openssl 1.0 vs 1.1 s_client verify CA cert expiration
Viktor Dukhovni
openssl-users at dukhovni.org
Thu Sep 30 18:36:05 UTC 2021
On Thu, Sep 30, 2021 at 11:26:14AM -0700, nate wrote:
> > This is *not* the correct way to see all the expiration dates in the
> > chain. It will show only the leaf certificate dates. The right
> > incantation is:
> >
> > $ openssl s_client -connect bad_server_name:443 -servername bad_server_name |
> > openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
> > openssl pkcs7 -print_certs -noout -text |
> > egrep -i 'not ?(before|after)'
>
> At least in this case the command you supplied appears to provide less
> information:
>
> (OpenSSL 1.0.2g)
> depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify error:num=10:certificate has expired
> notAfter=Sep 30 14:01:15 2021 GMT
Ah, you also need to add "-showcerts" to s_client, and it is best to separate
stdout and stderr in order to avoid confusion due to error text leaking
through, sending stderr to /dev/null:

    $ openssl s_client -showcerts \
        -connect bad_server_name:443 \
        -servername bad_server_name 2>/dev/null |
      openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
      openssl pkcs7 -print_certs -noout -text |
      egrep -i 'not ?(before|after)'

or write the errors to a separate file.
> (OpenSSL 1.0.2g with -trusted_first option)
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = bad_server_name
> verify return:1
Good.
> (OpenSSL 1.1.1f)
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = bad_server_name
> verify return:1
Ditto.
> Is there a command sequence that could get openssl to show all dates in
> the tree whether it is being served by the server or checked in the
> local trusted store?
The "crl2pkcs7 -nocrl -certfile /dev/stdin" command piped to
"pkcs7 -print_certs -text" is how to see the full chain.
> I assume your command is intended to do that, but
> it doesn't for me.
I neglected to suggest "-showcerts".
--
Viktor.
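Added example, not from the thread: a shell script that builds a throwaway two-certificate chain with the openssl CLI (subjects and file names are constructed), saves it in the leaf-first order that "s_client -showcerts" prints, and runs the crl2pkcs7 / pkcs7 -print_certs pipeline over the saved file so every certificate's validity dates are listed, not just the leaf's. It assumes the openssl binary is on PATH.

```shell
#!/bin/sh
# Builds a constructed root + leaf chain and lists the validity dates of
# every certificate in it with the pipeline discussed in the thread.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed chain: self-signed root, leaf signed by it. Prints the path
# of a PEM file holding both, leaf first (the s_client -showcerts order).
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=leaf.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 90 -sha256 \
    -out "$WORK/leaf.pem" 2>/dev/null
  cat "$WORK/leaf.pem" "$WORK/root.pem" > "$WORK/chain.pem"
  echo "$WORK/chain.pem"
}

# The thread's pipeline, fed from a saved chain file instead of a live
# s_client connection. "-text" prints "Not Before:" / "Not After :" lines
# (capitalised, unlike the "notAfter=" form s_client itself emits), so the
# filter matches that spelling and keeps the Subject line for context.
chain_dates() {
  openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -noout -text |
    grep -E 'Subject:|Not (Before|After)'
}

# Number of certificates whose dates were printed: one "Not After" each.
count_certs() {
  chain_dates "$1" | grep -c 'Not After'
}

CHAIN=$(make_chain)
chain_dates "$CHAIN"
```

With a live server, replace the saved file with the stdout of "openssl s_client -showcerts -connect host:443 -servername host 2>/dev/null".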