In general, in the commands below, no errors being output means there
are no problems with file formats, connections, handshakes, etc. Seeing
OK is definitely a good thing.
Note that any pipe to awk/grep/sed/etc. below can be removed to yield additional information you might find useful!
Verify that pubkey.crt is in PEM format.
openssl x509 -in pubkey.crt -nooutPrint information about pubkey.crt.
openssl x509 -in ~/pubkey.pem -textVerify that the signing CA chain rootCA.crt signed the
public key certificate pubkey.crt.
openssl verify -verbose -CAfile rootCA.crt pubkey.crtPrint each certificate in the certificate chain
chain.crt successively in PEM format.
openssl crl2pkcs7 -nocrl -certfile chain.crt \
| openssl pkcs7 -print_certs -text \
| awk '/-----BEGIN CERTIFICATE-----/ { x = 1; } x { print $0; } /-----END CERTIFICATE-----/ { x = 0; }'Print the issuer information and fingerprint of each certificate in
the chain chain.crt.
openssl crl2pkcs7 -nocrl -certfile chain.crt \
| openssl pkcs7 -print_certs -text \
| grep -A 1 '\(Serial\|Issuer:\)' \
| grep -v '\(Valid\|^--\)' \
| sed -E -e 's/^[[:space:]]+//' \
| awk '/^Serial/ { printf "\n"; } { print $0; }'; echoSee if a TLS handshake to a given domain succeeds.
echo | openssl s_client -connect facebook.com:443 | grep Verification