howtouselinux

Check SSL Certificate with OpenSSL


OpenSSL is an open-source command-line tool that is commonly used to generate private keys, create CSRs, install our SSL/TLS certificate, and identify certificate information. This quick reference can help us understand the most common OpenSSL commands and how to use them.

How to get an SSL Certificate

  • generate a key pair
  • use this key pair to generate a certificate signing request (CSR) that contains the public key and domain name of our website
  • upload the request to a certificate authority or generate a self-signed certificate
  • download the certificate and install it on our web server along with the key pair


If you need a free SSL certificate for your website, Elementor Cloud Website is a great option. They offer fast speeds, good uptime, and excellent customer support. It is an end-to-end solution that gives you everything you need in one place for your website: web hosting on Google Cloud + SSL certificate + WordPress + website builder + templates.

We recommend using Elementor Cloud Website. It is very easy to start. You can get your website online in minutes. The price is $99 for one year. Plus, they offer a 30-day money-back guarantee, so you can try it out with no risk.

Elementor Cloud Website Features

  • Built-in hosting from Google Cloud Platform
  • Secure CDN by Cloudflare
  • Free SSL certification by Cloudflare
  • 20 GB storage
  • 100 GB bandwidth
  • 100K monthly visits
  • Free custom domain connection
  • Free subdomain under elementor.cloud
  • Automatic backups once every 24 hours
  • Manual backups from My Elementor account
  • You also get all the benefits of Elementor Pro, including the drag & drop editor, all Pro widgets, features, kits and templates. PLUS, you get support for everything, from the Editor to Hosting, all in one place.

Why should we choose a paid SSL certificate?

Type of SSL Certificate
Free SSL certificates only come with a Domain Validation (DV) option. DV certificates provide only a basic level of authentication and are usually used for small websites and blogs. Free SSL certificates do not offer Organization Validation (OV) or Extended Validation (EV) certificates, whereas paid SSL certificates do come with OV & EV options, which are absolutely necessary for protecting business websites.

Level of Validation
When it comes to verifying a website owner’s business details before issuing a free certificate, the CA does not validate anything apart from the identity of the website owner. In the case of paid SSL certificates, verification of the identity of the website owner is a must before the certificate is issued, and in the case of OV & EV certificates, in-depth verification of the business is carried out by the certificate authority (CA).

Validity Period
Free SSL certificates provided by popular CAs are issued for 30-90 days. As a result, the website proprietor must renew the certificate every 30-90 days. In the case of paid certificates, they can be issued for a period of 1-2 years.

Support
The certificate authorities (CAs) and resellers of paid certificates are committed to providing round-the-clock support to their customers. Those customers get to choose whichever type of support they want, whether it is chat, email or phone. On the other hand, free CAs don’t assist their customers with such support because they can’t afford to. If you need help with an issue regarding a free SSL certificate, you’re going to have to sift through a bunch of old forum posts to find it.

How to choose an SSL certificate

When choosing an SSL certificate, it is important to consider the type of encryption that is used. RSA is more widely used, but ECDSA is becoming increasingly popular due to its security features.

Another important factor to consider is the length of the certificate’s signature. The longer the signature, the more secure the connection will be. However, longer signatures can also lead to slower performance.

Finally, you should also consider the price of the SSL certificate. In most cases, you can find a good SSL certificate for a reasonable price. comodosslstore is a great choice to get an SSL certificate. Comodo is a world-class Certificate Authority with a long history of innovation within the Certificate Authority space. They actually founded the CA/B Forum, the governing body for all Certificate Authorities and Browsers with regard to SSL.

Generate Private Key and CSR

We can use the following two commands to generate a private key and a CSR.

  • openssl genrsa -out privateKey.key 2048
  • openssl req -new -key privateKey.key -out CSR.csr

Then we need to input the following info to generate the CSR.

  • Country Name: two-letter country code where our organization is legally located.
  • State/Province: Write the full name of the state where the organization is legally located.
  • City: Write the full name of the city where our organization is legally located.
  • Organization Name: Write the legal name of our organization.
  • Organization Unit: Name of the department
  • Common Name: Fully Qualified Domain Name

Generate Private key and CSR with one command

We can also use the following command to generate the CSR and private key in a single command (the -subj option supplies the subject fields non-interactively, and -nodes leaves the private key unencrypted):

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key -subj "/C=US/ST=Florida/L=Saint Petersburg/O=Your Company, Inc./OU=IT/CN=yourdomain.com"


Generate a self-signed certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

Purpose of the CSR file, key file and certificate file

We should use the CSR file to request our SSL certificate from a Certificate Authority. Make sure we copy the entire text.

Certificate.crt and intermediate.crt should be concatenated into a certificate file bundle and stored on the server. privateKey.key should also be stored on the server.

root.crt should be stored on the client so the client can verify that the server’s leaf certificate was signed by a chain of certificates linked to its trusted root certificate.

Check SSL certificate with OpenSSL Command

  • Check Private key info: openssl rsa -text -in privateKey.key -noout
  • Check CSR info: openssl req -text -in CSR.csr -noout
  • View SSL certificate info: openssl x509 -text -in certificate.crt -noout

Example:

openssl x509 -in hydssl.cer -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:01:6e:fb:0a:20:5c:fa:eb:e1:8f:71:d7:3a:bb:78
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA
        Validity
            Not Before: Dec 12 16:56:15 2019 GMT
            Not After : Dec 12 16:56:15 2029 GMT
        Subject: C=US, O=IdenTrust, OU=HydrantID Trusted Certificate Service, CN=HydrantID Server CA O1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ea:1b:99:6c:35:56:30:68:fb:5d:b1:59:41:69:

Check who has issued the SSL certificate:

$ echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer
issuer= /C=US/O=Let's Encrypt/CN=R3

Check whom the SSL certificate is issued to:

$ echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -subject
subject= /CN=www.howtouselinux.com

Check for what dates the SSL certificate is valid:

$ echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Aug 8 04:49:59 2021 GMT
notAfter=Nov 6 04:49:57 2021 GMT

Show all of the above information about the SSL certificate:

$ echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
issuer= /C=US/O=Let's Encrypt/CN=R3
subject= /CN=howtouselinux.com
notBefore=Aug 8 04:49:59 2021 GMT
notAfter=Nov 6 04:49:57 2021 GMT

Show the SHA1 fingerprint of the SSL certificate:

$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -fingerprint
SHA1 Fingerprint=52:DA:6A:D5:81:A8:6C:20:6A:16:EE:2E:A2:19:7A:C6:E7:A2:3E:87

Extract all information from the SSL certificate (decoded)

$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:86:f4:63:3d:34:50:a8:47:cc:f7:99:10:1f:79:1c:21:c8
        Signature Algorithm: sha256WithRSAEncryption
[…]

Show the SSL certificate itself (encoded):

$ echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509
-----BEGIN CERTIFICATE-----
MIIFGDCCBACgAwIBAgISA4b0Yz00UKhHzPeZEB95HCHIMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAzMTgxMDU1MDBaFw0x
[…]

Check SSL Certificate expiration date

  • openssl s_client -servername SERVER_NAME -connect SERVER_NAME:PORT| openssl x509 -noout -dates
  • echo | openssl s_client -servername SERVER_NAME -connect SERVER_NAME:PORT | openssl x509 -noout -dates
  • openssl x509 -enddate -noout -in /path/to/my/my.pem

Example:

openssl x509 -dates -noout -in hydssl.cer
notBefore=Dec 12 16:56:15 2019 GMT
notAfter=Dec 12 16:56:15 2029 GMT
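The summary that `openssl x509 -noout -issuer -subject -dates` prints is what a monitoring job usually consumes to answer "who issued this, is it for our host, and how long until it expires". The script below is an added example written for this page, not code from howtouselinux or from OpenSSL. It parses the slash-delimited DN format and the `Nov  6 04:49:57 2021 GMT` date format exactly as shown in the output above (the sample text embedded in it is constructed from that output), then reports the issuer organization, whether the subject CN covers the hostname we connected to, the days left, and an expiry status. The function names and the 30-day warning threshold are my own choices.

```python
"""Turn `openssl x509 -noout -issuer -subject -dates` output into a check.

Added example for this page (not howtouselinux's or OpenSSL's code). The
sample output below is constructed to match the format shown on the page.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: what the page's pipeline printed for its own site.
SAMPLE_OUTPUT = """\
issuer= /C=US/O=Let's Encrypt/CN=R3
subject= /CN=howtouselinux.com
notBefore=Aug  8 04:49:59 2021 GMT
notAfter=Nov  6 04:49:57 2021 GMT
"""

# OpenSSL prints validity times as "Mon dd HH:MM:SS YYYY GMT", space-padding
# single-digit days. strptime treats a space in the format as "one or more
# spaces", so the padding is handled without extra work.
OPENSSL_DATE_FORMAT = "%b %d %H:%M:%S %Y %Z"


def parse_dn(dn):
    """Split a slash-delimited DN ("/C=US/O=Let's Encrypt/CN=R3") into a dict.

    This is the same format `openssl req -subj` accepts. Values containing a
    literal "/" would need escaping; the page's examples have none.
    """
    fields = {}
    for part in dn.strip().lstrip("/").split("/"):
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def parse_openssl_date(text):
    """Parse an OpenSSL validity timestamp into an aware UTC datetime.

    %Z accepts the literal "GMT" but strptime still returns a naive value,
    so the UTC tzinfo is attached explicitly.
    """
    return datetime.strptime(text.strip(), OPENSSL_DATE_FORMAT).replace(tzinfo=timezone.utc)


def parse_x509_summary(output):
    """Return {'issuer': dict, 'subject': dict, 'notBefore': dt, 'notAfter': dt}."""
    summary = {}
    for line in output.splitlines():
        key, _, value = line.strip().partition("=")
        key = key.strip()
        if key in ("issuer", "subject"):
            summary[key] = parse_dn(value)
        elif key in ("notBefore", "notAfter"):
            summary[key] = parse_openssl_date(value)
    return summary


def cn_matches_host(cn, hostname):
    """True if the subject CN (optionally a single-label wildcard) covers hostname.

    Browsers match against Subject Alternative Names rather than the CN; the
    CN is what the page's -subject output shows, so that is what is checked here.
    """
    cn, hostname = cn.lower(), hostname.lower()
    if cn.startswith("*."):
        labels = hostname.split(".")
        # "*.example.com" covers "www.example.com" but not "example.com" itself.
        return len(labels) > 1 and ".".join(labels[1:]) == cn[2:]
    return cn == hostname


def expiry_status(not_before, not_after, now, warn_days=30):
    """Classify the validity window relative to `now`."""
    if now < not_before:
        return "NOT_YET_VALID"
    if now >= not_after:
        return "EXPIRED"
    if not_after - now <= timedelta(days=warn_days):
        return "EXPIRING_SOON"
    return "OK"


def check_certificate(output, hostname, now, warn_days=30):
    """Run the checks a monitoring job would run on one certificate summary."""
    summary = parse_x509_summary(output)
    cn = summary["subject"].get("CN", "")
    return {
        "issuer_org": summary["issuer"].get("O"),
        "subject_cn": cn,
        "hostname_ok": cn_matches_host(cn, hostname),
        "days_left": (summary["notAfter"] - now).days,
        "status": expiry_status(summary["notBefore"], summary["notAfter"], now, warn_days),
    }


if __name__ == "__main__":
    # `now` is pinned so the run is reproducible; a real job uses datetime.now(timezone.utc).
    report = check_certificate(SAMPLE_OUTPUT, "howtouselinux.com",
                               datetime(2021, 10, 1, tzinfo=timezone.utc))
    for name, value in report.items():
        print(f"{name}: {value}")
```

In practice you feed it the live pipeline (`echo | openssl s_client ... | openssl x509 -noout -issuer -subject -dates`) via `subprocess.run` or a pipe, and alert on anything other than `OK` with `hostname_ok` true. Note that OpenSSL 1.1.1 and later print DNs as `issuer=C = US, O = Let's Encrypt, CN = R3` by default; this parser expects the slash form shown on the page, so pass `-nameopt oneline` or adjust `parse_dn` when running against a newer release.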


Verify the Keys Match

To verify the public and private keys match, extract the public key from each file and generate a hash output for it. All three files should share the same public key and the same hash value.

Use the following commands to generate a hash of each file’s public key:

  • openssl pkey -pubout -in privateKey.key | openssl sha256
  • openssl req -pubkey -in CSR.csr -noout | openssl sha256
  • openssl x509 -pubkey -in certificate.crt -noout | openssl sha256
