Whilst banging heads with an LDAP server recently, I needed a reliable way to verify that the SSL CA certificate I was using was the correct one for the certificate being returned by the server.
I came across this useful command after a search:
$ openssl s_client -connect ldap.example.com:636 -CAfile /tmp/ca-bundle.crt -showcerts
This command connects to the given server and port (it could be any TLS service; in my case it's a secured LDAP server) and uses the given CA bundle (/tmp/ca-bundle.crt) to verify the certificate returned by the server.
If the connection is established, it's the correct/valid CA; if it isn't, the CA file is wrong and that's probably why whatever you're trying to debug is having issues connecting. One thing to watch for: s_client still completes the handshake when verification fails, so look at the "Verify return code" line at the end of its output ("0 (ok)" means the server's chain verified against the bundle) rather than relying on the connection alone.
The other handy command I came across (thanks to the SamatsWiki OpenSSL cheatsheet) is the following, which prints everything in a PEM (ASCII) format certificate: subject, issuer, validity dates, extensions and so on:
$ openssl x509 -in example.pem -noout -text
This is going to be a very handy command when I want to check when a certificate expires (the "Not After" line in the Validity section) without having to connect to the service itself to find out.
One more note: if you have a certificate file and a CA bundle and want to make sure you're using the right one, the following checks the certificate against the bundle without contacting the server at all:
$ openssl verify -verbose -CAfile cabundle.crt example.com.crt
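Added example (not from the original post): a small POSIX shell script that wraps the two file-based checks above, openssl verify against a CA bundle and an expiry check via openssl x509 -checkend, and builds a throwaway CA plus leaf certificate so it can be run offline. The CA names, the hostname leaf.example.test and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example: file-based CA and expiry checks, exercised against a
# constructed CA/leaf pair (all names below are made up for this demo).
set -u

# Build a self-signed CA, a leaf signed by it, and an unrelated second CA in $1.
make_demo_certs() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Demo Root CA" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    -subj "/CN=leaf.example.test" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 10 -out "$dir/leaf.crt" >/dev/null 2>&1 || return 1
  # The "wrong CA bundle" case from the post: a CA that never signed the leaf.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/other.key" -out "$dir/other.crt" \
    -subj "/CN=Unrelated CA" >/dev/null 2>&1
}

# Exit 0 if the certificate in $2 chains to the CA bundle in $1, non-zero otherwise.
# Same check as: openssl verify -CAfile cabundle.crt example.com.crt
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if the certificate in $1 does NOT expire within $2 seconds, 1 if it does.
# -checkend reads the same "Not After" date that openssl x509 -text prints.
not_expiring_within() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Build the demo pair in a temp dir and run both checks, reporting as the post would.
demo() {
  dir=$(mktemp -d)
  make_demo_certs "$dir" || { echo "cert generation failed"; return 1; }
  chain_ok "$dir/ca.crt" "$dir/leaf.crt" && echo "leaf.crt chains to ca.crt: OK"
  chain_ok "$dir/other.crt" "$dir/leaf.crt" || echo "leaf.crt vs other.crt: wrong CA bundle"
  not_expiring_within "$dir/leaf.crt" $((30 * 86400)) || echo "leaf.crt expires within 30 days"
  rm -rf "$dir"
}
```

Source the file and call demo, or point chain_ok and not_expiring_within at your own CA bundle and certificate files.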