quickreference:ssl
Differences
This shows you the differences between two versions of the page.
Next revision | Previous revision | ||
quickreference:ssl [2019/08/13 02:20] – created rodolico | quickreference:ssl [2024/03/04 16:03] (current) – rodolico | ||
---|---|---|---|
Line 2: | Line 2: | ||
- | ===== Determine expiration date of ssl cert ===== | + | ===== Get Certificate from remote host ===== |
+ | |||
+ | Ever wondered when your SMTP SSL Certificates are up for renewal? What DNS entries your certificates have? A quick and dirty way of doing it from the command line was shown at | ||
+ | * https:// | ||
+ | * https:// | ||
+ | |||
+ | Note: the discussions covered other things, and are well worth a 5 minute read. | ||
+ | |||
+ | This is a quick and dirty that will get the certificate (and a lot of other stuff), but the certificate is in its MIME encoded format. | ||
<code bash> | <code bash> | ||
- | openssl s_client | + | printf ' |
+ | openssl s_client -connect | ||
</ | </ | ||
- | SERVER - Name to check. May be an alias for HOST, or may be the same | + | This basically makes a connection |
- | HOST - Actually who to contact. May be IP, or an DNS name. May be same as SERVER | + | |
- | PORT - Port to connect to (ie, 465 for smtp over SSL, 443 for https) | + | |
- | Return something | + | You can do the same thing for other ports, |
- | < | + | |
- | notBefore=Jul 20 06:54:48 2019 GMT | + | < |
- | notAfter=Oct 18 06:54:48 2019 GMT | + | printf ' |
+ | openssl s_client -connect smtp.example.com:465 | ||
</ | </ | ||
+ | |||
+ | If you want to test an IMAP server, you need to send it a different logout (the first line). To log out of it, you need //a1 logout// followed by a line return, so | ||
+ | |||
+ | <code bash> | ||
+ | printf 'a1 logout\n' | ||
+ | openssl s_client -connect mail.example.com: | ||
+ | </ | ||
+ | |||
+ | Again, connecting to imaps (port 993), you just don't do the starttls | ||
+ | |||
+ | <code bash> | ||
+ | printf 'a1 logout\n' | ||
+ | openssl s_client -connect mail.example.com: | ||
+ | </ | ||
+ | |||
+ | And, finally, to look at a web site certificate, | ||
+ | <code bash> | ||
+ | printf " | ||
+ | openssl s_client -showcerts -servername web.example.com -connect web.example.com: | ||
+ | </ | ||
+ | |||
+ | All the above is well and good, but it would be nice to decode the certificate, | ||
+ | |||
+ | ==== Dump the certificate ==== | ||
+ | |||
+ | Turning the certificate into something a human can read is done with the command //-text// flag, so let's pipe the output of the previous command to that. | ||
+ | |||
+ | <code bash> | ||
+ | printf ' | ||
+ | openssl s_client -connect smtp.example.com: | ||
+ | openssl x509 -text -noout | ||
+ | </ | ||
+ | |||
+ | If you want to find what names the certificate is valid for, they are on a line which contains the text DNS, so grepping the output of the above will give you what you need without reading the whole thing. | ||
+ | |||
+ | <code bash> | ||
+ | printf ' | ||
+ | openssl s_client -connect smtp.example.com: | ||
+ | openssl x509 -text -noout | \ | ||
+ | grep DNS | ||
+ | </ | ||
+ | |||
+ | ==== Get Dates ==== | ||
+ | |||
+ | You could use //grep// to find the expiration date of a certificate | ||
+ | |||
+ | <code bash> | ||
+ | printf ' | ||
+ | openssl s_client -connect smtp.example.com: | ||
+ | openssl x509 -text -noout | \ | ||
+ | grep 'Not After :' | ||
+ | </ | ||
+ | |||
+ | But, the openssl x509 has a special flag for that, //-dates//, so it is simpler to write it as | ||
+ | |||
+ | <code bash> | ||
+ | printf ' | ||
+ | openssl s_client -connect smtp.example.com: | ||
+ | openssl x509 -dates -noout | ||
+ | </ | ||
+ | |||
+ | ==== Other ==== | ||
+ | |||
+ | Again, //man openssl-x509// | ||
+ | -serial - the serial number of the certificate | ||
+ | -subject - Subject Name | ||
+ | -issuer - Issuer Name | ||
+ | -startdate - beginning date of certificate (notBefore) | ||
+ | -enddate - expiry date of certificate (notAfter) | ||
+ | |||
+ | ===== Links ===== | ||
+ | |||
+ | * https:// | ||
+ | * https:// | ||
+ |
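Review bot: In the added paragraph ahead of the first code block, "the certificate is in its MIME encoded format" should read PEM (Base64 between the BEGIN CERTIFICATE and END CERTIFICATE lines). That is the form the later `openssl x509 -text -noout` and `openssl x509 -dates -noout` pipelines consume, and "MIME" points readers at the wrong thing. The revision also drops the old sample output (the `notBefore=` / `notAfter=` lines) and the new "Get Dates" section shows none, so consider keeping that sample under the `-dates` example so readers know what a successful run looks like. In the "Other" section, the `-serial` through `-enddate` lines have no list markers, unlike the `*` entries under "Links", so they will render as one run-on paragraph.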
quickreference/ssl.1565680839.txt.gz · Last modified: 2019/08/13 02:20 by rodolico