Testing SSL certificate with OpenSSL commands

Before installing SSL certificate and Intermediate CA certificate on Web server such as Apache, you may want to verify them.
You can do it using OpenSSL openssl command.

Start SSL/TLS server using openssl s_server

s_server implements a generic SSL/TLS server which accepts connections from remote clients speaking SSL/TLS.

openssl s_server -cert <path/to/certificate> -key <path/to/private key> -CAfile <path/to/Intermediate CA certificate>

Example:

$ openssl s_server -cert server.crt -key server.key -CAfile intermediate.crt 
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

Test with openssl s_client

Connect to the server using openssl s_client and verify certificates.
s_client implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS.

openssl s_client -connect localhost:4433 -CAfile <path/to/CA certificate>

Example of CA certificate:

  • Mac OS X
    /etc/openssl/cert.pem
    /opt/local/etc/openssl/cert.pem、/opt/local/share/curl/curl-ca-bundle.crt (with MacPorts)
  • Ubuntu (You need to install ca-certificates using apt)
    /etc/ssl/certs/ca-certificates.crt
  • CentOS
    CA certificate id in /etc/pki/tls/certs/ca-bundle.crt but you don't have to specify it.

Example:

$ openssl s_client -connect localhost:4433 -CAfile /opt/local/share/curl/curl-ca-bundle.crt
CONNECTED(00000003)
depth=3 (omitted)
verify return:1
depth=2 (omitted)
verify return:1
depth=1 (omitted)
verify return:1
depth=0 (omitted)
verify return:1
---
Certificate chain
 0 s:(omitted)
   i:(omitted)
 1 s:(omitted)
   i:(omitted)
 2 s:(omitted)
   i:(omitted)
 3 s:(omitted)
   i:(omitted)
---
Server certificate
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
subject=(omitted)
issuer=(omitted)
---
No client certificate CA names sent
---
SSL handshake has read 4744 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: (omitted)
    Session-ID-ctx: 
    Master-Key: (omitted)
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    (omitted)
    Compression: 1 (zlib compression)
    Start Time: 1421023132
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

After you have installed certificates on the server, verify them with s_client like below.
-servername is needed for SNI (Server Name Indication).

  • Mac OS X

    $ openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts -CAfile /opt/local/etc/openssl/cert.pem
    
  • CentOS

    $ openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts
    
  • Ubuntu
    (You need to install ca-certificates using apt)

    $ openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts -CAfile /etc/ssl/certs/ca-certificates.crt
    

If you want to show expiring date of certificate,

$ echo | openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts 2>/dev/null | openssl x509 -noout -dates