:::: MENU ::::

Check SSL certificate of an URL with openssl

  • Jun 25 / 2017
  • 0
Linux

Check SSL certificate of an URL with openssl

You can get standard information about the certificate directly by opening a connection to a website:

openssl s_client -showcerts -connect python.org:443 </dev/null

Answer will be like:

CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL, CN = *.python.org
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.python.org
   i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
-----BEGIN CERTIFICATE-----
MIIE9jCCA96gAwIBAgIQHln71qn2oJvHLSLy+zxhezANBgkqhkiG9w0BAQsFADBf
MQswCQYDVQQGEwJGUjEOMAwGA1UECBMFUGFyaXMxDjAMBgNVBAcTBVBhcmlzMQ4w
DAYDVQQKEwVHYW5kaTEgMB4GA1UEAxMXR2FuZGkgU3RhbmRhcmQgU1NMIENBIDIw
HhcNMTcwMjAyMDAwMDAwWhcNMjAwMjAyMjM1OTU5WjBgMSEwHwYDVQQLExhEb21h
aW4gQ29udHJvbCBWYWxpZGF0ZWQxJDAiBgNVBAsTG0dhbmRpIFN0YW5kYXJkIFdp
bGRjYXJkIFNTTDEVMBMGA1UEAwwMKi5weXRob24ub3JnMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAtQa3kv/HeLbcZb07lBvqM/etX3Cu3vLfvQ2fWQvC
46fAzdQ8eV3p/ZOkqLxaSWlgLATNDOyGBMZLsO1Tg/iEhAMoSa9XZMdax76DAPh1
fdRllDvJ6Z8Mi2BW3KiIEfXhMkFU6M8ROcrvQNh/D8GL8+s/8pgTsuWM5xqmV1ng
8fSE4mD6QdYFtw9T7DgSECLt12KDII01fJnbNWp488PDFt1UKJrPzEMUZ5/osjHE
vlbU1EKwLSKBQsFjMnYq/797VhA30P2LywWkHpZH/6ImGINR1R5legpb+NN5v8kv
9JXXqrwcs/6l63Y0PncedHn/pmbLW0cDaONC7Z/IpJkRLQIDAQABo4IBqzCCAacw
HwYDVR0jBBgwFoAUs5Cn2MmvTs1hPJ98rV1/Qf1pMOowHQYDVR0OBBYEFK1TlIvL
TxQ50kgLdmFfn2MQo8onMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBLBgNVHSAERDBCMDYGCysGAQQB
sjEBAgIaMCcwJQYIKwYBBQUHAgEWGWh0dHBzOi8vY3BzLnVzZXJ0cnVzdC5jb20w
CAYGZ4EMAQIBMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwudXNlcnRydXN0
LmNvbS9HYW5kaVN0YW5kYXJkU1NMQ0EyLmNybDBzBggrBgEFBQcBAQRnMGUwPAYI
KwYBBQUHMAKGMGh0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9HYW5kaVN0YW5kYXJk
U1NMQ0EyLmNydDAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNv
bTAjBgNVHREEHDAaggwqLnB5dGhvbi5vcmeCCnB5dGhvbi5vcmcwDQYJKoZIhvcN
AQELBQADggEBAIdLnn5Rk/RcaFP1zBsbuDTLJpRR1lsMNPjMTJ/mR+h12A8vU76Z
IjhHDTbSS4a/yBAFFyH+83Y/ykY9/FTlVZUwWmzZJA5/RqYoQNq7EXXNAsGp8jcg
KD51NWID4c/rn02uL3+rWUQRRR0+/cYdR4jZQswrd+gRMO5KVPhHnoUIbFQFQ0yS
WwqV8em1GIKHjYtaIuPEbc36elzL14BXN37b+0lWTJDFeeG/K0YNqrYxlCIDUn+3
etbaf0wYVeg5Nl6QGu0Na1F3XTScl+SdkZXfh1e9lIr2U+Pm/yoBNDL5R/HkliAg
ZzgFJZql5yymhSQuZEc7Qe6AvcB58QGvgPo=
-----END CERTIFICATE-----
 1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
-----BEGIN CERTIFICATE-----
MIIF6TCCA9GgAwIBAgIQBeTcO5Q4qzuFl8umoZhQ4zANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQw
OTEyMDAwMDAwWhcNMjQwOTExMjM1OTU5WjBfMQswCQYDVQQGEwJGUjEOMAwGA1UE
CBMFUGFyaXMxDjAMBgNVBAcTBVBhcmlzMQ4wDAYDVQQKEwVHYW5kaTEgMB4GA1UE
AxMXR2FuZGkgU3RhbmRhcmQgU1NMIENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCUBC2meZV0/9UAPPWu2JSxKXzAjwsLibmCg5duNyj1ohrP0pIL
m6jTh5RzhBCf3DXLwi2SrCG5yzv8QMHBgyHwv/j2nPqcghDA0I5O5Q1MsJFckLSk
QFEW2uSEEi0FXKEfFxkkUap66uEHG4aNAXLy59SDIzme4OFMH2sio7QQZrDtgpbX
bmq08j+1QvzdirWrui0dOnWbMdw+naxb00ENbLAb9Tr1eeohovj0M1JLJC0epJmx
bUi8uBL+cnB89/sCdfSN3tbawKAyGlLfOGsuRTg/PwSWAP2h9KK71RfWJ3wbWFmV
XooS/ZyrgT5SKEhRhWvzkbKGPym1bgNi7tYFAgMBAAGjggF1MIIBcTAfBgNVHSME
GDAWgBRTeb9aqitKz1SA4dibwJ3ysgNmyzAdBgNVHQ4EFgQUs5Cn2MmvTs1hPJ98
rV1/Qf1pMOowDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCIGA1UdIAQbMBkwDQYLKwYBBAGy
MQECAhowCAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNl
cnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNy
bDB2BggrBgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRy
dXN0LmNvbS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZ
aHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAWGf9
crJq13xhlhl+2UNG0SZ9yFP6ZrBrLafTqlb3OojQO3LJUP33WbKqaPWMcwO7lWUX
zi8c3ZgTopHJ7qFAbjyY1lzzsiI8Le4bpOHeICQW8owRc5E69vrOJAKHypPstLbI
FhfFcvwnQPYT/pOmnVHvPCvYd1ebjGU6NSU2t7WKY28HJ5OxYI2A25bUeo8tqxyI
yW5+1mUfr13KFj8oRtygNeX56eXVlogMT8a3d2dIhCe2H7Bo26y/d7CQuKLJHDJd
ArolQ4FCR7vY4Y8MDEZf7kYzawMUgtN+zY+vkNaOJH1AQrRqahfGlZfh8jjNp+20
J0CT33KpuMZmYzc4ZCIwojvxuch7yPspOqsactIGEk72gtQjbz7Dk+XYtsDe3CMW
1hMwt6CaDixVBgBwAc/qOR2A24j3pSC4W/0xJmmPLQphgzpHphNULB7j7UTKvGof
KA5R2d4On3XNDgOVyvnFqSot/kGkoUeuDcL5OWYzSlvhhChZbH2UF3bkRYKtcCD9
0m9jqNf6oDP6N8v3smWe2lBvP+Sn845dWDKXcCMu5/3EFZucJ48y7RetWIExKREa
m9T8bJUox04FB6b9HbwZ4ui3uRGKLXASUoWNjDNKD/yZkuBjcNqllEdjB+dYxzFf
BT02Vf6Dsuimrdfp5gJ0iHRc2jTbkNJtUQoj1iM=
-----END CERTIFICATE-----
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjAN
BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sIs9CsVw127c0n00yt
UINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnGvDoZtF+mvX2do2NC
tnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQIjy8/hPwhxR79uQf
jtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfbIWax1Jt4A8BQOujM
8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0tyA9yn8iNK5+O2hm
AUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97Exwzf4TKuzJM7UXiV
Z4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNVicQNwZNUMBkTrNN9
N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5D9kCnusSTJV882sF
qV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJWBp/kjbmUZIO8yZ9
HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ5lhCLkMaTLTwJUdZ
+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup8kyX
HAc/DVL17e8vgg8CAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTv
A73gJMtUGjAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/
BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4
dGVybmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0
dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAJNl9jeD
lQ9ew4IcH9Z35zyKwKoJ8OkLJvHgwmp1ocd5yblSYMgpEg7wrQPWCcR23+WmgZWn
RtqCV6mVksW2jwMibDN3wXsyF24HzloUQToFJBv2FAY7qCUkDrvMKnXduXBBP3zQ
YzYhBx9G/2CkkeFnvN4ffhkUyWNnkepnB2u0j4vAbkN9w6GAbLIevFOFfdyQoaS8
Le9Gclc1Bb+7RrtubTeZtv8jkpHGbkD4jylW6l/VXxRTrPBPYer3IsynVgviuDQf
Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p
0fKtirOMxyHNwu8=
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.python.org
issuer=/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4712 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: CA736CD734AA037795DE0BDCE046E201AD47343EB3E70F63F60BEC0E477F354E
    Session-ID-ctx:
    Master-Key: 72EC4ADFDFCC6DF2D2E7B086F39DB021891B2F5752D9DC8CFA8C86124085E6B223673C00B140553751654E030D39ADC0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1497599739
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

But this is not giving you some interesting information like the expiration date for example! To work around that, you can simply redirect the output (certificate) to openssl and ask for some specific information:

openssl s_client -showcerts -connect python.org:443 </dev/null |openssl x509 -dates -text -noout

