Over the last week I’ve been dealing with a number of issues relating to SSL certs; one discovery where the SSL cert expired yesterday, another standard update of a SSL cert, and then the fun of swapping from one server to another with different certs. In each of these cases it’s important to know that the right certificate is in place.
You can check these things in the browser - the padlock icon next to the web address works… however jumping in and out of terminal, making sure that the browser hasn’t cached anything, can get a bit annoying… So how do you do this in the terminal?
echo | openssl s_client -showcerts -connect jamesdoc.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
This will output a whole load of things… but normally the most important things to look out for - where the cert was issued, and how long is it valid for?
Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=R3 Validity Not Before: Feb 10 09:00:30 2021 GMT Not After : May 11 09:00:30 2021 GMT
openssl s_client -showcerts -connect jamesdoc.com:443
first we’re using OpenSSL’s
s_client  which can be used as a debugging tool for connecting to a server using SSL, passing in a couple of options:
showcerts: We want to see the SSL certificate
connect: What server and port are we going to talk to?
443is the typical port for SSL connections
There are many more options you can pass in. But we don’t need them here.
This command outputs a lot more than we need to know so we discard any errors (
2>/dev/null) and pipe (
|) the response into another part of OpenSSL - x509. It is described as a “certificate display and signing utility” . We’re using it here to review the output of
s_client and the display the cert information.
openssl x509 -inform pem -noout -text
inform pem: What format is the data that is being fed into the command -
s_clientgives is PEM (apparently).
noout: Don’t display the encoded version of the request
text: Output the cert in text form