TLS (Transport Layer Security) is the successor of SSL (Secure Sockets Layer); the name SSL is still used informally for both.
Get the server certificate chain (add -servername <HOST> when the server selects its certificate by SNI, otherwise you may be shown a default certificate):
echo -n | openssl s_client -connect <HOST>:443 -showcerts
Save the server certificate (the first one in the chain) to a file, PEM or DER. openssl x509 reads only the first certificate from its input, so the rest of the chain is dropped:
# PEM
echo -n | openssl s_client -connect <HOST>:443 -showcerts | openssl x509 -out cert.pem
# DER
echo -n | openssl s_client -connect <HOST>:443 -showcerts | openssl x509 -out cert.der -outform der
Show certificate information:
# PEM
openssl x509 -in cert.pem -text -noout
# DER
openssl x509 -in cert.der -text -noout -inform DER
Certificate fingerprints (use SHA-256 for pinning and comparison; SHA-1 and MD5 only to match values printed by legacy tools, as neither is collision resistant):
openssl x509 -in cert.pem -noout -fingerprint -sha256
openssl x509 -in cert.pem -noout -fingerprint -sha1
openssl x509 -in cert.pem -noout -fingerprint -md5
Convert DER to PEM:
openssl x509 -inform der -in cert.der -out cert.pem
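The certificate commands above exercised offline, as an added example that is not part of the original note: two self-signed certificates generated on the spot stand in for the server certificate and its chain, so no <HOST> is contacted. It shows that openssl x509 keeps only the first certificate of a bundle, that the PEM/DER round trip is lossless and both encodings give the same SHA-256 fingerprint, and, going one step beyond the note, a pin check of a certificate against a stored fingerprint. All file names, CNs and the stand-in chain are made up for the demo; it assumes openssl 1.1.1 or newer (with its default openssl.cnf) on PATH.

```shell
# Added example (not from the original note): exercise the certificate commands
# above offline. Two self-signed certificates generated here stand in for the
# server certificate and its chain; no <HOST> is contacted.
# Assumption: openssl >= 1.1.1 (with its default openssl.cnf) is on PATH.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed certificate: $1 = CN, $2 = output PEM path.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "${2%.pem}.key" -out "$2" >/dev/null 2>&1
}

# Number of certificates in a PEM file (one BEGIN line per certificate).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Fingerprint as bare hex: $1 = file, $2 = sha256|sha1|md5, $3 = PEM|DER.
# Drops the "sha256 Fingerprint=" label and the colons.
fingerprint() {
  openssl x509 -in "$1" -inform "$3" -noout -fingerprint "-$2" | cut -d= -f2 | tr -d ':'
}

make_cert leaf.example "$WORK/leaf.pem"
make_cert ca.example "$WORK/ca.pem"
# Constructed stand-in for the -showcerts output: leaf first, then its issuer.
cat "$WORK/leaf.pem" "$WORK/ca.pem" > "$WORK/chain.pem"

# 1. openssl x509 keeps only the first certificate of a bundle.
openssl x509 -in "$WORK/chain.pem" -out "$WORK/first.pem"
first_count() { count_certs "$WORK/first.pem"; }     # 1, not 2
first_is_leaf() {
  [ "$(fingerprint "$WORK/first.pem" sha256 PEM)" = "$(fingerprint "$WORK/leaf.pem" sha256 PEM)" ] \
    && echo yes || echo no
}

# 2. PEM -> DER -> PEM is lossless, and the fingerprint is computed over the
#    DER bytes, so both encodings give the same value.
openssl x509 -in "$WORK/first.pem" -outform DER -out "$WORK/first.der"
openssl x509 -in "$WORK/first.der" -inform DER -out "$WORK/back.pem"
roundtrip_identical() { cmp -s "$WORK/first.pem" "$WORK/back.pem" && echo yes || echo no; }
fingerprint_independent_of_encoding() {
  [ "$(fingerprint "$WORK/first.pem" sha256 PEM)" = "$(fingerprint "$WORK/first.der" sha256 DER)" ] \
    && echo yes || echo no
}

# 3. Pin check: compare the SHA-256 fingerprint with an expected value,
#    case-insensitively, the way a pinning or change-detection script would.
pin_matches() {                     # $1 = cert PEM, $2 = expected hex
  [ "$(fingerprint "$1" sha256 PEM | tr '[:upper:]' '[:lower:]')" = \
    "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" ] && echo yes || echo no
}

PINNED=$(fingerprint "$WORK/leaf.pem" sha256 PEM)   # would normally be a stored value
echo "certs kept by x509: $(first_count), first is leaf: $(first_is_leaf)"
echo "roundtrip identical: $(roundtrip_identical), same fp for PEM/DER: $(fingerprint_independent_of_encoding)"
echo "pin matches leaf: $(pin_matches "$WORK/first.pem" "$PINNED"), pin vs other cert: $(pin_matches "$WORK/ca.pem" "$PINNED")"
```

Feeding the full -showcerts output to the fingerprint command therefore silently fingerprints the leaf only; to fingerprint the intermediates, split the bundle first.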
Check server SSL/TLS configuration with openssl:
# error example
$ echo -n | openssl s_client -connect <HOST>:443 -tls1_1 > /dev/null; echo $?
140213208319816:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
1
# ok example
$ echo -n | openssl s_client -connect <HOST>:443 -tls1_1 > /dev/null; echo $?
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA 2018
verify return:1
depth=0 CN = *.example.com
verify return:1
DONE
0
Note the -tls1_1, -tls1_2 and -tls1_3 options for probing specific TLS versions (-tls1_3 needs OpenSSL 1.1.1 or newer). An exit status of 0 only means the handshake completed: s_client keeps going after a certificate verification failure (watch the verify error / verify return lines) unless -verify_return_error is given.
Check an SMTP server, e.g. smtp.office365.com, using STARTTLS:
$ echo -n | openssl s_client -connect smtp.office365.com:587 -starttls smtp
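The version probe from the "error" and "ok" examples above, run against a local openssl s_server so the exit-status behaviour can be reproduced offline; this is an added example, not part of the original note. The server is pinned to TLS 1.2, so the -tls1_1 probe fails and the -tls1_2 probe returns 0 even though the certificate is self-signed and untrusted, which is the caveat: only with -verify_return_error does an untrusted certificate turn into a non-zero exit, and handing the certificate in as trust anchor with -CAfile makes the strict probe pass again. The port number, CN and file names are made up; it assumes openssl 1.1.1 or newer (with its default openssl.cnf) on PATH and a free TCP port on 127.0.0.1.

```shell
# Added example (not from the original note): run the version probe above against
# a local openssl s_server so the exit-status behaviour can be seen offline.
# Assumptions: openssl >= 1.1.1 (with its default openssl.cnf) on PATH and a free
# TCP port on 127.0.0.1; port number, file names and CN are made up here.
set -u
WORK=$(mktemp -d)
PORT=$((20000 + $$ % 20000))       # derived from the PID, fine for a demo

openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Test server that speaks TLS 1.2 only, so a -tls1_1 client must be refused.
openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
  -tls1_2 -www -quiet </dev/null >/dev/null 2>&1 &
SERVER=$!
trap 'kill "$SERVER" 2>/dev/null; rm -rf "$WORK"' EXIT

# Exit status of s_client with the given options (0 = handshake completed).
# Output is discarded; only $? matters, as in the examples above.
probe() {
  rc=0
  openssl s_client -connect "127.0.0.1:$PORT" "$@" </dev/null >/dev/null 2>&1 || rc=$?
  echo "$rc"
}

# Wait until the server accepts connections (up to ~10 s).
i=0
while [ "$(probe -tls1_2)" != 0 ] && [ "$i" -lt 10 ]; do sleep 1; i=$((i + 1)); done

# Version checks, mirroring the "error" and "ok" examples above.
tls11_status() { probe -tls1_1; }   # non-zero: TLS 1.1 refused
tls12_status() { probe -tls1_2; }   # 0: TLS 1.2 negotiated

# Caveat: 0 only says the handshake completed. The certificate is self-signed
# and untrusted, yet tls12_status is still 0. -verify_return_error turns the
# verification failure into a handshake failure; supplying the certificate as
# trust anchor via -CAfile makes the strict check pass again.
strict_untrusted() { probe -tls1_2 -verify_return_error; }                         # non-zero
strict_trusted()   { probe -tls1_2 -verify_return_error -CAfile "$WORK/cert.pem"; }  # 0

echo "tls1_1: $(tls11_status)  tls1_2: $(tls12_status)  strict: $(strict_untrusted)  strict+CAfile: $(strict_trusted)"
```

For scripted checks, use -verify_return_error (and -verify_hostname <HOST> if the name should be checked too) rather than trusting a bare 0 from s_client.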
PKCS#12 is an archive file format commonly used to bundle a private key with its X.509 certificate (and often the issuing CA chain), usually protected by a password. Unpacking is required e.g. with old cURL versions that don't support PKCS#12.
Extract the key:
# the private key (the output file is unencrypted; restrict its permissions, e.g. chmod 600)
openssl pkcs12 -in client.p12 -out client.key.pem -nocerts -nodes
Extract the certificate:
# the certificate
openssl pkcs12 -in client.p12 -out client.crt.pem -clcerts -nokeys
Use with curl (client certificate authentication):
curl --verbose --cert ./client.crt.pem --key ./client.key.pem -X GET https://<HOST>:<PORT>/<PATH>
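The PKCS#12 unpacking above carried through end to end, as an added example that is not part of the original note: a key and self-signed client certificate are generated, bundled into client.p12, extracted again with the two pkcs12 commands, and then checked to still belong together (public key from the private key equals the one in the certificate), to be stored unencrypted, and to have restricted permissions. The password "secret", the CN and the file names are made up; it assumes openssl 1.1.1 or newer (with its default openssl.cnf) on PATH.

```shell
# Added example (not from the original note): build a PKCS#12 archive, unpack it
# with the two commands above and check that the extracted key and certificate
# still belong together. Assumptions: openssl >= 1.1.1 (with its default
# openssl.cnf) on PATH; the password "secret", the CN and file names are made up.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=secret

# Key and self-signed client certificate standing in for what a CA would issue.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client.example" \
  -keyout "$WORK/orig.key" -out "$WORK/orig.crt" >/dev/null 2>&1

# Bundle them into client.p12, the form client certificates are usually handed out in.
openssl pkcs12 -export -inkey "$WORK/orig.key" -in "$WORK/orig.crt" \
  -out "$WORK/client.p12" -passout "pass:$PASS"

# Unpack. -nodes writes the private key unencrypted, so lock the file down at once.
openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$PASS" -nocerts -nodes \
  -out "$WORK/client.key.pem"
chmod 600 "$WORK/client.key.pem"
openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$PASS" -clcerts -nokeys \
  -out "$WORK/client.crt.pem"

# The public key derived from the private key must equal the one in the
# certificate; otherwise curl would present a certificate it cannot prove
# possession of and the TLS client authentication fails.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/client.key.pem" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$WORK/client.crt.pem" -pubkey -noout)
  [ -n "$k" ] && [ "$k" = "$c" ] && echo yes || echo no
}
# No "ENCRYPTED" marker in the PEM header: the key is plaintext on disk,
# which is why the chmod above matters.
key_is_plaintext() { grep -q ENCRYPTED "$WORK/client.key.pem" && echo no || echo yes; }
key_mode() { ls -ld "$WORK/client.key.pem" | cut -c2-10; }   # rw-------
cert_subject() { openssl x509 -in "$WORK/client.crt.pem" -noout -subject; }

echo "key matches cert: $(key_matches_cert), plaintext: $(key_is_plaintext), mode: $(key_mode)"
cert_subject
# With these files the curl call from the note becomes:
# curl --verbose --cert "$WORK/client.crt.pem" --key "$WORK/client.key.pem" https://<HOST>:<PORT>/<PATH>
```

Both extracted files carry "Bag Attributes" text before the PEM block; openssl and curl skip it, but strip it (e.g. by piping through openssl pkey / openssl x509) if another tool chokes on it. Recent curl built against OpenSSL also accepts the archive directly with --cert client.p12:secret --cert-type P12, so unpacking is only needed for the old versions mentioned above.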
Source: tls-certificates.md Created: 2023-09-07T15:24:56+03:00 Changed: 2023-09-07T20:08:22+03:00