Examine SSL certificate on the command line

This is more for my documentation than anyone else's, but you might find it useful.

To examine an SSL certificate (for use on a secured web server) from the command line, use this command:

openssl x509 -in filename.crt -noout -text

  • Greg

    Another useful trick — use these to confirm you have the right key and cert file pair:

    openssl x509 -noout -text -in certfile -modulus | md5

    openssl rsa -noout -text -in keyfile -modulus | md5

    If the md5's match, you're good to go.

  • augmentedfourth

    Interesting… thanks! I always just check by loading the site in Firefox, but that's way more efficient.

  • Ryan Kovar

    Also useful for maintenance to throw a Nagios check against it… I think check_http -C %how long of a warning you want before the cert expires%

  • Matt


    Wow, nice! That's a great trick. Thanks for the comment!

  • Ronald

    Tip on Greg’s statement:

    In order to get a good modulus on checking the .crt and the .key files, leave off the “-text” option.
    Additionally, openssl can be used to md5 the modulus too:

    openssl x509 -noout -in server.crt -modulus | openssl md5
    openssl rsa -noout -in server.key -modulus | openssl md5
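
The key/certificate pair check and the expiry warning from the comments above, wrapped as a script; this is an added example, not code from the post or its commenters. It generalizes the modulus comparison by comparing the full public key, so it also works for EC keys, which have no RSA modulus. The function names, file names and the CN=example.test sample certificates are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or its comments.

# Exit 0 only if the certificate's public key equals the public key derived
# from the private key (RSA or EC). Exit 1 = mismatch, 2 = a file did not parse.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if the certificate is still valid $2 days from now (same idea as
# the expiry warning threshold of the monitoring check mentioned above).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Constructed sample input: write a throwaway key and a self-signed
# certificate valid for $4 days to $1/$2.key and $1/$2.crt.
# $3 is "rsa" or "ec"; CN=example.test is a placeholder name.
make_sample_pair() {
    case "$3" in
        rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
                 -out "$1/$2.key" 2>/dev/null ;;
        ec)  openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key" ;;
        *)   return 1 ;;
    esac || return 1
    openssl req -x509 -new -key "$1/$2.key" -subj "/CN=example.test" \
        -days "$4" -out "$1/$2.crt" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_pair "$dir" web rsa 30 || return 1
    make_sample_pair "$dir" api ec 30 || return 1
    for key in web api; do
        if cert_matches_key "$dir/web.crt" "$dir/$key.key"; then
            echo "web.crt + $key.key: match"
        else
            echo "web.crt + $key.key: MISMATCH"
        fi
    done
    cert_valid_for_days "$dir/web.crt" 60 || echo "web.crt expires within 60 days"
    rm -rf "$dir"
}
demo
```

Because each openssl call's exit status is checked before the comparison, an unreadable file returns 2 and is never reported as a match.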