Verify Certificate With OpenSSL
The short answer
To check the expiration date of a PEM certificate and thus verify that it is still valid, you can use the following `openssl x509` command:
This writes the certificate's `notAfter` field to standard output.
For example:
You can learn more about generating self-signed certificates with our article on how to generate a certificate signing request.
Easily retrieve this command using Warp’s AI Command Search
If you’re using Warp as your terminal, you can easily retrieve this command using the Warp AI Command Search feature:
Entering `check certificate expiration openssl` in the AI Command Search will prompt an `openssl` command that can then quickly be inserted into your shell by pressing `CMD+ENTER`.
Verifying a file certificate
To decode and verify an entire certificate, you can use the following command:
Where:
- `cert` is the path to the certificate file.
- The `-noout` flag is used to prevent the output of the encoded version of the certificate.
- The `-text` flag is used to output the certificate in text form, including its public key, signature algorithms, etc.
For example:
Verifying a website’s certificate
To verify the certificate of a website, you can use the following `openssl s_client` command:
This retrieves the certificate of the website identified by `domain` (e.g. `example.com`) and prints its details in the terminal window, including its chain, issuer, and other information.
For example:
Once downloaded, you can close the client connection by pressing `CTRL` + `c`.
Alternatively, you can use the pipe operator combined with the `openssl x509` command to directly decode and verify the certificate as follows:
Note that to save the certificate into a file on your local machine for future processing, you can use the output redirection operator as follows:
Verifying a certificate and a private key match
To verify that a certificate and a private key match, you can compare their modulus by first extracting the modulus of the certificate using the following command:
Then, by extracting the modulus of the private key using the following command:
Finally, by comparing these two files using the `diff` command:
This produces no output if the files are identical.
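A modulus exists only for RSA keys, so the comparison above does not apply to EC keys. The following added example (not from the original article) generalizes the check by comparing the full public key of the certificate with the one derived from the private key; the function names, file names and `example.test` subject are assumptions, and all keys and certificates are constructed throwaway test material.

```shell
#!/bin/sh
# Added example: certificate/private-key pairing check for RSA and EC keys.
# Everything generated below is constructed, short-lived test material.

# cert_matches_key CERT KEY: 0 = same public key, 1 = different, 2 = unreadable input.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    # Two unparsable inputs must never be treated as "equal".
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# self_sign KEY CERT: wrap an existing key in a 1-day self-signed certificate.
self_sign() {
    openssl req -new -x509 -key "$1" -days 1 -subj "/CN=example.test" -out "$2" 2>/dev/null
}

# make_fixtures DIR: two RSA keys and one EC key, each with its own certificate.
make_fixtures() {
    openssl genrsa -out "$1/rsa_a.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/rsa_b.key" 2048 2>/dev/null &&
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ec.key" 2>/dev/null &&
    for n in rsa_a rsa_b ec; do self_sign "$1/$n.key" "$1/$n.crt" || return 1; done
}

# report CERT KEY: print a one-line verdict for a certificate/key pair.
report() {
    rc=0; cert_matches_key "$1" "$2" || rc=$?
    case $rc in
        0) echo "MATCH     $1 <-> $2" ;;
        1) echo "MISMATCH  $1 <-> $2" ;;
        *) echo "ERROR     $1 <-> $2 (unreadable input)" ;;
    esac
}

demo() {
    dir=$(mktemp -d) || return 1
    make_fixtures "$dir" || { rm -rf "$dir"; return 1; }
    report "$dir/rsa_a.crt" "$dir/rsa_a.key"   # RSA pair
    report "$dir/rsa_a.crt" "$dir/rsa_b.key"   # RSA certificate, wrong RSA key
    report "$dir/ec.crt" "$dir/ec.key"         # EC pair (no modulus exists here)
    report "$dir/ec.crt" "$dir/rsa_a.key"      # EC certificate, RSA key
    rm -rf "$dir"
}
demo
```

A matching public key only shows that the two files belong together; it says nothing about whether the certificate is trusted or unexpired.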
Verifying a certificate chain
A certificate chain is a series of certificates that are linked together to establish trust and verify the authenticity of a digital certificate.
To verify a certificate chain, you can use the `openssl verify` command as follows:
Where:
- The `-untrusted` flag is used to specify the file path of the intermediate certificate.