SSL certificates are an important part of online security. They create a secure connection between your website and your visitors, which helps to protect their data. In order to keep your website safe, it is important to make sure that your SSL certificate is up-to-date and working properly.
In this blog post, we will discuss 6 ways to check your SSL certificate. SSL/TLS certificates verify and validate the identity of the certificate holder or applicant before authenticating it.
Check SSL certificate using web browser
One of the simplest ways to check an SSL certificate is through a web browser. When you visit a website, look for the padlock icon in the browser’s address bar.
Clicking on the padlock will display the certificate information, including the certificate issuer, validity dates, and encryption details. This method allows you to quickly verify the basic certificate information.
Check SSL certificate from a certificate file with Openssl command
The OpenSSL command is a tool used to manage SSL certificates. It can be used to view information about SSL certificates, as well as to troubleshoot and fix problems with them.
We can use the flowing command to check the SSL certificate.
openssl x509 -text -in certificate.crt -noout
The OpenSSL x509 command allows you to view the details of an SSL certificate. It can be used to view the certificate’s issuer, validity dates, and other information. To use the command, open a terminal and type “openssl x509 -in certificate_file -text”. This will print the text contents of the certificate to the terminal.
Example:
openssl x509 -in hydssl.cer -text -noout
You can also use the OpenSSL x509 command to check the expiration date of an SSL certificate.
To do this, type
openssl x509 -in certificate_file -checkend N
where N is the number of days in the future you want to check.
For example, if you wanted to check if a certificate will expire within the next 30 days, you would type “openssl x509 -in certificate_file -checkend 2592000”.
If you want to view the issuing authority of an SSL certificate, you can use the “-issuer” option. For example, “openssl x509 -in certificate_file -issuer”. This will print the issuer’s name and other information to the terminal.
You can also use the OpenSSL x509 command to check the revocation status of an SSL certificate.
To do this, type
openssl x509 -in certificate_file -CRL
This will print the Certificate Revocation List to the terminal. If a certificate is on this list, it has been revoked and should not be trusted.
Check SSL certificate from a server URL
The OpenSSL s_client command allows you to connect to an SSL server and view the certificate information. It can be used to verify that the SSL certificate is valid and has not been revoked.
To use the command, open a terminal and type “openssl s_client -connect server:port”. This will connect to the server on the specified port and print the certificate information to the terminal.
openssl s_client -servername <NAME> -connect <HOST:PORT> 2>/dev/null | openssl x509 -noout -text
Example:
echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -text
openssl s_client -servername google.com -connect google.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Aug 16 01:37:02 2021 GMT
notAfter=Nov 8 01:37:01 2021 GMT
Let’s break down the command:
openssl s_client -servername google.com -connect google.com:443establishes a secure connection to the specified domain (google.com) on port 443 using the OpenSSL “s_client” command. It simulates a client connection to the server.-servername google.comspecifies the server name as google.com, ensuring that the proper SSL/TLS handshake is performed.
2>/dev/nullredirects any error messages (stderr) to /dev/null, effectively suppressing them. This helps keep the output clean and focused on the certificate information.- The pipe symbol (|) takes the output from the previous command and passes it as input to the next command.
openssl x509 -noout -datesis the second part of the command. It uses OpenSSL’s “x509” command to process the SSL certificate and extract specific information, in this case, the validity dates.-nooutoption ensures that only the specified information is displayed, excluding other certificate details.-datesoption instructs OpenSSL to display the certificate’s notBefore and notAfter dates, which indicate the period of validity for the certificate.
The output you provided shows the certificate’s validity dates for the domain google.com:
notBefore=Aug 16 01:37:02 2021 GMTindicates the date and time when the certificate became valid (August 16, 2021, at 01:37:02 GMT).notAfter=Nov 8 01:37:01 2021 GMTindicates the date and time when the certificate will expire (November 8, 2021, at 01:37:01 GMT).
