Verifying an SSL CA certificate

Whilst banging heads with an LDAP server recently, I needed a reliable way to verify that the SSL CA certificate I was using was the correct one for the certificate being returned by the server.

I came across this useful command after a search:

$ openssl s_client -connect ldap.example.com:636 \
    -CAfile /tmp/ca-bundle.crt -showcerts

This command will connect to the specific server and port (could be anything, in my case I’m using a secured LDAP server) and will use the specific certificate authority (/tmp/ca-bundle.crt) for verifying the certifcate returned by the server.

If the connection is established, it’s the correct/valid CA, if it doesn’t, the CA file is wrong and that’s probably why whatever you’re trying to debug is having issues connecting.

The other handy command I came across (thanks to SamatsWiki OpenSSL cheatsheet) is the following command which displays all the information, dates, stats, etc, relating to an ASCII format SSL certificate:

$ openssl x509 -in example.pem -noout -text

This is going to be a very handy command when I want to check when a certificate is going to expire without having to access the service itself to find out.

1 thought on “Verifying an SSL CA certificate

  1. Jethro Carr Post author

    Additional note, if you have a cert file and a CA cert file and want to ensure you’re using the correct one, the following will do a check against the files:

    openssl verify -verbose -CAfile cabundle.crt example.com.crt

    Reply

Leave a Reply