Validate SSL certificates from CLI using openssl command

The following steps validate SSL certificates with the openssl command.

Check the Certificate Chain: To check the certificate chain and ensure that it’s valid, you can use the openssl verify command. This command will check if the certificate chain is valid up to a trusted root certificate.

openssl verify -CAfile gd_bundle-g2-g1.crt abc.crt

In this command:

  • gd_bundle-g2-g1.crt is the file containing the trusted root certificates (the certificate authority bundle).
  • abc.crt is the certificate you want to verify.

If the certificate chain is valid, you’ll see a message like: abc.crt: OK.

Check Certificate Details:

To view detailed information about a certificate, you can use the openssl x509 command. For example, to view the details of the abc.crt certificate:

openssl x509 -in abc.crt -text

This will display all the information about the certificate, including its subject, issuer, validity dates, and more.

Check the Private Key and Certificate Match:

To verify if a private key (abc.key) matches a certificate (abc.crt), you can use the openssl rsa and openssl x509 commands together:

openssl rsa -noout -modulus -in abc.key | openssl md5

openssl x509 -noout -modulus -in abc.crt | openssl md5

Each command prints an MD5 digest of the modulus. If the two digests match, the private key and certificate match.

Check Certificate Expiry Date:

To check the expiry date of a certificate, you can use the openssl x509 command:

openssl x509 -enddate -noout -in abc.crt

This will display the certificate’s expiry date.

These OpenSSL commands provide various ways to validate SSL certificates and perform different checks. Adjust the commands based on your specific requirements for certificate validation.
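The chain, key match and expiry checks above combined into one pre-deployment script, as an added example that is not part of the original page. The function names and the throwaway demo CA are assumptions made for illustration; the key check compares public keys instead of RSA moduli, which goes beyond the text and also covers EC keys.

```shell
#!/bin/sh
# Added example: pre-deployment certificate checks (function names are hypothetical).

# chain_ok CA_BUNDLE CERT: CERT chains to a trusted root in CA_BUNDLE.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches KEY CERT: compare the public key derived from each file.
# Unlike the RSA modulus comparison, this also works for EC keys.
# Empty output (unreadable file) is treated as a mismatch, never a match.
key_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# not_expiring CERT DAYS: CERT is still valid DAYS days from now.
not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# preflight CA_BUNDLE CERT KEY DAYS: run every check and report each failure.
preflight() {
    rc=0
    chain_ok "$1" "$2"     || { echo "FAIL: chain does not verify" >&2; rc=1; }
    key_matches "$3" "$2"  || { echo "FAIL: key does not match certificate" >&2; rc=1; }
    not_expiring "$2" "$4" || { echo "FAIL: expires within $4 days" >&2; rc=1; }
    return "$rc"
}

# make_demo_pki DIR: constructed sample data. Creates a throwaway root CA, a
# 30-day certificate signed by it, and an unrelated key, for offline testing.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$d/abc.key" -out "$d/abc.csr" 2>/dev/null
    openssl x509 -req -in "$d/abc.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/abc.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# Usage: ./preflight.sh gd_bundle-g2-g1.crt abc.crt abc.key 30
if [ "$#" -eq 4 ]; then preflight "$@"; fi
```

A non-zero exit status from preflight means at least one check failed, so the script can gate a deployment step.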

Nginx SSL – Generate chained.crt

To generate the chained.crt file you need the following 2 files:

  • server.crt (also named your_domain_name.crt)
  • IntermediateCA.crt

Concatenate these 2 files in the order listed above to generate the chained.crt file.

$ cat server.crt IntermediateCA.crt > chained.crt

Add these 2 lines in Nginx config:

ssl_certificate    /etc/nginx/ssl/chained.crt;
ssl_certificate_key    /etc/nginx/ssl/your_domain_name.key;

Once that is done, restart Nginx.

Nginx – Deploy SSL certificate

These steps deploy an SSL certificate issued by DigiCert.

Before starting, make sure that you have downloaded the SSL certificate issued by DigiCert.

Now create a single file by concatenating your_domain_com.crt and DigiCertCA.crt, and name it chained.crt.

You can use the following command to generate chained.crt:

$ cat your_domain_com.crt DigiCertCA.crt > chained.crt

In this case, the chained.crt file is used as the ssl_certificate in nginx.

Now configure the nginx virtual host file for the website you want to secure, as shown below:

server {
    listen 443 ssl default_server;
    # chained.crt holds the server certificate followed by the intermediate CA
    ssl_certificate        /etc/nginx/ssl/chained.crt;
    ssl_certificate_key    /etc/nginx/ssl/your_domain_name.key;

    server_name your.domain.com;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    location / {
        root   /home/www/public_html/your.domain.com/public/;
        index  index.html;
    }
}

Finally, restart nginx.

$ service nginx restart

After the restart, your website can be accessed over HTTPS.