Thursday, 10 January 2013

Commands to Check SSL cert’s validity and other details


All digital certificates contain an expiration date, which most client and server applications check before using the certificate's contents. ssl-cert-check is provided free of charge.

$ ssl-cert-check -h
Usage: ssl-cert-check [ -e email ] [ -x expir_days ] [ -q ] [ -a ] [ -h ] [-i]
       {[ -s common_name ] && [ -p port]} || {-f cert_file} || {-c certificate file}

  -a                 : Send a warning message through email
  -c cert file       : Print the expiration date for a PEM formatted
                       certificate passed as an option
  -e email address   : Email address to send expiration notices
  -f cert file       : File with a list of FQDNs and ports
  -h                 : Print this screen
  -i                 : Print the issuer of the certificate
  -p port            : Port to connect to (interactive mode)
  -s common name     : Server to connect to (interactive mode)
  -q                 : Don't print anything on the console
  -x days            : Certificate expiration interval (eg. if cert_date < days)

1. To view the date when a certificate stored in the file cacert.pem will expire, ssl-cert-check can be executed with the “-c” (certificate file to process) option and the certificate to process: 

$ ssl-cert-check -c /etc/ca/cacert.pem
Host                                            Status       Expires      Days Left
----------------------------------------------- ------------ ------------ ----------
FILE:/etc/ca/cacert.pem                         Valid        Jan 2 2008   807 

2. To check when the certificate used by a web server will expire, the server name or IP address and a port number can be passed to ssl-cert-check's "-s" (server name) and "-p" (tcp port) options:

$ ssl-cert-check -s <hostname> -p 443
Host                                            Status       Expires      Days Left
----------------------------------------------- ------------ ------------ ----------
<hostname>                                      Valid        Jun 20 2006  246
3. If you manage dozens of SSL-enabled servers, you can place the server names and port numbers in a file, and run ssl-cert-check against that

$ cat ssldomains
<hostname> 443
<hostname> 443
<hostname> 443
<hostname> 443
<hostname> 443

$ ssl-cert-check -f ssldomains
Host                                            Status       Expires      Days Left
----------------------------------------------- ------------ ------------ ----------
<hostname>                                      Valid        May 23 2006  218
<hostname>                                      Valid        Jun 20 2006  246
<hostname>                                      Valid        Jun 7 2006   233
<hostname>                                      Valid        May 11 2009  1302
<hostname>                                      Connection refused Unknown Unknown

4. When ssl-cert-check is executed with the "-i" (print issuer) option, the issuer is printed along with the certificate expiration date:

$ ssl-cert-check -i -f ssldomains
Host                                Issuer            Status   Expires     Days Left
----------------------------------- ----------------- -------- ----------- ---------
<hostname>                          Comodo Limited    Valid    May 23 2006 218
<hostname>                          Equifax Secure In Valid    Jun 20 2006 246
<hostname>                          Thawte Consulting Valid    Jun 7 2006  233
<hostname>                          Sun Microsystems  Valid    May 11 2009 1302
<hostname>                          Unknown           Connection refused Unknown Unknown

5. The expiration interval can be controlled with ssl-cert-check's "-x" (expiration interval) option, and the e-mail address to send notifications to can be passed as an argument to the "-e" (e-mail address to send alerts) option. The following example uses both options to send an e-mail notification if one or more of the hosts listed in the file ssldomains presents a certificate that will expire within the next 60 days:

$ ssl-cert-check -a -f ssldomains -q -x 60 -e <email address>
=================Another Way=========================== 
1. Get complete available details of an SSL certificate

openssl x509 -text -in ssl.cert 
2. Who issued the certificate?

openssl x509 -noout -in ssl.cert -issuer

3. To whom the certificate was issued?

openssl x509 -noout -in ssl.cert -subject

4. To check the expiry date of an SSL certificate

openssl x509 -noout -in ssl.cert -dates

5. To get SSL cert’s hash value

openssl x509 -noout -in ssl.cert -hash

6. To get SSL cert’s MD5 fingerprint (without an explicit digest option, -fingerprint prints a SHA-1 fingerprint on current OpenSSL versions; prefer -sha256 when the fingerprint is used to identify or pin a certificate)

openssl x509 -noout -in ssl.cert -fingerprint -md5

To check CSR: openssl req -noout -text -in new.csr 

To check key: openssl rsa -noout -text -in new.key 
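The following POSIX sh functions are an added example, not code from the original post and not part of ssl-cert-check. They cover the same ground as steps 2, 3 and 5 of the ssl-cert-check section (check a file, check a live server, alert when a certificate expires within N days) and the openssl command list above, using only the openssl CLI, which is assumed to be installed and on PATH. The function names, the list-file format (one "host port" per line, as ssl-cert-check's -f expects) and the exit-status convention are my own choices.

```shell
# Added example (not from the original post or ssl-cert-check):
# openssl-only equivalents of the checks described above. Assumes the
# openssl command-line tool is on PATH.

# cert_summary FILE
# Print subject, issuer, validity window and SHA-256 fingerprint of a PEM
# certificate. SHA-256 is used rather than MD5 because MD5 collisions are
# practical, so an MD5 fingerprint no longer uniquely identifies a cert.
cert_summary() {
    openssl x509 -noout -subject -issuer -dates -fingerprint -sha256 -in "$1"
}

# cert_parses FILE
# Exit 0 if FILE holds a parseable PEM certificate, non-zero otherwise.
# Kept separate from the expiry check so that an unreadable or corrupt file
# is never silently reported as "fine" or "expiring".
cert_parses() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1
}

# cert_expires_within FILE DAYS
# Exit 0 if the certificate expires within DAYS days (or already has),
# 1 if it stays valid beyond that window, 2 if FILE is not a certificate.
# openssl's -checkend takes seconds and exits 0 only when the certificate
# is still valid at now+seconds, so its status is inverted here to match
# the "-x days" meaning above (alert when the cert expires before then).
cert_expires_within() {
    cert_parses "$1" || return 2
    if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# fetch_server_cert HOST PORT OUTFILE
# Save the leaf certificate presented by HOST:PORT to OUTFILE in PEM form.
# -servername sends SNI so a virtual-hosted server returns the certificate
# for HOST instead of its default one; the pipeline fails if no certificate
# could be retrieved.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# check_domains_file LISTFILE DAYS
# LISTFILE holds one "host port" per line. Prints one line per host.
# Unreachable hosts are reported explicitly rather than skipped, so an
# outage or firewall change does not look like a clean run.
check_domains_file() {
    tmp=$(mktemp)
    while read -r host port; do
        [ -n "$host" ] || continue
        if ! fetch_server_cert "$host" "$port" "$tmp"; then
            printf '%-40s %s\n' "$host:$port" "UNREACHABLE"
        elif cert_expires_within "$tmp" "$2"; then
            printf '%-40s %s\n' "$host:$port" "EXPIRES WITHIN $2 DAYS"
        else
            printf '%-40s %s\n' "$host:$port" "OK"
        fi
    done < "$1"
    rm -f "$tmp"
}

# Usage (hypothetical file names):
#   cert_summary /etc/ca/cacert.pem
#   cert_expires_within /etc/ca/cacert.pem 60 && echo "renew soon"
#   check_domains_file ssldomains 60
```

Using -checkend rather than parsing the notAfter string avoids the GNU/BSD `date` differences that make the usual "days left" arithmetic non-portable; the exit status is what a cron job or monitoring check needs anyway.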
