Last Updated: February 25, 2016
· erebusbat

Use OpenSSL to read current site SSL Certificate Info

I was upgrading my site's SSL certificates the other day and I wanted a foolproof, quick way to check that the server was indeed serving the new certificate. With some GoogleFu and man reading I came up with:

$ openssl s_client -connect www.github.com:443 < /dev/null 2>/dev/null | openssl x509 -noout -subject -email -dates -fingerprint

subject= /businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
notBefore=Jun 10 00:00:00 2013 GMT
notAfter=Sep  2 12:00:00 2015 GMT
SHA1 Fingerprint=D7:12:E9:69:65:DC:F2:36:C8:74:C7:03:7D:C0:B2:24:A9:3B:D2:33
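
The same check can be scripted so that it compares the served certificate against the file you just deployed instead of relying on eyeballing the dates. This is an added example, not part of the original tip: the function names are hypothetical, it sends SNI with -servername, and it uses a SHA-256 fingerprint rather than the SHA-1 shown above.

```bash
#!/bin/sh
# Added example: check that a host serves the certificate file you deployed.
# The PEM path, host and port are the caller's; nothing here is site-specific.

# Reduce "SHA256 Fingerprint=AB:CD:..." or a bare hex string to lowercase hex,
# so fingerprints copied from different tools compare equal.
normalize_fp() {
    printf '%s\n' "$1" | sed -e 's/^.*=//' | tr -d ': \r\n' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the first certificate in the PEM read from stdin.
pem_fp() {
    local out
    out=$(openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    normalize_fp "$out"
}

# Leaf certificate (PEM) presented by host $1 on port $2 (default 443).
# -servername sends SNI, so a name-based virtual host answers for that name.
served_pem() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        </dev/null 2>/dev/null | openssl x509 2>/dev/null
}

# usage: check_deployed new-cert.pem host [port]
# exit 0 = served cert is the file, 1 = different cert, 2 = could not check
check_deployed() {
    local want got
    want=$(pem_fp <"$1") || { echo "cannot parse $1" >&2; return 2; }
    got=$(served_pem "$2" "$3" | pem_fp) || {
        echo "no certificate from $2" >&2; return 2; }
    if [ "$want" = "$got" ]; then
        echo "OK: $2 serves sha256:$want"
    else
        echo "MISMATCH: want sha256:$want got sha256:$got" >&2
        return 1
    fi
}
```

Source the file and run check_deployed new-cert.pem www.example.com after a reload; a non-zero exit status means the old certificate is still being served or the host could not be checked.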

It is also possible to dump the whole certificate in text form if you really need that, but it is harder for quick checks (without some grep action):

$ openssl s_client -connect www.github.com:443  < /dev/null 2>/dev/null | openssl x509 -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:7f:be:2e:4b:de:00:84:d2:ca:f8:e3:ec:fe:70:58
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV CA-1
        Validity
            Not Before: Jun 10 00:00:00 2013 GMT
            Not After : Sep  2 12:00:00 2015 GMT
        Subject: businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107, C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ed:d3:89:c3:5d:70:72:09:f3:33:4f:1a:72:74:
                    d9:b6:5a:95:50:bb:68:61:9f:f7:fb:1f:19:e1:da:
                    04:31:af:15:7c:1a:7f:f9:73:af:1d:e5:43:2b:56:
                    09:00:45:69:4a:e8:c4:5b:df:c2:77:52:51:19:5b:
                    d1:2b:d9:39:65:36:a0:32:19:1c:41:73:fb:32:b2:
                    3d:9f:98:ec:82:5b:0b:37:64:39:2c:b7:10:83:72:
                    cd:f0:ea:24:4b:fa:d9:94:2e:c3:85:15:39:a9:3a:
                    f6:88:da:f4:27:89:a6:95:4f:84:a2:37:4e:7c:25:
                    78:3a:c9:83:6d:02:17:95:78:7d:47:a8:55:83:ee:
                    13:c8:19:1a:b3:3c:f1:5f:fe:3b:02:e1:85:fb:11:
                    66:ab:09:5d:9f:4c:43:f0:c7:24:5e:29:72:28:ce:
                    d4:75:68:4f:24:72:29:ae:39:28:fc:df:8d:4f:4d:
                    83:73:74:0c:6f:11:9b:a7:dd:62:de:ff:e2:eb:17:
                    e6:ff:0c:bf:c0:2d:31:3b:d6:59:a2:f2:dd:87:4a:
                    48:7b:6d:33:11:14:4d:34:9f:32:38:f6:c8:19:9d:
                    f1:b6:3d:c5:46:ef:51:0b:8a:c6:33:ed:48:61:c4:
                    1d:17:1b:bd:7c:b6:67:e9:39:cf:a5:52:80:0a:f4:
                    ea:cd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:4C:58:CB:25:F0:41:4F:52:F4:28:C8:81:43:9B:A6:A8:A0:E6:92:E5

            X509v3 Subject Key Identifier: 
                87:D1:8F:19:6E:E4:87:6F:53:8C:77:91:07:50:DF:A3:BF:55:47:20
            X509v3 Subject Alternative Name: 
                DNS:github.com, DNS:www.github.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 
                URI:http://crl3.digicert.com/evca1-g2.crl
                URI:http://crl4.digicert.com/evca1-g2.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.114412.2.1
                  CPS: http://www.digicert.com/ssl-cps-repository.htm
                  User Notice:
                    Explicit Text: 

            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceEVCA-1.crt

            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha1WithRSAEncryption
        5f:15:6d:67:c3:3a:d5:a3:de:16:9c:45:33:26:d5:3d:c9:16:
        74:34:ca:87:48:1b:14:90:6d:f5:ab:47:86:b9:f5:b8:e3:01:
        45:65:68:ee:a9:12:75:9f:76:26:ef:11:7c:7d:38:cf:dd:f7:
        4a:19:09:f1:20:72:92:b0:4d:27:ba:e8:7f:5d:b4:17:e4:3a:
        41:26:49:c7:74:61:68:2f:06:3c:c5:9f:49:3c:8e:7b:be:0b:
        f3:2e:8f:3e:7f:01:f2:66:9d:d5:9b:fa:39:21:82:c4:41:58:
        92:a3:e9:e5:39:25:10:f1:80:15:aa:ee:8a:72:c3:ff:7b:ad:
        76:52:2a:92:f9:43:01:9a:07:71:f4:a3:c3:0f:36:72:e0:c2:
        59:0b:68:5b:7d:4a:17:8f:d0:39:e2:62:4d:f1:cb:84:38:fc:
        b0:dd:cd:f2:28:e7:2a:fe:1e:3c:2b:35:60:b9:05:e2:49:d2:
        5b:c1:fa:8d:21:b4:3d:a0:93:3e:63:30:e3:cd:2e:b6:f9:30:
        ad:35:23:56:cd:66:f0:00:16:42:9a:e4:31:2b:4a:04:39:26:
        d3:99:b8:71:50:5e:eb:34:3d:ff:fa:6c:7d:bb:c7:18:ff:fe:
        ee:03:12:d6:61:2e:60:21:99:42:6f:17:1f:d2:59:22:29:21:
        c9:07:7d:7d

I like Ubuntu's manpages, but this is not Ubuntu or even Debian specific. Here are some links for further reading: