Navigating the openssl suite of subcommands is time-consuming.

Here's my list of frequently used commands for easy reference:

Examine the certificates offered by a host (replace imap/https with any service; omit -starttls imap when checking a service that provides TLS from the start):

openssl s_client -starttls imap -showcerts -connect chavez.mayfirst.org:imap
openssl s_client -showcerts -connect chavez.mayfirst.org:https

Examine a certificate signing request:

openssl req -text -verify -noout -in /path/to/file.csr

Examine an x509 certificate:

openssl x509 -noout -text -purpose -in path/to/file.crt
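
Added example (not part of the original post): with -showcerts, s_client prints every certificate in the chain as PEM and then prints the server's own certificate a second time under "Server certificate". This sketch splits only the chain section into one file per certificate so each can be examined with openssl x509; the function names and the sample output are constructed for illustration.

```shell
# split_chain DIR: read `openssl s_client -showcerts` output on stdin and write
# DIR/cert-N.pem per chain certificate (0 = the server's own); prints the count.
split_chain() {
    mkdir -p "$1" || return 1
    awk -v dir="$1" '
        /^Certificate chain/  { chain = 1 }
        # s_client repeats the leaf PEM under "Server certificate"; skip that copy.
        /^Server certificate/ { chain = 0 }
        chain && /^-----BEGIN CERTIFICATE-----/ {
            out = sprintf("%s/cert-%d.pem", dir, n); inside = 1
        }
        inside { print > out }
        inside && /^-----END CERTIFICATE-----/ { close(out); n++; inside = 0 }
        END { print n + 0 }
    '
}

# summarize_chain DIR: subject, issuer and validity dates of each split file.
summarize_chain() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        echo "== $f"
        openssl x509 -noout -subject -issuer -dates -in "$f"
    done
}

# Constructed sample; bodies are placeholders, so it exercises split_chain only.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=host.foo.bar
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER+LEAF+NOT+A+REAL+CERT
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER+INTERMEDIATE+NOT+A+REAL+CERT
-----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
PLACEHOLDER+LEAF+NOT+A+REAL+CERT
-----END CERTIFICATE-----
EOF
}
```

Against a live host, pipe `openssl s_client -showcerts -connect host.foo.bar:imaps </dev/null 2>/dev/null` into `split_chain ./chain`, then run `summarize_chain ./chain`; redirecting stdin from /dev/null makes s_client exit once the handshake output has been printed.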

Hi there,

The certificate doesn't seem to dump to STDOUT. Am I missing something?

openssl s_client -starttls imap -showcerts -connect host.foo.bar:imaps

CONNECTED(00000003)

Thanks

-Alex

Comment by Anonymous Sun 29 May 2011 09:53:24 PM EDT

I usually prefer gnutls_cli to test SSL connexions: its STARTTLS one is universal, meaning that it can be used with any protocol, requiring no specific adaptation. It works by letting you tell when to start TLS by issuing an EOF (^D). And it supports IPv6.

In addition, but this is a bit off-topic, I also use rlwrapper, that provides readline features (line editing or recall) to text tools such as netcat or gnutls_cli.

Comment by Anonymous Mon 30 May 2011 02:29:30 AM EDT

I know this is way different from a command-line tool, but the Qualys SSL Test is pretty good if you need to debug certificate chain issues and the like.

Comment by Anonymous Mon 30 May 2011 05:51:27 AM EDT

Hi Alex,

I think you want either:

openssl s_client -starttls imap -showcerts -connect host.foo.bar:imap

Or

openssl s_client -showcerts -connect host.foo.bar:imaps

Comment by jamie [id.mayfirst.org] Tue 31 May 2011 10:01:12 AM EDT

GNUTLS also has the benefit of not being under a terrible license.

Comment by Anonymous Sat 04 Jun 2011 10:16:09 AM EDT