Contents

Linux 指令確認SSL憑證

Contents

單純紀錄

TODO: 有空回來整理

Test FTP certificate

1
openssl s_client -connect server.yourwebhoster.eu:21 -starttls ftp

Test POP3 certificate

1
openssl s_client -connect server.yourwebhoster.eu:995

Test IMAP certificate

1
openssl s_client -connect server.yourwebhoster.eu:993

Test SMTP SSL certificate

1
openssl s_client -connect server.yourwebhoster.eu:465

Test SMTP TLS certificate

1
openssl s_client -connect server.yourwebhoster.eu:587 -starttls smtp

Test HTTPS certificate

1
openssl s_client -connect server.yourwebhoster.eu:443

Test DirectAdmin certificate

1
openssl s_client -connect server.yourwebhoster.eu:2222

How to verify SSL certificates with SNI (Server Name Indication) using OpenSSL

Using SNI with OpenSSL is easy. Just add the -servername flag and you are good to go. Replace in the examples below mail.domain.com with the SNI name. Note: you can also use the SNI name to replace server.yourwebhoster.eu with.

Test FTP certificate

1
openssl s_client -connect server.yourwebhoster.eu:21 -starttls ftp -servername mail.domain.com

Test POP3 certificate

1
openssl s_client -connect server.yourwebhoster.eu:995 -servername mail.domain.com

Test IMAP certificate

1
openssl s_client -connect server.yourwebhoster.eu:993 -servername mail.domain.com

Test SMTP SSL certificate

1
openssl s_client -connect server.yourwebhoster.eu:465 -servername mail.domain.com

Test SMTP TLS certificate

1
openssl s_client -connect server.yourwebhoster.eu:587 -starttls smtp -servername mail.domain.com

Test HTTPS certificate

1
openssl s_client -connect server.yourwebhoster.eu:443 -servername mail.domain.com

讀取網站憑證指紋

1
echo | openssl s_client -connect www.cgmh.org.tw:443 |& openssl x509 -fingerprint -noout

網站憑證鏈指紋

1
2
3
4
5
6
 echo "" | openssl s_client -showcerts \
                             -connect saucelabs.com:443 2>&1 | \
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p;
             /-END CERTIFICATE-/a\\x0' |\
    sed -e '$ d' | xargs -0rl -I% sh -c "echo '%' | \
    openssl x509 -fingerprint -noout -sha256 -subject"

參考sni - Different SHA1 fingerprint in browser and openssl - Stack Overflow
但根憑證好像算錯了?

sha1,sha256,md5

SHA-256
1
    openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt]
SHA-1
1
    openssl x509 -noout -fingerprint -sha1 -inform pem -in [certificate-file.crt]
MD5
1
    openssl x509 -noout -fingerprint -md5 -inform pem -in [certificate-file.crt]

How to view a certificate fingerprint as SHA-256, SHA-1 or MD5 using OpenSSL for RSA Authentication … - RSA Link - 4230

Certificate Decoder - Decode certificates to view their contents

SSL 相關的測試工具 – 軟體品管的專業思維

SSLScan - 瞭解網站是否安全的好用小工具

OpenSSL command cheatsheet