Check certificate on a server
Wednesday, 4 June 2014, 18:26 - Knowledge, OpenSSL - Posted by Administrator
Issue the following command:
openssl s_client -CApath /etc/ssl/certs/ -connect <host.domain.tld>:993
To test a mail server that accepts both unencrypted and encrypted (TLS) connections using the STARTTLS method:
openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -connect <host.domain.tld>:25
Near the end of the command output, you should see:
Verify return code: 0 (ok)
just before the server's greeting message, if there is one.
A bit above, you can check the certificate chain completeness:
Certificate chain
 0 s:/description=3UwjnK9kRZ2wUo8e/C=CH/CN=domain1.ownspace.ch/emailAddress=hostmaster@ownspace.ch
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
The last i(ssuer) is the root certificate, which most clients will trust.
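The two checks described above (a verify return code of 0, and a chain in which each issuer is the subject of the next certificate) can be scripted. The shell function below is an added example, not part of the original post; check_chain, sample_ok and sample_broken are hypothetical names, and the sample s_client output is constructed with placeholder names.

```shell
#!/bin/sh
# Added example. check_chain reads `openssl s_client` output on stdin and
# succeeds only if the verify return code is 0 and each issuer (i:) line
# matches the subject (s:) of the next certificate in the chain.
check_chain() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ {
            subj = $0; sub(/^ *[0-9]+ s:/, "", subj)
            if (n > 0 && subj != issuer) { print "chain break before: " subj; bad = 1 }
            n++
        }
        in_chain && /^ *i:/ { issuer = $0; sub(/^ *i:/, "", issuer) }
        /Verify return code:/ {
            seen = 1; code = $0; sub(/.*Verify return code: */, "", code)
            if (code !~ /^0 /) { print "verify failed: " code; bad = 1 }
        }
        END {
            if (n == 0) { print "no certificate chain found"; bad = 1 }
            if (!seen)  { print "no verify return code found"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample output (names are placeholders, not from a real server).
sample_ok() {
    cat <<'EOF'
---
Certificate chain
 0 s:/C=CH/CN=mail.example.org
   i:/C=XX/O=Example CA/CN=Example Intermediate CA
 1 s:/C=XX/O=Example CA/CN=Example Intermediate CA
   i:/C=XX/O=Example CA/CN=Example Root CA
---
    Verify return code: 0 (ok)
---
EOF
}

# Constructed failure: the server sends an intermediate that did not issue cert 0.
sample_broken() {
    sample_ok | sed -e '/^ 1 s:/s/Example Intermediate CA/Other Intermediate CA/' \
        -e 's/Verify return code: 0 (ok)/Verify return code: 21 (unable to verify the first certificate)/'
}

sample_ok | check_chain && echo "sample_ok: chain complete and verified"
sample_broken | check_chain || echo "sample_broken: rejected"
```

To run it against a live server, pipe either command from this page into check_chain, redirecting stdin from /dev/null so that s_client exits after the handshake.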