Verify Certificate With OpenSSL

The short answer

To check the expiration date of a PEM certificate and thus verify that it is still valid, you can use the following openssl x509 command:

$ openssl x509 -in <cert>  -noout -enddate

Which will write to the standard output the notAfter field of the certificate.

For example:

$ openssl x509 -in mycert.cer -noout -enddate
notAfter=Sep 19 23:59:59 2023 GMT

You can learn more about generating self-signed certificates with our article on how to generate a certificate signing request.

Easily retrieve this command using Warp’s AI Command Search

If you’re using Warp as your terminal, you can easily retrieve this command using the Warp AI Command Search feature:

‍

Entering check certificate expiration openssl in the AI Command Search will prompt an openssl command that can then quickly be inserted into your shell by doing CMD+ENTER.

Verifying a file certificate

To decode and verify an entire certificate, you can use the following command:

$ openssl x509 -in <cert>  -noout -text

Where:

• cert is the path to the file certificate.
• The -noout flag is used to prevent the output of the encoded version of the request.
• The -text flag is used to output the certificate in text form, including its public key, signature algorithms, etc.

For example:

$ openssl x509 -in /etc/nginx/ssl/cert.pem -noout -text

Verifying a website’s certificate

To verify the certificate of a website, you can use the following openssl s\_client command:

$ openssl s_client -connect <domain>:443

Which will retrieve the website's certificate identified by domain (e.g. example.com) and output its details in the terminal window, including its chain, issuer, and other information.

For example:

$ openssl s_client -connect google.com:443

Once downloaded, you can close the client connection by pressing CTRL + c.

Alternatively, you can use the pipe operator combined with the openssl x509 command to directly decode and verify the certificate as follows:

$ openssl s_client -connect <domain>:443 | openssl x509 -noout -text

Note that to save the certificate into a file on your local machine for future processing, you can use the output redirection operator as follows:

$ openssl s_client -connect <domain>:443 > cert.pem

Verifying a certificate and a private key match

To verify that a certificate and a private key match, you can compare their modulus by first extracting the modulus of the certificate using the following command:

$ openssl x509 -noout -modulus -in <certificate>> cert_mod

Then, by extracting the modulus of the private key using the following command:

$ openssl rsa -noout -modulus -in <private_key> > pkey_mod

Finally, by comparing these two files using the diff command:

$ diff cert_mod pkey_mod

Which will result in no output if the files are identical.

Verifying a certificate chain

A certificate chain is a series of certificates that are linked together to establish trust and verify the authenticity of a digital certificate.

To verify a certificate chain, you can use the openssl verify command as follows:

$ openssl verify -untrusted <intermediary-certificate> <certificate>

Where:

• The -untrusted flag is used to specify the file path of the intermediate certificate.