Before installing SSL certificate and Intermediate CA certificate on Web server such as Apache, you may want to verify them.
\nYou can do it using OpenSSL openssl command.<\/p>\n
s_server implements a generic SSL\/TLS server which accepts connections from remote clients speaking SSL\/TLS.<\/p>\n
openssl s_server -cert <path\/to\/certificate> -key <path\/to\/private key> -CAfile <path\/to\/Intermediate CA certificate>\r\n<\/pre>\nExample:<\/strong><\/p>\n
$ openssl s_server -cert server.crt -key server.key -CAfile intermediate.crt \r\nUsing default temp DH parameters\r\nUsing default temp ECDH parameters\r\nACCEPT\r\n<\/pre>\nTest with openssl s_client<\/h2>\n
Connect to the server using openssl s_client and verify certificates.
\ns_client implements a generic SSL\/TLS client which can establish a transparent connection to a remote server speaking SSL\/TLS.<\/p>\nopenssl s_client -connect localhost:4433 -CAfile <path\/to\/CA certificate>\r\n<\/pre>\nExample of CA certificate:<\/strong><\/p>\n
\n
- Mac OS X
\n\/etc\/openssl\/cert.pem
\n\/opt\/local\/etc\/openssl\/cert.pem\u3001\/opt\/local\/share\/curl\/curl-ca-bundle.crt (with MacPorts)\n<\/li>\n- \nUbuntu (You need to install ca-certificates using apt)
\n\/etc\/ssl\/certs\/ca-certificates.crt\n<\/li>\n- \nCentOS
\nCA certificate id in \/etc\/pki\/tls\/certs\/ca-bundle.crt but you don't have to specify it.\n<\/li>\n<\/ul>\nExample:<\/strong><\/p>\n
$ openssl s_client -connect localhost:4433 -CAfile \/opt\/local\/share\/curl\/curl-ca-bundle.crt\r\nCONNECTED(00000003)\r\ndepth=3 (omitted)\r\nverify return:1\r\ndepth=2 (omitted)\r\nverify return:1\r\ndepth=1 (omitted)\r\nverify return:1\r\ndepth=0 (omitted)\r\nverify return:1\r\n---\r\nCertificate chain\r\n 0 s:(omitted)\r\n i:(omitted)\r\n 1 s:(omitted)\r\n i:(omitted)\r\n 2 s:(omitted)\r\n i:(omitted)\r\n 3 s:(omitted)\r\n i:(omitted)\r\n---\r\nServer certificate\r\n-----BEGIN CERTIFICATE-----\r\n(omitted)\r\n-----END CERTIFICATE-----\r\nsubject=(omitted)\r\nissuer=(omitted)\r\n---\r\nNo client certificate CA names sent\r\n---\r\nSSL handshake has read 4744 bytes and written 443 bytes\r\n---\r\nNew, TLSv1\/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384\r\nServer public key is 2048 bit\r\nSecure Renegotiation IS supported\r\nCompression: zlib compression\r\nExpansion: zlib compression\r\nSSL-Session:\r\n Protocol : TLSv1.2\r\n Cipher : ECDHE-RSA-AES256-GCM-SHA384\r\n Session-ID: (omitted)\r\n Session-ID-ctx: \r\n Master-Key: (omitted)\r\n Key-Arg : None\r\n PSK identity: None\r\n PSK identity hint: None\r\n SRP username: None\r\n TLS session ticket lifetime hint: 300 (seconds)\r\n TLS session ticket:\r\n (omitted)\r\n Compression: 1 (zlib compression)\r\n Start Time: 1421023132\r\n Timeout : 300 (sec)\r\n Verify return code: 0 (ok)\r\n---\r\n<\/pre>\nAfter you have installed certificates on the server, verify them with s_client like below.
\n -servername is needed for SNI (Server Name Indication).<\/p>\n\n
- \nMac OS X<\/p>\n
$ openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts -CAfile \/opt\/local\/etc\/openssl\/cert.pem\r\n<\/pre>\n<\/li>\n- \nCentOS<\/p>\n
$ openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts\r\n<\/pre>\n<\/li>\n- \nUbuntu
\n(You need to install ca-certificates using apt)<\/p>\n$ openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts -CAfile \/etc\/ssl\/certs\/ca-certificates.crt\r\n<\/pre>\n<\/li>\n<\/ul>\nIf you want to show expiring date of certificate, <\/p>\n
$ echo | openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts 2>\/dev\/null | openssl x509 -noout -dates\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"Before installing SSL certificate and Intermediate CA certificate on Web server such as Apache, you may want t … Continue reading Testing SSL certificate with OpenSSL commands<\/span>