Nowadays I have to check ssl-configurations quite often and have to accomodate a blur of different CA’s intermediates and wildcard certs.

So for the most basic stuff I reccomend taping Julia Evan’s openssl cheat sheet somewhere in plain view until you can type the commands from it blindly.

But in some cases I needed to…

verify a certificate from your disk against your systems CA

You download or receive a certificate from somewhere, but before installing it, you want to see if it really works:

openssl verify -CApath /etc/ssl/certs <insert certfile here>


  • you might need to adapt /etc/ssl/certs to wherever your distribution stores the ca certificates
  • you might need to inject an intermediate certificate with the ‘-untrusted’ switch. If you have to do this, you’ll also need to deliver this intermediate to clients.

check a remote certificate for a specific vhost w/o matching dns

In some cases, specifically when moving from site A to site B, you might want to check your vhost certificates on the new location without fiddling with your hosts file or updating dns. This is the command to do so

openssl s_client -connect <TARGET WEBSERVER>:<PORT> -showcerts -servername <vhost name>

reduce the output to what I need

More often than not, the content of the certificate is not very interesting to me as a human reader. I am mostly interested in

  • is the cert still valid
  • who issued this cert
  • what is the cert’s subject

To accomplish that, you can basically pipe any given openssl command though openssl’s x509 handler like so

openssl s_client -CApath /etc/ssl/certs -connect -showcerts | openssl x509 -noout -issuer -subject -dates