#mkdir certs
#cd certs
Get the public certificate of the server you want to check:
#openssl s_client -showcerts -connect server:port
Copy everything from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" and save it in a file ending in .pem
Get the issuer (CA) root certificate ("Certification Authority Root Certificate"). It should be provided by your issuer, or, if you are your own CA, you should know how to get it. Place it in the same directory as the certificate of your server (the one you are testing).
Rehash the certificates. This creates symbolic links to your .pem files. The link names are based on the certificate content, so the openssl command will be able to operate on the files.
#for file in *.pem; do ln -s "$file" "$(openssl x509 -hash -noout -in "$file").0"; done
Verify the certificate:
#openssl s_client -CApath . -connect server:port
Output should be similar to:
..
..
..
SSL-Session:
Protocol : TLSv1.2
Cipher : DES-CBC3-SHA
Session-ID: 53563D55F85CD643713643B7163A8C25113B114703C975DEA1C57D659FFBF96E
Session-ID-ctx:
Master-Key: 7288C083E0723BC61C4C21DC91908E34BD5C65695064E4E114FF4ED763ECA1D489794B9911E69021B8A8083A9CAB18EE
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1398160725
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
..
..
If you see Verify return code: 0 (ok) you are good!
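The same procedure run offline, as an added example that is not part of the original post: it builds a constructed CA and server certificate, hashes the directory, and checks the result with `openssl verify -CApath`, which uses the same hashed-directory lookup as the `s_client -CApath` step. It goes beyond the one-liner above by numbering links `.0`, `.1`, ... when two certificates share a hash; the function names and certificate subjects are hypothetical.

```shell
#!/bin/sh
# Added example: constructed certificates, hypothetical function names.

# Create a throwaway CA and a server certificate signed by it in directory $1.
make_demo_certs() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" -keyout ca.key -out ca.pem 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -keyout server.key -out server.csr 2>/dev/null &&
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key \
        -set_serial 1 -days 1 -out server.pem 2>/dev/null
)

# Link every certificate in directory $1 as <hash>.N.
rehash_dir() (
    cd "$1" || exit 1
    for file in *.pem; do
        # Skip anything that does not parse as a certificate.
        h=$(openssl x509 -hash -noout -in "$file" 2>/dev/null) || continue
        n=0
        # Certificates with the same hash take the next free suffix: .0, .1, ...
        while [ -L "$h.$n" ]; do
            # Already linked on an earlier run: nothing to do for this file.
            [ "$(readlink "$h.$n")" = "$file" ] && continue 2
            n=$((n + 1))
        done
        ln -s "$file" "$h.$n"
    done
)

# Verify certificate $2 against the hashed directory $1.
verify_with_capath() {
    openssl verify -CApath "$1" "$2"
}

# End-to-end run in a scratch directory; returns the status of the verify step.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_certs "$d" && rehash_dir "$d" && verify_with_capath "$d" "$d/server.pem"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Calling `demo` prints the verdict from `openssl verify` for the constructed server certificate.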