Ssl inspect

ssl_cert_dates

Print the validity dates (notBefore and notAfter) of a certificate. More concise than ssl_view_cert for scripting expiry checks.

Example

ssl_cert_dates server.pem
# notBefore=Jan  1 00:00:00 2024 GMT
# notAfter=Jan  1 00:00:00 2025 GMT

Arguments

  • $1 (string): Certificate file

Exit codes

  • 0: Success
  • 1: openssl error

Output on stdout

  • notBefore and notAfter lines

ssl_cert_subject

Print the subject DN of a certificate.

Arguments

  • $1 (string): Certificate file

Exit codes

  • 0: Success

Output on stdout

  • Subject DN line

ssl_cert_fingerprint

Print the fingerprint of a certificate. Defaults to SHA-256; pass a second argument to use another digest (e.g. sha1, md5).

Example

ssl_cert_fingerprint server.pem
ssl_cert_fingerprint server.pem sha1

Arguments

  • $1 (string): Certificate file
  • $2 (string): Digest algorithm (default: sha256)

Exit codes

  • 0: Success

Output on stdout

  • Fingerprint line

ssl_modulus_match

Verify that a certificate and key (and optionally a CSR) belong together by comparing the MD5 hash of each object's modulus. Prints OK to stdout on match; prints the divergent hashes to stderr and returns 1 on mismatch.

Example

ssl_modulus_match server.pem server.key
ssl_modulus_match server.pem server.key server.csr

Arguments

  • $1 (string): Certificate file
  • $2 (string): Private key file
  • $3 (string): CSR file (optional)

Exit codes

  • 0: All supplied objects share the same modulus
  • 1: Mismatch detected
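
The modulus comparison above applies to RSA keys, since EC and Ed25519 keys have no modulus. The following added example, which is not part of this library, generalizes the same check by comparing the SHA-256 digest of each object's full public key instead. The names pubkey_digest and pubkey_match, and the extra exit code 2 for an unreadable input, are assumptions made for the illustration.

```shell
# Added example (not library code): match cert, key and optional CSR by public key.
# pubkey_digest and pubkey_match are hypothetical names.

# Print the SHA-256 of an object's PEM-encoded public key.
# $1: cert|key|csr   $2: file. Returns 2 if no public key can be read.
pubkey_digest() {
    local kind="$1" file="$2" pem
    case "$kind" in
        cert) pem=$(openssl x509 -in "$file" -noout -pubkey 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$file" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req -in "$file" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 2
    # Refuse to hash empty output: two "empty" digests would look like a match.
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# $1: certificate, $2: private key, $3: CSR (optional).
# Prints OK and returns 0 on match; prints the digests to stderr and
# returns 1 on mismatch; returns 2 if an input cannot be parsed.
pubkey_match() {
    local cert="$1" key="$2" csr="${3:-}" c k r
    c=$(pubkey_digest cert "$cert") || { echo "no public key in $cert" >&2; return 2; }
    k=$(pubkey_digest key "$key")   || { echo "no public key in $key" >&2; return 2; }
    if [ -n "$csr" ]; then
        r=$(pubkey_digest csr "$csr") || { echo "no public key in $csr" >&2; return 2; }
    else
        r="$c"   # no CSR supplied: nothing extra to compare
    fi
    if [ "$c" = "$k" ] && [ "$c" = "$r" ]; then
        echo OK
        return 0
    fi
    printf 'cert: %s\nkey:  %s\n' "$c" "$k" >&2
    [ -n "$csr" ] && printf 'csr:  %s\n' "$r" >&2
    return 1
}
```
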

ssl_verify_chain

Verify a certificate against a CA bundle or the system default trust store.

Example

ssl_verify_chain server.pem
ssl_verify_chain server.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Arguments

  • $1 (string): Certificate file
  • $2 (string): CA bundle file (optional; omit to use system trust store)

Exit codes

  • 0: Certificate verifies OK
  • 1: Verification failed

ssl_verify_csr

Verify the signature of a CSR and display its contents.

Arguments

  • $1 (string): CSR file

Exit codes

  • 0: Signature OK
  • 1: Verification failed

Output on stdout

  • CSR text dump

ssl_key_strip_passphrase

Remove the passphrase from an encrypted private key. Writes the decrypted key to a new file; does not overwrite the input. openssl will prompt for the passphrase interactively.

Example

ssl_key_strip_passphrase encrypted.key
ssl_key_strip_passphrase encrypted.key plain.key

Arguments

  • $1 (string): Encrypted key file
  • $2 (string): Output file (default: input basename with .nopass.pem suffix)

Exit codes

  • 0: Success
  • 1: Wrong passphrase or openssl error