Is there a way to check if an SSL certificate is valid without installing on a web server?

Question

Is there a way to check if an SSL certificate is valid without installing on a web server?

Are there any tools or mechanisms (mechanisms) that can help verify the SSL certificate issued by the CA before installing it on the target web server?

+6

ssl https ca digital-certificate

Suresh kumar 30 sept '13 at 8:28

source share

2 answers

The best and easiest way to verify the SSL issued by your CA is to decode it.

Here is a useful link to help you do this: http://www.sslshopper.com/csr-decoder.html

Hope this helps!

+6

Reinad Oct 11 '13 at 20:53

source share

Christian heimes · Accepted Answer · 2013-09-30T09:02:42+0000

Yes, you can use openssl to create a test server for your certificate using the s_server command. This creates a minimal SSL / TLS server that responds to HTTP requests on port 8080:

openssl s_server -accept 8080 -www -cert yourcert.pem -key yourcert.key -CAfile chain.pem

yourcert.pem is an X.509 certificate, yourcert.key is your private key, and chain.pem contains a chain of trust between your certificate and the root certificate. Your CA should have provided you with its ccp.pem and chain.pem files.

Then use openssl s_client to connect:

 openssl s_client -connect localhost:8080 -showcerts -CAfile rootca.pem

or on Linux:

 openssl s_client -connect localhost:8080 -showcerts -CApath /etc/ssl/certs

Caution: this command does not check if the host name matches the CN (common name) or SAN (subjectAltName) of your certificate. OpenSSL does not yet have a routine for the task. It will be added in OpenSSL 1.1.

Is there a way to check if an SSL certificate is valid without installing on a web server?

More articles: