There are times when it’s useful to be able to check an SSL cert’s subject or expiration date, both in a cert file and as presented by a running service. This applies to more than just web servers; SMTP, IMAP, and LDAP are other services which use SSL certificates. There are several ways to check certs, and what I cover in this post is by no means exhaustive.
Checking a cert file
Perhaps the most straightforward way to check a certificate itself is by using the openssl command. The defaults for the command give you a lot of information, so I normally limit it to only show the subject and dates (the first output line is wrapped, and typed input is in bold):
$ openssl x509 -noout -subject -dates -in www.washington.edu.cert
subject= /C=US/ST=Washington/L=Seattle/O=University of Washington/OU=www.washington.edu Server Management/CN=www.washington.edu
notBefore=Jul 11 18:05:59 2008 GMT
notAfter=Jul 14 08:57:24 2009 GMT
It may seem strange to be giving the command a -noout flag, but that only suppresses the encoded form of the certificate; the fields you ask for are still printed.
There are times when everything looks right but a cert isn’t working. One explanation is that the cert and key don’t match. You can manually compare the moduli of the cert and key to make sure they match, but they’re 256 characters long. It’s usually enough to compare a few characters at the beginning and end of each (better yet, of each line when the modulus wraps in a terminal window), but if you want to be sure, you can compare using uniq (long lines wrapped for clarity):
$ ( openssl x509 -noout -modulus -in www.washington.edu.cert ; \
> openssl rsa -noout -modulus -in www.washington.edu.key ) | uniq
Modulus=B8C963C93378471D37AA32EA65B978E3C056D531B94FCEABCD5577E22427C9
1351EBE445AB2583365FE613DC989807F98903E33565F1AC370B29BFBFABFD2C849A11
8252E46F3A7635F8E4BE4D8733B12A1F317A4E46C7B86270BAAC5002D95B39FE465D8B
E726F4EF7918BB9E103E9FB65F843DE9A53C675D391498A4A46DEF
If the moduli don’t match, you’ll see two lines instead of one.
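
The two file checks above (expiration and matching moduli) written as shell functions that return exit codes, so they can be used from a deploy or monitoring script. This is an added example, not code from the original post: the function names are assumptions, the moduli are hashed rather than printed, and like the openssl rsa command above it only applies to RSA keys.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are assumptions;
# the cert and key paths are whatever the caller passes in.

# Print a SHA-256 digest of the RSA modulus of a cert ("x509") or key ("rsa").
# Returns non-zero if openssl cannot read the file, so two unreadable files
# can never "match" on the digest of empty input.
modulus_digest() {
    kind=$1
    file=$2
    mod=$(openssl "$kind" -noout -modulus -in "$file" 2>/dev/null) || return 1
    [ -n "$mod" ] || return 1
    printf '%s\n' "$mod" | openssl sha256 | sed 's/^.*= *//'
}

# Exit 0 if the cert and key share a modulus, 1 if they differ,
# 2 if either file could not be read.
cert_key_match() {
    c=$(modulus_digest x509 "$1") || return 2
    k=$(modulus_digest rsa "$2") || return 2
    [ "$c" = "$k" ]
}

# Exit 0 if the cert is still valid $2 days from now; non-zero if it will
# have expired by then (or the file cannot be read).
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Stand-alone use: sh script.sh www.washington.edu.cert www.washington.edu.key
if [ "$#" -ge 2 ]; then
    cert_key_match "$1" "$2" && echo "cert and key match"
fi
```

A status of 2 from cert_key_match usually means a wrong path, a non-RSA key, or a passphrase-protected key that openssl could not open.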
Checking a cert over HTTPS
There are a couple of quick ways to check a cert being used by a web server. The first is to once again use openssl, but there are a lot of parts to the command since you first have to retrieve the cert and then pipe that into a command to interpret it:
$ openssl s_client -connect www.washington.edu:443 -showcerts \
> </dev/null 2>/dev/null | openssl x509 -noout -subject -dates
subject= /C=US/ST=Washington/L=Seattle/O=University of Washington/OU=www.washington.edu Server Management/CN=www.washington.edu
notBefore=Jul 11 18:05:59 2008 GMT
notAfter=Jul 14 08:57:24 2009 GMT
You can use the curl command, but it will give you much more output. Perhaps the simplest command is:
$ curl -vIs https://www.washington.edu
* About to connect() to www.washington.edu port 443 (#0)
* Trying 140.142.11.167... connected
* Connected to www.washington.edu (140.142.11.167) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /usr/share/curl/curl-ca-bundle.crt
CApath: none
* SSLv2, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: /C=US/ST=Washington/L=Seattle/O=University of
Washington/OU=www.washington.edu Server
Management/CN=www.washington.edu
* start date: 2008-07-11 18:05:59 GMT
* expire date: 2009-07-14 08:57:24 GMT
* common name: www.washington.edu (matched)
* issuer: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte
Consulting cc/OU=Certification Services Division/CN=Thawte Premium
Server CA/emailAddress=premium-server {at} thawte(.)com
* SSL certificate verify ok.
> HEAD / HTTP/1.1
> User-Agent: curl/7.16.3 (powerpc-apple-darwin9.0) libcurl/7.16.3
OpenSSL/0.9.7l zlib/1.2.3
> Host: www.washington.edu
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Wed, 14 Jan 2009 00:10:03 GMT
Date: Wed, 14 Jan 2009 00:10:03 GMT
< Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8h DAV/2
PHP/5.2.6 mod_pubcookie/3.3.3 mod_uwa/3.2.1
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8h DAV/2
PHP/5.2.6 mod_pubcookie/3.3.3 mod_uwa/3.2.1
< Last-Modified: Tue, 13 Jan 2009 19:57:08 GMT
Last-Modified: Tue, 13 Jan 2009 19:57:08 GMT
< ETag: "a1826f-5ad1-46062a0d1ad00"
ETag: "a1826f-5ad1-46062a0d1ad00"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 23249
Content-Length: 23249
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Type: text/html
Content-Type: text/html
<
* Connection #0 to host www.washington.edu left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
Personally, I use the pair of openssl commands so I don’t have to hunt for the cert information. Using curl will, however, explicitly tell you about various cert problems, including a mismatched hostname and common name. It’s also a very useful tool to check what a web server is telling a browser.
Other protocols
For other protocols which are just SSL layered over the connection, you can check SSL certs using the same openssl commands as for checking HTTPS. You need to be sure to use the right port (such as 993 for IMAP) instead of 443.
SMTP uses a different method to enable SSL: the connection starts unencrypted and is upgraded with STARTTLS, so you need to check it differently, using the -starttls option:
$ openssl s_client -connect smtp.washington.edu:25 -starttls smtp \
> </dev/null 2>/dev/null|openssl x509 -noout -subject -dates
subject= /C=US/ST=Washington/L=Seattle/O=University of Washington/OU=NDC/CN=smtp.washington.edu
notBefore=Jan 30 18:02:51 2008 GMT
notAfter=Feb 6 23:10:40 2009 GMT