How to Check SSL Certificate Details in Linux with OpenSSL

In this tutorial, I’ll show you how to check SSL certificate details in Linux with OpenSSL. In my case, I’m using CentOS 6.6 on my virtual machine, but the commands are mostly the same across all Linux distros.

Install OpenSSL

To install OpenSSL on your Linux machine, use a package manager such as apt or yum: first update your package repositories, then install the openssl package. Once it is installed, you can use the openssl command to check certificate details. If your certificate is held in a Java keystore, you’ll need to export the public certificate first by typing

keytool -exportcert -alias ..., where the remaining argument is the location of the keystore containing that certificate. You’ll be prompted for a password, which should be the same as the one used when creating the keystore. When asked for an output filename, enter one. To import this file back into the Java KeyStore later, enter import when prompted; otherwise just hit Enter. You can now query information about the certificate.

Select Import -> File from the menu. Browse to where you saved your exported CSR and select it (it will have a .csr extension). Enter the alias name and any desired password. Press Next, then Finish to complete importing your certificate.

Read the Certificate File

The first step is to read the certificate file. You can do this with the openssl command by giving the file name as an argument. For example, if your certificate is in a file called certificate.crt, you would type:

openssl x509 -in certificate.crt -text -noout

This will return the text of all of the fields for that certificate.

If there are multiple certificates in one file, use:

openssl x509 -in filename.pem -text -noout

This will give you the details of each individual certificate. To just see the commonName field for each certificate, you could type:

openssl x509 -in filename.pem -noout -subject

or to show only subjectAltNames which have test as their value, you could use:

openssl x509 -in filename.pem -noout -text | grep -A1 'Subject Alternative Name' | grep test

The search returns the lines in which the string test appears as a value of the Subject Alternative Name field. As expected, there are no such lines here, because none of the certificates in the file carries a value containing test.
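As an added example (not from the original post), the following script splits a PEM bundle into its individual certificates and reports the fields discussed above for each one; this is needed because openssl x509 decodes only the first certificate in a file. The host names and the bundle are constructed here; it assumes a POSIX shell, awk, grep -A and an openssl that supports -addext (1.1.1 or newer).

```shell
#!/bin/sh
# Added example, not from the original post: openssl x509 only decodes the
# FIRST certificate in a file, so a bundle must be split before each one
# can be inspected. Assumes POSIX sh, awk, grep -A and openssl >= 1.1.1.
set -e

# Split a PEM bundle ($1) into $2/cert-N.pem; prints how many were found.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }' "$1"
}

# Print subject, Subject Alternative Names and expiry for one certificate.
show_cert() {
    printf '== %s\n' "$1"
    openssl x509 -in "$1" -noout -subject -enddate
    # The SAN list is the line after the extension header in -text output
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
    # -checkend N exits non-zero if the certificate expires within N seconds
    if openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null; then
        echo "   valid for at least 30 more days"
    else
        echo "   WARNING: expires within 30 days (or already expired)"
    fi
}

# Constructed input: two throwaway self-signed certificates concatenated into
# one bundle, the way a CA bundle or an intermediate chain file looks.
make_demo_bundle() {
    dir=$(mktemp -d)
    for name in alpha.example bravo.example; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$name" \
            -addext "subjectAltName=DNS:$name,DNS:www.$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
        cat "$dir/$name.crt" >> "$dir/bundle.pem"
    done
    echo "$dir/bundle.pem"
}

BUNDLE=$(make_demo_bundle)
WORK=${BUNDLE%/*}
COUNT=$(split_pem_bundle "$BUNDLE" "$WORK/split")
echo "bundle holds $COUNT certificate(s)"
for f in "$WORK"/split/cert-*.pem; do show_cert "$f"; done
```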

Create an Empty Server Key

  1. In your terminal, type: openssl genrsa -des3 -out server.key 1024
  2. You will be prompted to enter a password.
  3. Enter a strong password and press Enter.
  4. Now we will remove the password so that Apache can start without prompting us for a password. Type: openssl rsa -in server.key -out newserver.key
  5. You will be prompted for the password you entered earlier.
  6. Enter your password and press Enter.
  7. Finally, we need to change the permissions on the key file so that only the root user can read it: chmod 600 newserver.key
  8. You should now have a server key named newserver.key. It’s important to note that this is an RSA private key and not an RSA public key.
  9. We also want to create an empty SSL certificate called servercert.pem. To do this, we’ll first generate an RSA certificate signing request (CSR) by typing: openssl req -new -key newserver.key -out servercert.csr
  10. Next, copy the entire text of the CSR into a new file called servercert.csr in the same directory as your key file. Change the CN (Common Name) field to Server. Save and close the file when done editing it.
  11. Generate a self-signed SSL certificate by typing:

openssl x509 -req -days 365 -in servercert.csr \
    -signkey newserver.key \
    -out servercert.crt

  12. The last step is to make sure the paths are correct and that your certificates are readable by all users. If not, run: chmod 400 *
  13. There you go! Your certificate files are ready! Put them in a safe place such as /etc/ssl/private/.

Create Self-Signed Certificates

  1. To create a self-signed certificate using OpenSSL, you will first need to generate a private key. This can be done by running the following command:
  2. openssl genrsa -out mysite.key 2048
  3. Once you have generated the private key, you will need to create a CSR (Certificate Signing Request). This can be done by running the following command:
  4. openssl req -new -key mysite.key -out mysite.csr
  5. You will then be prompted to enter some information about your organization and the site you are creating the certificate for. Press enter on all of these prompts as they can all be left blank.
  6. Lastly, you will need to sign the CSR with the CA, whose certificate is located in their local certificate store or on a trusted server. Run this command to sign the request (signing also requires the CA’s private key; yourCAkey.key stands for that file here):
  7. openssl x509 -req -days 365 -in mysite.csr -CA yourCAcertsfile.crt -CAkey yourCAkey.key -CAcreateserial -out mysitecertfile.crt
  8. If everything was successful, you should see no errors and two files containing your certificate and private key. Now you just need to extract your private key and place it somewhere safe so that it cannot be accessed via SSH.
  9. The next step is to copy the contents of mysitecertfile.crt into a new file called ssl-test.crt, then rename it to ssltestserver1.crt and place it in /etc/ssl/private/. Now we need to set up our configuration file so that Apache can use this certificate when serving sites over HTTPS:
  10. sudo vi /etc/apache2/sites-available/default
  11. Find the line Listen 80, uncomment it by removing the # from the beginning of the line, and change 80 to 443.
  12. Restart the Apache server to apply the changes: sudo service apache2 restart
  13. To check that your website is now available only over https, run curl https://localhost/; if not, try restarting Apache.

Store and Utilize CA Files

OpenSSL is a powerful tool that can be used for a variety of tasks related to Public Key Infrastructure (PKI) and HTTPS. In this post, we’ll show you how to use OpenSSL to check SSL certificate details in Linux. First, store the CA files from your system’s package manager so they’re easily accessible:

sudo apt-get install ca-certificates
sudo yum install ca-certificates

Then run the following command using the hostname of the site:

openssl s_client -connect HOSTNAME:443 -servername HOSTNAME

If it all checks out, you should see something like this:

CONNECTED(00000003)
depth=2 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=(c) 1998 GeoTrust Inc. - For authorized use only/CN=(c) 1998 GeoTrust Inc.
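The following script is an added example, not part of the original post: it builds a throwaway CA, signs a server CSR with it (the -CA/-CAkey/-CAcreateserial form the "Create Self-Signed Certificates" steps call for), and then shows why openssl verify, like the s_client run above, reports verify error 20 until the CA certificate is supplied with -CAfile. The CA name, host name and file names are constructed; it assumes a POSIX shell and openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway private CA signs a
# server CSR, and "openssl verify" reproduces the
# "verify error:num=20:unable to get local issuer certificate" line from the
# s_client output above until the CA is supplied with -CAfile. Assumes POSIX
# sh and openssl >= 1.1.1; every file and host name here is constructed.
set -e

# Build the demo PKI under $1: ca.key, ca.crt, server.key, server.csr, server.crt
build_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    # x509 -req does not copy extensions from the CSR; pass the SAN via -extfile
    printf 'subjectAltName=DNS:www.example.test\n' > "$1/san.ext"
    # Signing needs the CA's PRIVATE key (-CAkey), not only its certificate
    openssl x509 -req -days 90 -in "$1/server.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -extfile "$1/san.ext" \
        -out "$1/server.crt" 2>/dev/null
    chmod 600 "$1/ca.key" "$1/server.key"   # private keys stay owner-only
}

# Verify certificate $1 against the system store, or against CA file $2 if
# given (what s_client -CAfile does); the reason is printed, not returned.
verify_chain() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" 2>&1 || true
    else
        openssl verify "$1" 2>&1 || true
    fi
}

# A certificate is only usable with the key it was issued for: compare the
# public key derived from the key file ($1) with the one in the cert ($2).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

D=$(mktemp -d)
build_demo_pki "$D"
echo "--- system trust store only (the error s_client printed above):"
verify_chain "$D/server.crt"
echo "--- with the CA certificate passed via -CAfile:"
verify_chain "$D/server.crt" "$D/ca.crt"
if key_matches_cert "$D/server.key" "$D/server.crt"; then
    echo "server.key and server.crt belong together"
fi
```

The same -CAfile switch can be given to openssl s_client -connect HOSTNAME:443 -servername HOSTNAME when the server's chain is issued by a private CA that is not in the system store.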
