Verify Certificate With OpenSSL
Razvan Ludosanu
Founder, learnbackend.dev
Published: 1/31/2024
The short answer
To check the expiration date of a PEM certificate and thus verify that it is still valid, you can use the following openssl x509 command:
$ openssl x509 -in <cert> -noout -enddate
Run in Warp
Which will write to the standard output the notAfter field of the certificate.
For example:
$ openssl x509 -in mycert.cer -noout -enddate
notAfter=Sep 19 23:59:59 2023 GMT
Run in Warp
You can learn more about generating self-signed certificates with our article on how to generate a certificate signing request.
Easily retrieve this command using Warp’s AI Command Search
If you’re using Warp as your terminal, you can easily retrieve this command using the Warp AI Command Search feature:
Entering check certificate expiration openssl in the AI Command Search will prompt an openssl command that can then quickly be inserted into your shell by doing CMD+ENTER.
Verifying a file certificate
To decode and verify an entire certificate, you can use the following command:
$ openssl x509 -in <cert> -noout -text
Run in Warp
Where:
- cert is the path to the file certificate.
- The -noout flag is used to prevent the output of the encoded version of the request.
- The -text flag is used to output the certificate in text form, including its public key, signature algorithms, etc.
For example:
$ openssl x509 -in /etc/nginx/ssl/cert.pem -noout -text
Run in Warp
Verifying a website’s certificate
To verify the certificate of a website, you can use the following openssl s_client command:
$ openssl s_client -connect <domain>:443
Run in Warp
Which will retrieve the website's certificate identified by domain (e.g. example.com) and output its details in the terminal window, including its chain, issuer, and other information.
For example:
$ openssl s_client -connect google.com:443
Run in Warp
Once downloaded, you can close the client connection by pressing CTRL + c.
Alternatively, you can use the pipe operator combined with the openssl x509 command to directly decode and verify the certificate as follows:
$ openssl s_client -connect <domain>:443 | openssl x509 -noout -text
Run in Warp
Note that to save the certificate into a file on your local machine for future processing, you can use the output redirection operator as follows:
$ openssl s_client -connect <domain>:443 > cert.pem
Run in Warp
Verifying a certificate and a private key match
To verify that a certificate and a private key match, you can compare their modulus by first extracting the modulus of the certificate using the following command:
$ openssl x509 -noout -modulus -in <certificate>> cert_mod
Run in Warp
Then, by extracting the modulus of the private key using the following command:
$ openssl rsa -noout -modulus -in <private_key> > pkey_mod
Run in Warp
Finally, by comparing these two files using the diff command:
$ diff cert_mod pkey_mod
Run in Warp
Which will result in no output if the files are identical.
Verifying a certificate chain
A certificate chain is a series of certificates that are linked together to establish trust and verify the authenticity of a digital certificate.
To verify a certificate chain, you can use the openssl verify command as follows:
$ openssl verify -untrusted <intermediary-certificate> <certificate>
Run in Warp
Where:
- The -untrusted flag is used to specify the file path of the intermediate certificate.
Written by
Razvan Ludosanu
Founder, learnbackend.dev
Filed Under
Related Articles
List Open Ports in Linux
Learn how to output the list of open TCP and UDP ports in Linux, as well as their IP addresses and ports using the netstat command.
Count Files in Linux
Learn how to count files and folders contained in directories and subdirectories in Linux using the ls, find, and wc commands.
How to Check the Size of Folders in Linux
Learn how to output the size of directories and subdirectories in a human-readable format in Linux and macOS using the du command.
Linux Chmod Command
Understand how to use chmod to change the permissions of files and directories. See examples with various chmod options.
POST JSON Data With Curl
How to send valid HTTP POST requests with JSON data payloads using the curl command and how to avoid common syntax pitfalls. Also, how to solve the HTTP 405 error code.
Format Command Output In Linux
Learn how to filter and format the content of files and the output of commands in Linux using the awk command.
Create Groups In Linux
Learn how to manually and automatically create and list groups in Linux.
Switch Users In Linux
Learn how to switch between users, log in as another user, and execute commands as another user in Linux.
Remover Users in Linux
Learn how to remove local and remote user accounts and associated groups and files in Linux using the userdel and deluser commands.
Delete Files In Linux
Learn how to selectively delete files in Linux based on patterns and properties using the rm command.
Find Files In Linux
Learn how to find and filter files in Linux by owner, size, date, type and content using the find command.
Copy Files In Linux
Learn how to safely and recursively copy one or more files locally and remotely in Linux using the cp and scp command.