Verify: SSL Certificate Under OpenSSL

All UNIX / Linux applications linked against the OpenSSL libraries can verify certificates signed by a recognized certificate authority (CA). How do I verify SSL certificates using the OpenSSL command-line toolkit itself under UNIX-like operating systems, without using third-party websites?

You can use the verify subcommand of the openssl command to verify certificates as follows:
$ openssl verify pem-file
$ openssl verify mycert.pem
$ openssl verify

Sample outputs: OK

You will see an OK message if everything checks out. If a certificate has expired, it will complain about it. Please note that OpenSSL won't verify a self-signed certificate. You can also retrieve a certificate as follows and verify it:
$ mkdir -p ~/.cert/
$ cd ~/.cert/
$ openssl s_client -showcerts -connect

Copy everything from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" and save it in your ~/.cert/ directory as a file. By default, OpenSSL is configured to use the certificate authorities your system trusts, which are stored in the /usr/lib/ssl/ directory. You can verify this using the following command:
$ openssl version -d
Sample outputs:

OPENSSLDIR: "/usr/lib/ssl"

Another option is to get the certificate from the CA repository:
$ wget -O ~/.cert/
Finally, use c_rehash to create symbolic links, named by hash value, to the certificate files:
$ c_rehash ~/.cert/
To confirm you have the correct and working certificates, enter:
$ openssl s_client -CApath ~/.cert/ -connect
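
The checks above can be reproduced offline against a throwaway CA. This is an added example, not part of the original post: the names "Demo Root CA" and "demo.example" are constructed, the hash-named link is created by hand with `openssl x509 -subject_hash` (the layout c_rehash produces), and `-attime` is used to show the expiry failure without waiting for a certificate to expire.

```shell
#!/bin/sh
# Constructed demo: all keys, certificates and names are generated locally.
demo_dir=$(mktemp -d)

make_pki() {
    # Self-signed root CA ("Demo Root CA" is a made-up name).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.pem" 2>/dev/null || return 1
    # Leaf key and CSR, then a leaf certificate signed by the demo CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$demo_dir/leaf.key" -out "$demo_dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$demo_dir/leaf.csr" -CA "$demo_dir/ca.pem" \
        -CAkey "$demo_dir/ca.key" -CAcreateserial -days 30 \
        -out "$demo_dir/leaf.pem" 2>/dev/null || return 1
    # Trust directory in the layout c_rehash produces: <subject-hash>.0 -> cert
    mkdir -p "$demo_dir/trust" && cp "$demo_dir/ca.pem" "$demo_dir/trust/" &&
        ln -sf ca.pem "$demo_dir/trust/$(openssl x509 -noout -subject_hash -in "$demo_dir/ca.pem").0"
}

# Leaf checked against the CA file directly.
verify_cafile() { openssl verify -CAfile "$demo_dir/ca.pem" "$demo_dir/leaf.pem"; }
# Leaf checked against the hashed directory, as with -CApath ~/.cert/ on the page.
verify_capath() { openssl verify -CApath "$demo_dir/trust" "$demo_dir/leaf.pem"; }
# Self-signed certificate with no trust anchor supplied: rejected.
verify_selfsigned() { openssl verify "$demo_dir/ca.pem"; }
# Same leaf, evaluated 90 days from now: rejected as expired.
verify_expired() {
    openssl verify -CAfile "$demo_dir/ca.pem" \
        -attime "$(( $(date +%s) + 90 * 86400 ))" "$demo_dir/leaf.pem"
}

# Run a check quietly and report OK or FAIL.
result() { if "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi; }

make_pki || { echo "openssl could not build the demo PKI" >&2; exit 1; }
echo "leaf via -CAfile:        $(result verify_cafile)"
echo "leaf via -CApath:        $(result verify_capath)"
echo "self-signed, no anchor:  $(result verify_selfsigned)"
echo "leaf, 90 days from now:  $(result verify_expired)"
```

Drop the redirection inside `result` to read the error number and message that `openssl verify` reports for the two rejected cases.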

Posted by: SXI ADMIN

The author is the creator of SXI LLC and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.
