Check SSL certificates

This post is mostly a collection of commands to check SSL certificates and make sure they are what you think they are. Especially when things do not go as expected, these commands are handy to have around. First, some definitions. We call the signed certificate cert.crt, the private key server.key, the certificate signing request cert.csr and any intermediate/chain certificates chain.pem. Substitute your own file names in the commands below. It’s assumed you have all these certificates in the PEM format, for easy use with Apache’s mod_ssl.

Checking if the CSR actually contains the public key from your server key

You need to compare the modulus of the private key and the certificate signing request. The output of these two commands should be identical if the CSR was made with this server key.

$ openssl rsa -noout -modulus -in server.key | openssl md5
$ openssl req -noout -modulus -in cert.csr | openssl md5

Checking if a signed certificate was actually created from the CSR that you created

You need to compare the modulus of both files. The output of the two commands should be the same.

$ openssl x509 -noout -modulus -in cert.crt | openssl md5
$ openssl req -noout -modulus -in cert.csr | openssl md5

Checking if a signed certificate actually contains the public key from your server key

This should be obvious if you read the two items above. The output of both commands should be the same.

$ openssl x509 -noout -modulus -in cert.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5

Checking if the chain file actually applies to the signed certificate

Verify the certificate against the intermediate/chain certificates. The chain applies if the last line of the output is cert.crt: OK.

$ openssl verify -CAfile chain.pem -verbose cert.crt

Output the details from a certificate signing request

$ openssl req -text -in cert.csr

Output the details from a signed certificate

$ openssl x509 -text -in cert.crt
