view the details of a CSR using opessl

openssl req -noout -text -in server.csr openssl x509 -text

Get SSL Cert info

echo "" | /usr/bin/openssl s_client -connect <HOST>:<SSLPORT> -showcerts 2>/dev/null

  • get the base64 encoded section for the cert in question (probably the first one). Save this to a file (Cert.txt)

You can display the contents of a PEM formatted certificate under Linux, using openssl:

openssl x509 -in cert.pem -text

testing supported ssl version

echo "" | /usr/bin/openssl s_client -connect <fqdn>:<port> -no_tls1 -no_ssl2 -no_ssl3 -no_tls1_1 options for above

  • ssl2/-ssl3/-tls1_2/-tls1_1/-tls1/-dtls1 – ONLY use the listed protocol
  • no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - TURN OFF the listed protocol(s)

Verify CSR

openssl req -in mycsr.csr -noout -text openssl req -text -noout -verify -in cert.csr openssl x509 -in *.cer -text -noout

Verify that the CER, KEY, & CSR all have matching MD5

For a quick check you can just compare the *.cer & the *.csr

/usr/bin/openssl x509 -noout -modulus -in *.cer | /usr/bin/openssl md5
/usr/bin/openssl rsa -noout -modulus -in *.key | /usr/bin/openssl md5
/usr/bin/openssl req -noout -modulus -in *.csr | /usr/bin/openssl md5

Get The AltDNS Names of a cert

openssl s_client -connect | openssl x509 -noout -text | grep DNS: