Is there a way to check if the SSL digital certificate is valid without installing on the web server?

StackOverflow https://stackoverflow.com/questions/19089644

Frage

Are there any tools or mechanism(s) which can help validate a CA issued SSL certificate before installing it on the target web server?

War es hilfreich?

Lösung

Yes, you can use openssl to create a test server for your certificate with the s_server command. This creates a minimal SSL/TLS server that responds to HTTP requests on port 8080:

openssl s_server -accept 8080 -www -cert yourcert.pem -key yourcert.key -CAfile chain.pem

yourcert.pem is the X.509 certificate, yourcert.key is your private key and chain.pem contains the chain of trust between your certificate and a root certificate. Your CA should have given you yourcert.pem and chain.pem.

Then use openssl's s_client to make a connection:

openssl s_client -connect localhost:8080 -showcerts -CAfile rootca.pem

or on Linux:

openssl s_client -connect localhost:8080 -showcerts -CApath /etc/ssl/certs

Caution: That command doesn't verify that the host name matches the CN (common name) or SAN (subjectAltName) of your certificate. OpenSSL doesn't have a routine for the task yet. It's going to be added in OpenSSL 1.1.

Andere Tipps

The best and easiest way to validate the SSL issued by your CA is to decode it.

Here is a helpful link the will help you do that: http://www.sslshopper.com/csr-decoder.html

Hope this helps!

Lizenziert unter: CC-BY-SA mit Zuschreibung
Nicht verbunden mit StackOverflow
scroll top