How can I verify SSL certificates on the command line?

  • I'm trying to validate/verify that the rsa key, ca-bundle, and certificate stored here are ok. They are not being served by a webserver. How can I verify them?

    Look at the `openssl x509` manual section.

    The OpenSSL verify manual can help you here. Also see this page, which has some excellent examples.

  • Andy (correct answer), 9 years ago

    Assuming your certificates are in PEM format, you can do:

    openssl verify cert.pem

    If your "ca-bundle" is a file containing additional intermediate certificates in PEM format:

    openssl verify -untrusted ca-bundle cert.pem

    If your openssl isn't set up to automatically use an installed set of root certificates (e.g. in /etc/ssl/certs), then you can use -CApath or -CAfile to specify the CA.

    Warning: the `openssl verify` command is more permissive than you might expect! By default, in addition to checking the given CAfile, it also checks for any matching CAs in the system's certs directory, e.g. /etc/ssl/certs. To prevent this behavior and make sure you're checking against your particular CA cert given by CAfile, you must also pass a -CApath option with a non-existent directory, e.g.: `openssl verify -verbose -CApath nosuchdir -CAfile cacert.pem server.crt`

    One further caveat: If you use `-CApath nosuchdir` then the combination of server.crt and cacert.pem must include the root CA; if openssl can only work up to an intermediate CA with those files then it will complain.

License under CC-BY-SA with attribution
