openssl 1.0 vs 1.1 s_client verify CA cert expiration
nate
openssl at linuxpowered.net
Thu Sep 30 19:34:32 UTC 2021
On 2021-09-30 11:36, Viktor Dukhovni wrote:
> Ah, you also need to add "-showcerts" to s_client and best to separate
> stdout and stderr in order to avoid confusion due to error text leaking
> through, send stderr to /dev/null:
>
> $ openssl s_client -showcerts \
> -connect bad_server_name:443 \
> -servername bad_server_name 2>/dev/null |
> openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
> openssl pkcs7 -print_certs -noout -text |
> egrep 'Not (Before|After)'
>
> or write the errors to a separate file.
That almost worked.. but because the first openssl command
never completes the other commands just wait..
I poked around and found that sending Q to the command gets it
to exit so I came up with this:
echo "Q" | openssl s_client -showcerts -connect yehat.aphroland.org:443 \
-servername yehat.aphroland.org 2>/dev/null |
openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
openssl pkcs7 -print_certs -noout -text |
grep "\(Issuer:\|Subject:\|Not Before:\|Not After :\)"
which does the trick for me, used one of my personal servers to test
thanks for the help!
nate
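
An added example, not part of the original message: a Python filter that reads the `openssl pkcs7 -print_certs -text` output produced by the pipeline above (without the final grep) and reports which certificates in the chain are outside their validity window. The function names and the sample certificate text are constructed for illustration.

```python
import re
import sys
from datetime import datetime, timezone

# The same four fields the grep above selects from the -text output.
FIELD = re.compile(r"^\s*(Issuer|Subject|Not Before|Not After)\s*:\s*(.+?)\s*$")
DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # e.g. "Sep  1 00:00:00 2021 GMT"

def parse_chain(text):
    """Return one dict per certificate, in the order the server sent them."""
    certs, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Certificate:":
            cur = {}
            certs.append(cur)
        elif cur is not None and (m := FIELD.match(line)) and m.group(1) not in cur:
            key, val = m.groups()
            if key.startswith("Not "):
                val = datetime.strptime(val, DATE_FMT).replace(tzinfo=timezone.utc)
            cur[key] = val
    return certs

def not_valid(certs, now=None):
    """Subjects of certificates whose validity window does not contain `now`."""
    now = now or datetime.now(timezone.utc)
    return [c["Subject"] for c in certs
            if not (c["Not Before"] <= now <= c["Not After"])]

# Constructed sample input (abbreviated -text output for a two-certificate chain).
SAMPLE = """\
Certificate:
        Issuer: CN = Example Intermediate CA
            Not Before: Sep  1 00:00:00 2021 GMT
            Not After : Nov 30 23:59:59 2021 GMT
        Subject: CN = www.example.test
        Subject Public Key Info:
Certificate:
        Issuer: CN = Example Root CA
            Not Before: Jan  1 00:00:00 2016 GMT
            Not After : Sep 29 12:00:00 2021 GMT
        Subject: CN = Example Intermediate CA
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    bad = not_valid(parse_chain(text))
    print("\n".join("outside validity: " + s for s in bad) or "all certificates in date")
    sys.exit(1 if bad else 0)
```

The exit status is non-zero when any certificate the server sent is expired or not yet valid, so the script can be used in a monitoring check.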