
SSL Quick Reference

Get Certificate from remote host

Ever wondered when your SMTP SSL Certificates are up for renewal? What DNS entries your certificates have? A quick and dirty way of doing it from the command line was shown at

Note: the discussions covered other things, and are well worth a 5 minute read.

This is a quick and dirty command that will get the certificate (and a lot of other stuff), but the certificate comes back in its encoded (PEM, base64) form rather than decoded.

printf 'quit\n' | \
openssl s_client -connect smtp.example.com:25 -starttls smtp

This basically makes a connection to smtp.example.com on port 25, issues a STARTTLS, then sends the quit command which logs out. The openssl command retrieves the entire conversation, which includes the certificate, and displays it on the

You can do the same thing for other ports, like 587 for submission. If you want to test the SSL port (465), just remove the -starttls smtp from the command:

printf 'quit\n' | \
openssl s_client -connect smtp.example.com:465

If you want to test an IMAP server, you need to send it a different logout command (the first line of the pipeline). To log out of IMAP you send a1 logout followed by a line return, so

printf 'a1 logout\n' | \
openssl s_client -connect mail.example.com:143 -starttls imap

Again, for imaps (port 993) you just drop the -starttls imap and connect to port 993 instead:

printf 'a1 logout\n' | \
openssl s_client -connect mail.example.com:993

And, finally, to look at a web site certificate, use port 443 and send just a line return. On systems which host more than one web site (virtual hosting) you also need to tell the server which site you want, otherwise you may get the default site's certificate. Do that with the -servername flag.

printf "\n" | \
openssl s_client -showcerts -servername web.example.com -connect web.example.com:443

All the above is well and good, but it would be nice to decode the certificate, wouldn't it? openssl can inspect a certificate with its x509 subcommand; see man openssl-x509 for the full list of options. We want the -noout flag to keep our dump clean (it suppresses the output of the encoded certificate itself).

Dump the certificate

Turning the certificate into something a human can read is done with the -text flag, so let's pipe the output of the previous command into that.

printf 'quit\n' | \
openssl s_client -connect smtp.example.com:25 -starttls smtp | \
openssl x509 -text -noout

If you want to find what names the certificate is valid for, they are on a line which contains the text DNS, so grepping the output of the above will give you what you need without reading the whole thing.

printf 'quit\n' | \
openssl s_client -connect smtp.example.com:25 -starttls smtp | \
openssl x509 -text -noout | \
grep DNS

Get Dates

You could use grep to find the expiration date of a certificate

printf 'quit\n' | \
openssl s_client -connect smtp.example.com:25 -starttls smtp | \
openssl x509 -text -noout | \
grep 'Not After :'

But openssl x509 has a special flag for that, -dates, so it is simpler to write it as

printf 'quit\n' | \
openssl s_client -connect smtp.example.com:25 -starttls smtp | \
openssl x509 -dates -noout
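The pipelines above (fetching a certificate with s_client, listing its DNS names, and checking its dates) wrapped into reusable shell functions. This is an added example, not part of the original page. It assumes only the openssl CLI (1.1.1 or newer, for -addext) and a POSIX shell; it builds a constructed self-signed certificate so the name and date checks run offline, and uses openssl x509 -checkend (which exits non-zero when the certificate expires inside the given window) instead of parsing the Not After date by hand. fetch_cert is the live, network-using variant of the page's commands and is defined but not called.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the openssl CLI (>= 1.1.1)
# and a POSIX shell; everything below except fetch_cert runs offline.
set -eu

WORK="${TMPDIR:-/tmp}/certcheck.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed test certificate: self-signed, valid 30 days, two SAN names.
# Prints the path of the PEM file.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=mail.example.com" \
        -addext "subjectAltName=DNS:mail.example.com,DNS:smtp.example.com" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    printf '%s\n' "$WORK/cert.pem"
}

# Live variant of the page's s_client pipelines (needs network; not run here).
# fetch_cert HOST PORT [PROTO]: PROTO is the STARTTLS protocol (smtp, imap)
# or empty for an implicit-TLS port such as 465, 993 or 443.
# Prints the server's leaf certificate as PEM.
fetch_cert() {
    host=$1; port=$2; proto=${3:-}
    case $proto in
        smtp) bye='quit' ;;        # SMTP logout, as on the page
        imap) bye='a1 logout' ;;   # IMAP logout, as on the page
        *)    bye='' ;;            # just a line return for HTTPS/implicit TLS
    esac
    if [ -n "$proto" ]; then set -- -starttls "$proto"; else set --; fi
    # -servername sends SNI so virtual-hosted servers return the right cert;
    # 2>/dev/null drops the handshake chatter; openssl x509 keeps only the PEM.
    printf '%s\n' "$bye" | openssl s_client -connect "$host:$port" \
        -servername "$host" "$@" 2>/dev/null | openssl x509
}

# DNS names the certificate is valid for (subjectAltName), one per line.
# Same idea as the page's "grep DNS", trimmed down to the names themselves.
cert_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# notBefore/notAfter lines, i.e. the page's -dates flag.
cert_dates() {
    openssl x509 -in "$1" -noout -dates
}

# cert_expires_within FILE DAYS: succeeds (exit 0) if the certificate expires
# within the next DAYS days. openssl's -checkend exits 0 when the certificate
# is still valid after that window, so the sense is inverted to read well in an if.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )); then
        return 1
    fi
    return 0
}

# Demo on the constructed certificate (a real run would use
# CERT=$(fetch_cert smtp.example.com 25 smtp > "$WORK/live.pem"; echo "$WORK/live.pem")).
CERT=$(make_test_cert)
echo "Certificate is valid for:"
cert_names "$CERT"
cert_dates "$CERT"
if cert_expires_within "$CERT" 60; then
    echo "renew soon: certificate expires within 60 days"
fi
```

The renewal check is the piece worth putting in cron: a 30-day certificate trips the 60-day window but not a 7-day one, so a job that runs cert_expires_within with your own threshold and mails on success gives the "when is it up for renewal" answer without anyone reading the -text dump.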

Other

Again, man openssl-x509 gives you more than I'm showing here under the Display Options section, but here is a brief list of some interesting flags:

-serial - the serial number of the certificate
-subject - Subject Name
-issuer - Issuer Name
-startdate - beginning date of certificate (notBefore)
-enddate - expiry date of certificate (notAfter)

quickreference/ssl.txt · Last modified: 2024/03/04 16:03 by rodolico