How to Check SSL Certificates Details with Open SSL in Linux?

SSL certificates are now a requirement for any website. If you don’t encrypt your site, browsers will flag it as not secure, leaving visitors with an annoying warning message. But even if you add an SSL certificate, managing it is tricky. An SSL error may pop up unexpectedly, causing you all sorts of trouble.

To avoid SSL outages, you should monitor your SSL certificate frequently and always replace it on time. And, with certs expiring in one year, this task can become quite a chore. Thankfully, there are SSL tools to help you manage your certificates, and not a single program does a better job than the versatile OpenSSL utility.

With OpenSSL, you can apply for your digital certificate (Generate the Certificate Signing Request) and install the SSL files on your server. You can also convert your certificate into various SSL formats, as well as do all kinds of verifications. In this article, we’ll show you how to verify SSL certificate details using OpenSSL in Linux. 

Most Linux systems will have OpenSSL pre-installed, but it’s better to ensure you have the latest running version. You can check your OpenSSL version by running the following command: 

openssl version –a

Certificate files in Linux are located by default in the /etc/pki/tls/certs folder or sometimes within an application-specific folder such as /etc/httpd for Apache. These generally use .pem or .crt extensions and will likely be named yourdomain.pem or yourdomain.crt, but sometimes the generic “server” file name is used as well. If you’ve applied for the SSL certificate and installed it on the server, you should already know its location and file names.

Check the full details of the certificate

OpenSSL provides a rich variety of commands to generate, install, and manage certificates. To check the details of a particular certificate, run the following command:

openssl x509 -in (path to certificate and certificate filename) -text -noout

Here’s what you should see:

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

40:01:6e:fb:0a:20:5c:fa:eb:e1:8f:71:d7:3a:bb:78

Signature Algorithm: sha256WithRSAEncryption

Issuer: C=US, O=DigiCert, Inc, CN=DigiCert SHA2 

Validity

Not Before: Jun 31 23:32:14 2021 GMT

Not After : Jun 31 23:32:14 2022 GMT

Subject: C=US, ST=CA, L=Sacramento, O=Yourplc, OU=IT, CN=yourplc.com

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

Modulus:

00:e9:0d:7a:8c:55:54:4f:ef:67:a7:a0:54:de:8f:

bd:6c:cd:fe:e5:01:22:40:90:df:39:97:5a:f6:76:

c1:d9:00:d7:88:7e:7b:63:65:99:59:be:08:4a:3c:

2b:63:13:0d:42:3e:95:9d:cf:2f:2e:48:35:0e:9c:

6c:3f:b5:fd:75:4f:7c:86:34:80:c1:86:be:bf:0e:

0a:da:a7:eb:8b:97:9f:29:34:1b:fa:c8:b4:f5:57:

ec:98:a9:d1:d4:dc:07:6e:e0:14:51:a3:7a:5e:1c

fc:2d

Show the SSL certificate itself (encoded):

$ echo | openssl s_client -servername howtouselinux.com -connect yourplc.com:443 2>/dev/null | openssl x509

—–BEGIN CERTIFICATE—–

AWZLFWDASdwIBAaSA4b0Yz00UKhHzPeZEB95HCHIMA0GCSqGSIb3DQEBCwUA

MEoxCzAJBgNVBAYTAlV103MRYwFAYDVaQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD

GxadMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAzMTgxMDU1MDBaFw0x

[…]

—–END CERTIFICATE—–

Verify if the Keys Match

To verify the public and private keys match, you need to extract the public key from each file and generate a hash output for it. All three files should share the same public key and the same hash value.

Use the following commands to generate a hash of each file’s public key:

openssl pkey -pubout -in privateKey.key | openssl sha256

openssl req -pubkey -in CSR.csr -noout | openssl sha256

openssl x509 -pubkey -in certificate.crt -noout | openssl sha256

Check who issued the SSL certificate

$ echo | openssl s_client -servername yourplc.com -connect yourplc.com:443 2>/dev/null | openssl x509 -noout -issuer

issuer= /C=US/DigiCert Inc/CN=DigiCert SHA2

Check whom the SSL certificate is issued to

$ echo | openssl s_client -servername .com -connect howtoyourplcuselinux.com:443 2>/dev/null | openssl x509 -noout -subject

 Subject= /CN=yourplc.com

Check the validity of the SSL certificate

$ echo | openssl s_client -servername howtouselinux.com -connect yourplc.com:443 2>/dev/null | openssl x509 -noout -dates

notBefore=Jun 31 23:32:14 2021 GMT

notAfter=Jun 31 23:32:14 2022 GMT

Display the all above info about the SSL certificate

$ echo | openssl s_client -servername howtouselinux.com -connect yourplc.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates

echo | openssl s_client -servername yourplc.com -connect yourplc.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates

issuer= /C=US/O=DigiCert Inc/CN=DigiCert SHA2

subject= /CN=yourplc.com

notBefore=Jun 31 23:32:14 2021 GMT

notAfter=Jun 31 23:32:14 2022 GMT

Final Words

If something goes wrong with your SSL connection, verifying your certificate’s details is the first step towards finding the culprit. In OpenSSL, you have a great utility to perform all kinds of checks, from inspecting the certificate issuer to analyzing technical data and seeing when the certificate expires. OpenSSL integrates with Linux and provides control over SSL installation via its flexible command lines.