This time, output will be:

depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL, CN = *.python.org
verify return:1
DONE
notBefore=Feb  2 00:00:00 2017 GMT
notAfter=Feb  2 23:59:59 2020 GMT
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1e:59:fb:d6:a9:f6:a0:9b:c7:2d:22:f2:fb:3c:61:7b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
        Validity
            Not Before: Feb  2 00:00:00 2017 GMT
            Not After : Feb  2 23:59:59 2020 GMT
        Subject: OU=Domain Control Validated, OU=Gandi Standard Wildcard SSL, CN=*.python.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b5:06:b7:92:ff:c7:78:b6:dc:65:bd:3b:94:1b:
                    ea:33:f7:ad:5f:70:ae:de:f2:df:bd:0d:9f:59:0b:
                    c2:e3:a7:c0:cd:d4:3c:79:5d:e9:fd:93:a4:a8:bc:
                    5a:49:69:60:2c:04:cd:0c:ec:86:04:c6:4b:b0:ed:
                    53:83:f8:84:84:03:28:49:af:57:64:c7:5a:c7:be:
                    83:00:f8:75:7d:d4:65:94:3b:c9:e9:9f:0c:8b:60:
                    56:dc:a8:88:11:f5:e1:32:41:54:e8:cf:11:39:ca:
                    ef:40:d8:7f:0f:c1:8b:f3:eb:3f:f2:98:13:b2:e5:
                    8c:e7:1a:a6:57:59:e0:f1:f4:84:e2:60:fa:41:d6:
                    05:b7:0f:53:ec:38:12:10:22:ed:d7:62:83:20:8d:
                    35:7c:99:db:35:6a:78:f3:c3:c3:16:dd:54:28:9a:
                    cf:cc:43:14:67:9f:e8:b2:31:c4:be:56:d4:d4:42:
                    b0:2d:22:81:42:c1:63:32:76:2a:ff:bf:7b:56:10:
                    37:d0:fd:8b:cb:05:a4:1e:96:47:ff:a2:26:18:83:
                    51:d5:1e:65:7a:0a:5b:f8:d3:79:bf:c9:2f:f4:95:
                    d7:aa:bc:1c:b3:fe:a5:eb:76:34:3e:77:1e:74:79:
                    ff:a6:66:cb:5b:47:03:68:e3:42:ed:9f:c8:a4:99:
                    11:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:B3:90:A7:D8:C9:AF:4E:CD:61:3C:9F:7C:AD:5D:7F:41:FD:69:30:EA

            X509v3 Subject Key Identifier:
                AD:53:94:8B:CB:4F:14:39:D2:48:0B:76:61:5F:9F:63:10:A3:CA:27
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.26
                  CPS: https://cps.usertrust.com
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.usertrust.com/GandiStandardSSLCA2.crl

            Authority Information Access:
                CA Issuers - URI:http://crt.usertrust.com/GandiStandardSSLCA2.crt
                OCSP - URI:http://ocsp.usertrust.com

            X509v3 Subject Alternative Name:
                DNS:*.python.org, DNS:python.org
    Signature Algorithm: sha256WithRSAEncryption
         87:4b:9e:7e:51:93:f4:5c:68:53:f5:cc:1b:1b:b8:34:cb:26:
         94:51:d6:5b:0c:34:f8:cc:4c:9f:e6:47:e8:75:d8:0f:2f:53:
         be:99:22:38:47:0d:36:d2:4b:86:bf:c8:10:05:17:21:fe:f3:
         76:3f:ca:46:3d:fc:54:e5:55:95:30:5a:6c:d9:24:0e:7f:46:
         a6:28:40:da:bb:11:75:cd:02:c1:a9:f2:37:20:28:3e:75:35:
         62:03:e1:cf:eb:9f:4d:ae:2f:7f:ab:59:44:11:45:1d:3e:fd:
         c6:1d:47:88:d9:42:cc:2b:77:e8:11:30:ee:4a:54:f8:47:9e:
         85:08:6c:54:05:43:4c:92:5b:0a:95:f1:e9:b5:18:82:87:8d:
         8b:5a:22:e3:c4:6d:cd:fa:7a:5c:cb:d7:80:57:37:7e:db:fb:
         49:56:4c:90:c5:79:e1:bf:2b:46:0d:aa:b6:31:94:22:03:52:
         7f:b7:7a:d6:da:7f:4c:18:55:e8:39:36:5e:90:1a:ed:0d:6b:
         51:77:5d:34:9c:97:e4:9d:91:95:df:87:57:bd:94:8a:f6:53:
         e3:e6:ff:2a:01:34:32:f9:47:f1:e4:96:20:20:67:38:05:25:
         9a:a5:e7:2c:a6:85:24:2e:64:47:3b:41:ee:80:bd:c0:79:f1:
         01:af:80:fa

Comments are closed.

Question ? Contact