quickreference:ssl

Differences

quickreference:ssl [2019/08/13 02:20] – created rodolicoquickreference:ssl [2024/03/04 16:03] (current) rodolico
Line 2: Line 2:
  
  
-===== Determine expiration date of ssl cert =====+===== Get Certificate from remote host ===== 
 + 
 +Ever wondered when your SMTP SSL Certificates are up for renewal? What DNS entries your certificates have? A quick and dirty way of doing it from the command line was shown at 
 +  * https://serverfault.com/questions/131627/how-to-inspect-remote-smtp-servers-tls-certificate#131628 
 +  * https://stackoverflow.com/questions/13127352/how-to-check-subject-alternative-names-for-a-ssl-tls-certificate 
 + 
 +Note: the discussions covered other things, and are well worth a 5 minute read. 
 + 
 +This is a quick and dirty that will get the certificate (and a lot of other stuff), but the certificate is in its MIME encoded format.
  
 <code bash> <code bash>
-openssl s_client -servername SERVER -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates+printf 'quit\n' | \ 
 +openssl s_client -connect smtp.example.com:25 -starttls smtp
 </code> </code>
  
-SERVER - Name to checkMay be an alias for HOSTor may be the same +This basically makes a connection to smtp.example.com on port 25issuing a starttls, then sends the //quit// command which logs outThe openssl command retrieves the  the entire conversationwhich includes the certificateand displays it on the 
-HOST   - Actually who to contactMay be IPor an DNS name. May be same as SERVER +
-PORT   - Port to connect to (ie465 for smtp over SSL, 443 for https)+
  
-Return something like +You can do the same thing for other ports, like 587 for submission. If you want to test the SSL port (465), just remove the //-starttls smtp// from the command: 
-<code> + 
-notBefore=Jul 20 06:54:48 2019 GMT +<code bash
-notAfter=Oct 18 06:54:48 2019 GMT+printf 'quit\n' | \ 
 +openssl s_client -connect smtp.example.com:465
 </code> </code>
 +
 +If you want to test an IMAP server, you need to send it a different logout (the first line). To log out of it, you need //a1 logout// followed by a line return, so
 +
 +<code bash>
 +printf 'a1 logout\n' | \
 +openssl s_client -connect mail.example.com:143 -starttls imap
 +</code>
 +
 +Again, connecting to imaps (port 993), you just don't do the starttls
 +
 +<code bash>
 +printf 'a1 logout\n' | \
 +openssl s_client -connect mail.example.com:143 -starttls imap
 +</code>
 +
 +And, finally, to look at a web site certificate, use port 443, and simply a line return, but you need to put in the server name on systems which have more than one web site (virtual hosting). Do that with the //-servername// flag.
 +<code bash>
 +printf "\n" | \
 +openssl s_client -showcerts -servername web.example.com -connect web.example.com:443
 +</code>
 +
 +All the above is well and good, but it would be nice to decode the certificate, wouldn't it? Well, openssl has a command that will allow you to inspect a certificate using the //openssl x509// subcommand. For additional information, see //man openssl-x509//. We want the -noout flag to keep our dump clean (prevents the output of the encoded version of the certificate)
 +
 +==== Dump the certificate ====
 +
 +Turning the certificate into something a human can read is done with the command //-text// flag, so let's pipe the output of the previous command to that.
 +
 +<code bash>
 +printf 'quit\n' | \
 +openssl s_client -connect smtp.example.com:25 -starttls smtp | \
 +openssl x509 -text -noout
 +</code>
 +
 +If you want to find what names the certificate is valid for, they are on a line which contains the text DNS, so grepping the output of the above will give you what you need without reading the whole thing.
 +
 +<code bash>
 +printf 'quit\n' | \
 +openssl s_client -connect smtp.example.com:25 -starttls smtp | \
 +openssl x509 -text -noout | \
 +grep DNS
 +</code>
 +
 +==== Get Dates ====
 +
 +You could use //grep// to find the expiration date of a certificate
 +
 +<code bash>
 +printf 'quit\n' | \
 +openssl s_client -connect smtp.example.com:25 -starttls smtp | \
 +openssl x509 -text -noout | \
 +grep 'Not After :'
 +</code>
 +
 +But, the openssl x509 has a special flag for that, //-dates//, so it is simpler to write it as
 +
 +<code bash>
 +printf 'quit\n' | \
 +openssl s_client -connect smtp.example.com:25 -starttls smtp | \
 +openssl x509 -dates -noout
 +</code>
 +
 +==== Other ====
 +
 +Again, //man openssl-x509// gives you more than I'm showing here under the Display Options section, but just a brief list of some interesting flags.
 +-serial - the serial number of the certificate
 +-subject - Subject Name
 +-issuer - Issuer Name
 +-startdate - beginning date of certificate (notBefore)
 +-enddate - expiry date of certificate (notAfter)
 +
 +===== Links =====
 +
 +  * https://serverfault.com/questions/131627/how-to-inspect-remote-smtp-servers-tls-certificate#131628
 +  * https://stackoverflow.com/questions/13127352/how-to-check-subject-alternative-names-for-a-ssl-tls-certificate
 +
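Review bot: the imaps block introduced by "Again, connecting to imaps (port 993), you just don't do the starttls" still connects to mail.example.com:143 with -starttls imap, so it is an unchanged copy of the IMAP/STARTTLS block just above it; it should read `openssl s_client -connect mail.example.com:993` with the -starttls option dropped, the same way the 465 example drops it for SMTP. Two smaller points in the same hunk: the paragraph explaining the first command has a doubled "the" ("retrieves the the entire conversation") and stops mid-sentence at "displays it on the"; and since openssl x509 decodes only the first certificate in its input, the -text and -dates pipelines report the server's own (leaf) certificate, not the intermediates that -showcerts prints in the https example, which is worth saying so readers do not take the leaf's dates for the whole chain.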
quickreference/ssl.1565680839.txt.gz · Last modified: 2019/08/13 02:20 by rodolico