Navigating the openssl suite of subcommands is time consuming.

Here's my list of frequently used commands for easy reference:

Examining the certificates being offered by a host (replace imap/https with any service, -starttls imap can be eliminated if you are checking a service that provides tls from the start):

openssl s_client -starttls imap -showcerts -connect chavez.mayfirst.org:imap
openssl s_client -showcerts -connect chavez.mayfirst.org:https

Examine a certificate signing request:

openssl req -text -verify -noout -in /path/to/file.csr

Examine a x509 certificate:

openssl x509  -noout -text -purpose -in path/to/file.crt

RSS Atom

Certificate doesnt dump to STDOUT ... ?

Hi there,

The certificate doesnt seem to dump to STDOUT. Am i missing something ?

openssl s_client -starttls imap -showcerts -connect host.foo.bar:imaps

CONNECTED(00000003)

Thanks

-Alex

Comment by Anonymous — Sun 29 May 2011 09:53:24 PM EDT

GnuTLS

I usually prefer gnutls_cli to test SSL connexions:its STARTTLS one is universal, meaning that it can be used with any protocol, requiring no specific adaptation. It works by letting you tell when to start TLS by issuing an EOF (^D). And it supports IPv6.

In addition, but this is a bit off-topic, I also use rlwrapper, that provides readline features (line editing or recall) to text tools such as netcat or gnutls_cli.

Comment by Anonymous — Mon 30 May 2011 02:29:30 AM EDT

comment 3

I know this is way different from a command-line tool, but the Qualsys SSL Test is pretty good if you need to debug certificate chain issues and the like.

Comment by Anonymous — Mon 30 May 2011 05:51:27 AM EDT

either starttls or imaps but not both

Hi Alex,

I think you want either:

openssl s_client -starttls imap -showcerts -connect host.foo.bar:imap

openssl s_client -showcerts -connect host.foo.bar:imaps