Saminnet-Search Article Wiki Forum Piwigo SNS Cloud vtiger Sugar
OpenSSL verify

OpenSSL verify

Before you set up your certificates, it's a good idea to test them to ensure that they are correct and will work together. Here's how you can test the validity of an SSL certificate - also see below for additional checks, especially if your key or certificate is in a different format thanツ.keyツorツ.crt:


  • For these examples, assume thatツcertificate.crtツis the certificate to be uploaded,ツcertificate.keyツis the private key for that certificate, and that the certificate chain information is found inツcertificate-chain.crt.
  • This article assumes you have OpenSSL installed in a place you can test with it.
  • For full details on the OpenSSL flags, see theツOpenSSL man page.
  1. Open a command prompt window andツcdツto the location of your existing certificate, and then verify the certificate chain by using the following command:
    openssl verify -CAfile certificate-chain.crt certificate.crt

    If the response isツOK, the check is valid.

  2. Verify that the public keys contained in the private key file and the certificate are the same:
    openssl x509 -in certificate.crt -noout -pubkey
    openssl rsa -in certificate.key -pubout

    The output of these two commands should be exactly the same.

  3. Verify that the private key and public key are a key pair that match:
    openssl rsa -noout -modulus -in certificate.key | openssl md5
    openssl x509 -noout -modulus -in certificate.crt | openssl md5

    The output of these two commands must be exactly the same.

  4. Check the dates that the certificate is valid:
    openssl x509 -noout -in certificate.crt -dates

    Ensure that the current date is between the certificate's start and end dates.

  5. Check the order of your certificates.

    The most common reason for a certificate deployment to fail is that the intermediate/chain certificates are not in the correct order. One method of checking the order via the command is:
    openssl crl2pkcs7 -nocrl -certfile $BUNDLED_CERT | openssl pkcs7 -print_certs -noout

    Your output should look similar to this:

    openssl crl2pkcs7 -nocrl -certfile $BUNDLED_CERT | openssl pkcs7 -print_certs -noout
    subject=/C=US/ST=Massachusetts/L=Boston/O=Acquia Inc/OU=Acquia Hosting/
    issuer=/C=US/O=DigiCert Inc/ SHA2 High Assurance Server CA
    subject=/C=US/O=DigiCert Inc/ SHA2 High Assurance Server CA
    issuer=/C=US/O=DigiCert Inc/ High Assurance EV Root CA
    subject=/C=US/O=DigiCert Inc/ High Assurance EV Root CA
    issuer=/C=US/O=DigiCert Inc/ High Assurance EV Root CA

    These need to conclude with the root certificate or cert most proximate to the root.

Other checks and format conversions

You may have a key or a certificate in a different format than the standard. You can readツWhat is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?ツfor more information on different key formats. Here are some checks you can use:

  • Check to see if your Test Key is in PEM format:

    openssl rsa -inform PEM -in /tmp/certificate.key
  • Check to see if your Test Certificate is in PEM format:

    openssl x509 -inform PEM -in /tmp/certificate.crt
  • View the entire contents of the certificate:

    openssl x509 -in certificate.crt -noout -text
  • Check to see if your Test Certificate is in DER format:

    openssl x509 -in certificate.crt -inform DER -text -noout
  • Convert a certificate in crt format to PEM:

    openssl x509 -in certificate.crt -out certificate.pem -outform PEM
  • Convert a DER format to PEM:

    openssl x509 -in certificate.der -inform DER -out certificate.pem -outform PEM

Add comment

Articles by Date

Category Database

TweetTweet Share on LinkedInShare on LinkedIn Share on Google+Google+ Submit to RedditReddit Publish on WordPress WordPress Send emailSend email