OpenSSL verify


Before you set up your certificates, it's a good idea to test them to ensure that they are correct and will work together. Here's how you can test the validity of an SSL certificate - also see below for additional checks, especially if your key or certificate is in a different format than .key or .crt:


  • For these examples, assume that certificate.crt is the certificate to be uploaded, certificate.key is the private key for that certificate, and that the certificate chain information is found in certificate-chain.crt.
  • This article assumes you have OpenSSL installed in a place you can test with it.
  • For full details on the OpenSSL flags, see the OpenSSL man page.
  1. Open a command prompt window and cd to the location of your existing certificate, and then verify the certificate chain by using the following command:
    openssl verify -CAfile certificate-chain.crt certificate.crt

    If the response is OK, the check is valid.

  2. Verify that the public keys contained in the private key file and the certificate are the same:
    openssl x509 -in certificate.crt -noout -pubkey
    openssl rsa -in certificate.key -pubout

    The output of these two commands should be exactly the same.

  3. Verify that the private key and the certificate's public key are a matching key pair:
    openssl rsa -noout -modulus -in certificate.key | openssl md5
    openssl x509 -noout -modulus -in certificate.crt | openssl md5

    The output of these two commands must be exactly the same.

  4. Check the dates that the certificate is valid:
    openssl x509 -noout -in certificate.crt -dates

    Ensure that the current date is between the certificate's start and end dates.

  5. Check the order of your certificates.

    The most common reason for a certificate deployment to fail is that the intermediate/chain certificates are not in the correct order. One method of checking the order from the command line is:
    openssl crl2pkcs7 -nocrl -certfile $BUNDLED_CERT | openssl pkcs7 -print_certs -noout

    Your output should look similar to this:

    openssl crl2pkcs7 -nocrl -certfile $BUNDLED_CERT | openssl pkcs7 -print_certs -noout
    subject=/C=US/ST=Massachusetts/L=Boston/O=Acquia Inc/OU=Acquia Hosting/
    issuer=/C=US/O=DigiCert Inc/ SHA2 High Assurance Server CA
    subject=/C=US/O=DigiCert Inc/ SHA2 High Assurance Server CA
    issuer=/C=US/O=DigiCert Inc/ High Assurance EV Root CA
    subject=/C=US/O=DigiCert Inc/ High Assurance EV Root CA
    issuer=/C=US/O=DigiCert Inc/ High Assurance EV Root CA

    These need to conclude with the root certificate or cert most proximate to the root.
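
The order check in step 5 can be scripted instead of read by eye. The following is an added example, not part of the original article; the function name check_chain_order and the sample distinguished names are constructed for illustration.

```shell
#!/bin/sh
# Reads the "subject=" / "issuer=" lines printed by
#   openssl crl2pkcs7 -nocrl -certfile "$BUNDLED_CERT" | openssl pkcs7 -print_certs -noout
# on stdin. Exit 0: every certificate is issued by the one that follows it.
# Exit 1: first out-of-order pair is reported. Exit 2: no certificates in the input.
check_chain_order() {
    awk '
        { sub(/[ \t\r]+$/, "") }                      # drop trailing whitespace / CR
        /^subject=/ { n++; subj[n] = substr($0, 9) }  # text after "subject="
        /^issuer=/  { iss[n] = substr($0, 8) }        # text after "issuer="
        END {
            if (n == 0) { print "no certificates found"; exit 2 }
            for (i = 1; i < n; i++)
                if (iss[i] != subj[i + 1]) {
                    printf "cert %d is not issued by cert %d\n", i, i + 1
                    printf "  issuer of cert %d : %s\n", i, iss[i]
                    printf "  subject of cert %d: %s\n", i + 1, subj[i + 1]
                    exit 1
                }
            if (iss[n] == subj[n]) print "order OK, ends at self-signed root: " subj[n]
            else print "order OK, ends at intermediate issued by: " iss[n]
        }'
}

# Constructed sample input (hypothetical names): leaf, intermediate, root.
GOOD_ORDER='subject=/C=US/O=Example Corp/CN=www.example.test
issuer=/C=US/O=Example Trust/CN=Example Intermediate CA
subject=/C=US/O=Example Trust/CN=Example Intermediate CA
issuer=/C=US/O=Example Trust/CN=Example Root CA
subject=/C=US/O=Example Trust/CN=Example Root CA
issuer=/C=US/O=Example Trust/CN=Example Root CA'

# Constructed sample input: the same bundle with root and intermediate swapped.
BAD_ORDER='subject=/C=US/O=Example Corp/CN=www.example.test
issuer=/C=US/O=Example Trust/CN=Example Intermediate CA
subject=/C=US/O=Example Trust/CN=Example Root CA
issuer=/C=US/O=Example Trust/CN=Example Root CA
subject=/C=US/O=Example Trust/CN=Example Intermediate CA
issuer=/C=US/O=Example Trust/CN=Example Root CA'

printf '%s\n' "$GOOD_ORDER" | check_chain_order
printf '%s\n' "$BAD_ORDER"  | check_chain_order || echo "(exit status $?)"
```

This compares names only; the signature check is still the openssl verify command in step 1.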

Other checks and format conversions

You may have a key or a certificate in a different format than the standard. You can read What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats? for more information on different key formats. Here are some checks you can use:

  • Check to see if your Test Key is in PEM format:

    openssl rsa -inform PEM -in /tmp/certificate.key
  • Check to see if your Test Certificate is in PEM format:

    openssl x509 -inform PEM -in /tmp/certificate.crt
  • View the entire contents of the certificate:

    openssl x509 -in certificate.crt -noout -text
  • Check to see if your Test Certificate is in DER format:

    openssl x509 -in certificate.crt -inform DER -text -noout
  • Convert a certificate in crt format to PEM:

    openssl x509 -in certificate.crt -out certificate.pem -outform PEM
  • Convert a DER format to PEM:

    openssl x509 -in certificate.der -inform DER -out certificate.pem -outform PEM
