Checking Which SSL Cert is Being Served

Thursday, 18 March 2021

Over the last week I’ve been dealing with a number of issues relating to SSL certs: one discovery where the SSL cert expired yesterday, another standard update of an SSL cert, and then the fun of swapping from one server to another with different certs. In each of these cases it’s important to know that the right certificate is in place.

You can check these things in the browser - the padlock icon next to the web address works… however jumping in and out of the terminal, and making sure that the browser hasn’t cached anything, can get a bit annoying… So how do you do this in the terminal?

echo | openssl s_client -showcerts -connect example.com:443 2>/dev/null | openssl x509 -inform pem -noout -text

Here example.com:443 is a placeholder; swap in the host and port you want to check. This will output a whole load of things… but normally the most important things to look out for are where the cert was issued and how long it is valid for.

Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=R3
    Not Before: Feb 10 09:00:30 2021 GMT
    Not After : May 11 09:00:30 2021 GMT

Going through the command…

openssl s_client -showcerts -connect example.com:443

First, we’re using OpenSSL’s s_client [1], which can be used as a debugging tool for connecting to a server using SSL, passing in a couple of options:

There are many more options you can pass in. But we don’t need them here.

This command outputs a lot more than we need to know, so we discard any errors (2>/dev/null) and pipe (|) the response into another part of OpenSSL - x509. It is described as a “certificate display and signing utility” [2]. We’re using it here to read the output of s_client and then display the cert information.

openssl x509 -inform pem -noout -text
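
As an added example (not part of the original post), here are the same two openssl commands wrapped in small shell functions that print only the subject, issuer, dates and fingerprint, and flag a cert that is close to expiry. The function names and the 14-day default are assumptions made for illustration; the -servername (SNI) and -checkend options go a little beyond the command above.

```shell
#!/bin/sh
# Added example: function names and the 14-day threshold are illustrative choices.

# fetch_leaf_cert HOST [PORT]: print the certificate the server presents, as PEM.
# -servername sends SNI, so a server hosting several sites returns the cert for HOST.
fetch_leaf_cert() {
    echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null |
        openssl x509 -outform pem 2>/dev/null
}

# cert_summary: read a PEM cert on stdin; print who it is for, who issued it,
# its validity window and its SHA-256 fingerprint (handy for comparing two servers).
cert_summary() {
    openssl x509 -noout -subject -issuer -dates -fingerprint -sha256
}

# cert_valid_for SECONDS: read a PEM cert on stdin; succeed only if the cert
# is still valid SECONDS from now. Unparseable input counts as a failure.
cert_valid_for() {
    openssl x509 -noout -checkend "$1" >/dev/null 2>&1
}

# check_served_cert HOST [PORT] [DAYS]: summarise the served cert and warn
# if it expires within DAYS days. Returns 0 ok, 1 expiring/expired, 2 no cert.
check_served_cert() {
    days=${3:-14}
    pem=$(fetch_leaf_cert "$1" "${2:-443}") || {
        echo "no certificate received from $1:${2:-443}" >&2
        return 2
    }
    printf '%s\n' "$pem" | cert_summary
    if printf '%s\n' "$pem" | cert_valid_for $((days * 86400)); then
        echo "OK: valid for more than $days days"
    else
        echo "WARNING: expires within $days days (or has already expired)"
        return 1
    fi
}

# Run the check only when a host is given, e.g.: sh check_cert.sh example.com 443 30
if [ "$#" -gt 0 ]; then
    check_served_cert "$@"
fi
```

Comparing the fingerprint line from the old and new server is a quick way to confirm which of two certs is actually being served after a migration.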
