Monday, May 11, 2009

Verify ssl certificates and keys

The following openssl commands are handy for verifying/inspecting/converting keys/certificates and inspecting CRLs:

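# Check a private key for consistency (-text also prints the private key components, so drop it if you only need the check)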
openssl rsa -in /etc/apache2/ssl/server.key -check -noout -text

# Verify this cert against this CA list
openssl verify -verbose -purpose sslserver -CAfile /etc/ssl/cacert.pem /etc/apache2/ssl/server.pem

# Display cert details
openssl x509 -in /var/cert.pem -text -noout

# What purposes does this cert have? (-noout suppresses the PEM copy of the cert)
openssl x509 -in mycert.pem -noout -purpose

# Connect to a server and show the certs
openssl s_client -debug -connect localhost:443 -showcerts

# Inspect a CRL
openssl crl -inform DER -in blah.crl -text -noout

# Convert DER (.crt .cert .der) to PEM
openssl x509 -inform der -in cert.cer -out cert.pem

# Inspect DER without converting
openssl x509 -inform der -in cert.cer -noout -text
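
A related check is whether a private key actually belongs to a given certificate. The script below is an added example, not part of the original post: it compares the public key derived from the key file with the one embedded in the certificate. The function names, the `example.test` subject and the throwaway key pairs it generates are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a private key and a certificate belong together.

# Return 0 if the public key derived from key file $1 equals the public key
# embedded in certificate $2, 1 if they differ, 2 if either file is unreadable.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    # Guard against two empty strings comparing equal.
    [ -n "$from_key" ] || return 2
    [ "$from_key" = "$from_cert" ]
}

# Constructed sample data: a throwaway self-signed cert and key, $1/$2.{key,pem}.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Generate two unrelated pairs and test a.key against both certificates.
demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir" a && make_sample "$dir" b || { rm -rf "$dir"; return 1; }
    for cert in a b; do
        if key_matches_cert "$dir/a.key" "$dir/$cert.pem"; then
            echo "a.key matches $cert.pem"
        else
            echo "a.key does NOT match $cert.pem"
        fi
    done
    rm -rf "$dir"
}

demo
```

Against the files used in the commands above, the call would be `key_matches_cert /etc/apache2/ssl/server.key /etc/apache2/ssl/server.pem`.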
