User Tools

Site Tools


quickreference:unix

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
quickreference:unix [2023/10/19 17:32] – [Rename Server] rodolicoquickreference:unix [2024/03/04 15:54] (current) rodolico
Line 71: Line 71:
 </code> </code>
  
-==== Check SSL Cert Expiration Date ==== 
  
-Ever wondered when your SMTP SSL Certificates are up for renewal? What DNS entries your certificates have? A quick and dirty way of doing it from the command line was shown at [https://serverfault.com/questions/131627/how-to-inspect-remote-smtp-servers-tls-certificate#131628] and [https://stackoverflow.com/questions/13127352/how-to-check-subject-alternative-names-for-a-ssl-tls-certificate] 
- 
-Note: the discussions covered other things, and are well worth a 5 minute read. 
- 
-This is a quick and dirty that will get the certificate (and a lot of other stuff), but the certificate is in its MIME encoded format. 
- 
-<code bash> 
-printf 'quit\n' | \ 
-openssl s_client -connect smtp.example.com:25 -starttls smtp 
-</code> 
- 
-This basically makes a connection to smtp.example.com on port 25, issuing a starttls, then sends the //quit// command which logs out. The openssl command retrieves the  the entire conversation, which includes the certificate, and displays it on the  
- 
-You can do the same thing for other ports, like 587 for submission. If you want to test the SSL port (465), just remove the //-starttls smtp// from the command: 
- 
-<code bash> 
-printf 'quit\n' | \ 
-openssl s_client -connect smtp.example.com:465 
-</code> 
- 
-If you want to test an IMAP server, you need to send it a different logout (the first line). To log out of it, you need //a1 logout// followed by a line return, so 
- 
-<code bash> 
-printf 'a1 logout\n' | \ 
-openssl s_client -connect mail.example.com:143 -starttls imap 
-</code> 
- 
-Again, connecting to imaps (port 993), you just don't do the starttls 
- 
-<code bash> 
-printf 'a1 logout\n' | \ 
-openssl s_client -connect mail.example.com:143 -starttls imap 
-</code> 
- 
-And, finally, to look at a web site certificate, use port 443, and simply a line return, but you need to put in the server name on systems which have more than one web site (virtual hosting). Do that with the //-servername// flag. 
-<code bash> 
-printf "\n" | \ 
-openssl s_client -showcerts -servername web.example.com -connect web.example.com:443 
-</code> 
- 
-All the above is well and good, but it would be nice to decode the certificate, wouldn't it? Well, openssl has a command that will allow you to inspect a certificate using the //openssl x509// subcommand. For additional information, see //man openssl-x509//. We want the -noout flag to keep our dump clean (prevents the output of the encoded version of the certificate) 
- 
-=== Dump the certificate === 
- 
-Turning the certificate into something a human can read is done with the command //-text// flag, so let's pipe the output of the previous command to that. 
- 
-<code bash> 
-printf 'quit\n' | \ 
-openssl s_client -connect smtp.example.com:25 -starttls smtp | \ 
-openssl x509 -text -noout 
-</code> 
- 
-If you want to find what names the certificate is valid for, they are on a line which contains the text DNS, so grepping the output of the above will give you what you need without reading the whole thing. 
- 
-<code bash> 
-printf 'quit\n' | \ 
-openssl s_client -connect smtp.example.com:25 -starttls smtp | \ 
-openssl x509 -text -noout | \ 
-grep DNS 
-</code> 
- 
-=== Get Dates === 
- 
-You could use //grep// to find the expiration date of a certificate 
- 
-<code bash> 
-printf 'quit\n' | \ 
-openssl s_client -connect smtp.example.com:25 -starttls smtp | \ 
-openssl x509 -text -noout | \ 
-grep 'Not After :' 
-</code> 
- 
-But, the openssl x509 has a special flag for that, //-dates//, so it is simpler to write it as 
- 
-<code bash> 
-printf 'quit\n' | \ 
-openssl s_client -connect smtp.example.com:25 -starttls smtp | \ 
-openssl x509 -dates -noout 
-</code> 
- 
-=== Other === 
- 
-Again, //man openssl-x509// gives you more than I'm showing here under the Display Options section, but just a brief list of some interesting flags. 
--serial - the serial number of the certificate 
--subject - Subject Name 
--issuer - Issuer Name 
--startdate - beginning date of certificate (notBefore) 
--enddate - expiry date of certificate (notAfter) 
 ==== Rename Server ==== ==== Rename Server ====
  
quickreference/unix.txt · Last modified: 2024/03/04 15:54 by rodolico