By running this command, you can quickly retrieve and verify the expiration dates of SSL certificates for different domains.
Understanding openssl command options
The openssl is a very useful diagnostic tool for TLS and SSL servers. The openssl command-line options are as follows:
- s_client : The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS.
- -servername $DOM : Set the TLS SNI (Server Name Indication) extension in the ClientHello message to the given value.
- -connect $DOM:$PORT : This specifies the host ($DOM) and optional port ($PORT) to connect to.
- x509 : Run certificate display and signing utility.
- -noout : Prevents output of the encoded version of the certificate.
- -dates : Prints out the start and expiry dates of a TLS or SSL certificate.
Check SSL certificate from online Certificate Decoder
The SSL Certificate Decoder tool instantly decodes any SSL Certificate-no matter what format: PEM, DER, or PFX encoded SSL Certificates. It works quickly and accurately to strip all the information from our certificate and present it in an easy-to-understand way.
To use the certificate decoder tool, paste our certificate into the field below and let the certificate decoder do the rest.
https://comodosslstore.com/ssltools/cert-decoder.php
Example:
- Common Name : HydrantID Server CA O1
- Organization : IdenTrust
- Organization Unit : HydrantID Trusted Certificate Service
- Country : US
- Valid From : Dec 12,2019
- Valid To : Dec 12,2029
- Issuer : IdenTrust
- Serial Number : 85078034981552318268408137974808230776
Check SSL certificate from the online tool
There are many online tools to check the SSL certificate info. https://www.digicert.com/help/ is one of them.
We can input the domain name to check it. All the info in the certificate will be displayed including the expiration date. This will also display the expiration date for all the intermediate certificates.
- Enter the domain: In the provided text field, enter the domain name for which you want to check the SSL certificate. For example, enter “example.com” or any other domain you wish to examine.
- Click on the “Check” or “Submit” button to initiate the SSL certificate check. The tool will start the verification process and retrieve the certificate details for the specified domain.
- View the results: Once the check is complete, the SSL Certificate Checker will display a comprehensive report containing various aspects of the SSL certificate. This report typically includes information such as the certificate’s validity dates, issuer details, encryption strength, and any detected errors or warnings.
Example:
The certificate expires November 6, 2021 (70 days from today)
Subject howtouselinux.com Valid from 08/Aug/2021 to 06/Nov/2021
Subject R3 Valid from 04/Sep/2020 to 15/Sep/2025
Subject ISRG Root X1Valid from 20/Jan/2021 to 30/Sep/2024Check SSL certificate with curl command
You can also use the curl command to directly connect to a remote server and retrieve its SSL certificate details.
Here’s the command:
curl --cacert /path/to/ca-certificate.crt -I https://remote-server-ip-addressIn this command, you need to replace /path/to/ca-certificate.crt with the path to the CA (Certificate Authority) certificate file that you trust. This file is used to verify the SSL certificate presented by the remote server. If you don’t have a specific CA certificate, you can use the default CA certificates installed on your system.
Replace https://remote-server-ip-address with the actual IP address or hostname of the remote server you want to check. The -I option sends a HEAD request to retrieve the response headers, which include the SSL certificate information.
The output will display the SSL certificate details, such as the subject, issuer, validity dates, and other relevant information.
Let’s see an example.
% curl https://google.com -vI
* Trying 142.251.12.139:443...
* Connected to google.com (142.251.12.139) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted h2
* Server certificate:
* subject: CN=*.google.com
* start date: Jun 19 08:16:09 2023 GMT
* expire date: Sep 11 08:16:08 2023 GMT
* subjectAltName: host "google.com" matched cert's "google.com"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
* SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: HEAD]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: google.com]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x7fb7b000c600)
Note: Ensure that you have the necessary permissions to access the CA certificate file and that you trust the remote server before using this command.
Eric
Monday 9th of January 2023
Thank you for writing this post. It helps me a lot.