Using OpenSSL CLI to Check Information About Website TLS Certificates


In the realm of DevOps and IT security, ensuring that your web applications are secure is paramount. One of the fundamental aspects of web security is the use of TLS (Transport Layer Security) certificates, which encrypt data between the client and server, ensuring privacy and data integrity. OpenSSL, a robust open-source toolkit, provides a command-line interface (CLI) that allows you to inspect and verify TLS certificates with ease. This article will guide you through using OpenSSL CLI to check information about a website’s TLS certificate.

Prerequisites

Before diving into the commands, ensure that you have OpenSSL installed on your system. Most Unix-based systems, including Linux and macOS, come with OpenSSL pre-installed. You can verify its presence by running:

openssl version

If OpenSSL is not installed, you can typically install it via your package manager. For example, on Ubuntu, you can use:

sudo apt-get install openssl

Checking a Website’s TLS Certificate

To retrieve and inspect a website’s TLS certificate, you can use the s_client command in OpenSSL. This command establishes a connection to the server and retrieves the certificate information.

Step-by-Step Guide

  1. Connect to the Server and Retrieve the Certificate:

    Use the following command to connect to a server and retrieve its certificate:

    openssl s_client -connect example.com:443 -servername example.com

    Replace example.com with the domain you wish to inspect. The -servername option is used to specify the server name for SNI (Server Name Indication) support, which is essential for servers hosting multiple domains.

  2. Inspect the Certificate Details:

    Once connected, OpenSSL will output a lot of information. To focus on the certificate details, look for the section starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----. This is the PEM-encoded certificate.

  3. Decode the Certificate:

    To decode and view the certificate details in a human-readable format, copy the PEM-encoded certificate and use the following command:

    echo "-----BEGIN CERTIFICATE-----
    MIID... (certificate content)
    -----END CERTIFICATE-----" | openssl x509 -text -noout

    This command will display detailed information about the certificate, including:

    • Issuer: The entity that issued the certificate.
    • Subject: The entity to which the certificate was issued.
    • Validity Period: The start and end dates for the certificate’s validity.
    • Public Key Information: Details about the public key.
    • Extensions: Additional information such as Subject Alternative Names (SANs).

  4. Check Certificate Expiry:

    To quickly check when a certificate expires, you can use:

    echo "-----BEGIN CERTIFICATE-----
    MIID... (certificate content)
    -----END CERTIFICATE-----" | openssl x509 -enddate -noout

    This will output the expiration date of the certificate, allowing you to ensure it is still valid.

Automating Certificate Checks

For DevOps engineers, automating certificate checks can be beneficial, especially for monitoring purposes. You can create a simple script that periodically checks the certificates of your web services and alerts you if any are nearing expiration.

Here is a basic example using a Bash script:

#!/bin/bash
# Report how many days remain before a site's TLS certificate expires.
set -euo pipefail

DOMAIN="example.com"

# `echo |` closes stdin so s_client exits after the handshake; -servername sends SNI.
# The second openssl reads the PEM certificate from the handshake output.
EXPIRY_DATE=$(echo | openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" 2>/dev/null \
  | openssl x509 -noout -enddate | cut -d= -f2)

# `date -d` is GNU date. On macOS/BSD use instead:
#   date -j -f "%b %d %T %Y %Z" "$EXPIRY_DATE" +%s
EXPIRY_SECONDS=$(date -d "$EXPIRY_DATE" +%s)
CURRENT_SECONDS=$(date +%s)
DAYS_LEFT=$(( (EXPIRY_SECONDS - CURRENT_SECONDS) / 86400 ))

echo "The certificate for $DOMAIN expires in $DAYS_LEFT days."
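The following script is an added example, not part of the original article, that makes steps 1 to 4 and the expiry check above non-interactive: it cuts the leaf certificate out of the s_client output with sed instead of copy and paste, tests expiry with openssl x509 -checkend, which behaves the same on GNU and BSD systems, and lists the DNS names in the Subject Alternative Name extension. The host example.test and its self-signed fixture certificate are constructed here so the checks run offline; fetch_leaf_cert is the function you would point at a real host.

```shell
#!/usr/bin/env bash
# Added example: non-interactive version of the article's steps.
# Works in bash or POSIX sh; needs OpenSSL 1.1.1+ for `req -addext`.
set -eu

# Print only the PEM leaf certificate from a live handshake (steps 1-2).
# `echo |` closes stdin so s_client exits; -servername sends SNI.
fetch_leaf_cert() {      # usage: fetch_leaf_cert HOST [PORT]
  host=$1; port=${2:-443}
  echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Exit 0 if the certificate in PEM_FILE is still valid DAYS from now (step 4).
# -checkend works the same on GNU and BSD systems, unlike `date -d`.
cert_valid_for_days() {  # usage: cert_valid_for_days PEM_FILE DAYS
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print the DNS names from the subjectAltName extension, one per line (step 3).
cert_dns_names() {       # usage: cert_dns_names PEM_FILE
  openssl x509 -in "$1" -noout -text | grep -oE 'DNS:[^, ]+' | cut -d: -f2
}

# Exit 0 if NAME appears exactly among the certificate's DNS SANs.
cert_covers_name() {     # usage: cert_covers_name PEM_FILE NAME
  cert_dns_names "$1" | grep -qxF "$2"
}

# Constructed fixture: a throwaway self-signed certificate for example.test,
# valid 30 days, so the checks run offline. Prints the PEM path.
make_fixture_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -subj "/CN=example.test" \
    -addext "subjectAltName=DNS:example.test,DNS:www.example.test" 2>/dev/null
  echo "$dir/cert.pem"
}

main() {
  cert=$(make_fixture_cert)
  echo "SANs:"; cert_dns_names "$cert"
  cert_valid_for_days "$cert" 7  && echo "still valid in 7 days"
  cert_valid_for_days "$cert" 60 || echo "expires within 60 days"
  cert_covers_name "$cert" www.example.test && echo "covers www.example.test"
}
main "$@"
```

For a real host, replace the fixture with `fetch_leaf_cert example.com > cert.pem` and run the same checks on cert.pem.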

Conclusion

Using OpenSSL CLI to inspect TLS certificates is a powerful technique for DevOps engineers to ensure the security and integrity of their web applications. By understanding how to retrieve and decode certificate information, you can proactively manage your certificates and avoid potential security risks. OpenSSL’s flexibility and open-source nature make it an invaluable tool in the DevOps toolkit.
