openssl s_client command
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushChatCert.pem -key PushChatKey.pem
# Force SSLv3 (many current OpenSSL builds are compiled without SSLv3, so -ssl3 may be unavailable)
openssl s_client -connect 127.0.0.1:5000 -ssl3
# Force TLS 1.0
openssl s_client -connect 127.0.0.1:5000 -tls1
Certificate information (certificate / intermediate / root CA):
$ openssl x509 -in example.com.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
05:48:e9:a4:8b:e9:9f:cc:fa:72:12:04:c8:75:38:b8
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Secure Site CA G2
Validity
Not Before: Oct 26 00:00:00 2021 GMT
Not After : Nov 22 23:59:59 2022 GMT
Subject: C=CN, ST=Beijing, O=Zwg (Beijing) Limited, CN=*.zwg.com.cn
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:C4:11:7E:08:40:86:C2:41:BF:65:F3:1A:E1:B4:53:40:A3:AB:EC:7D
X509v3 Subject Key Identifier:
09:E6:0A:84:5B:29:C0:08:BB:25:7B:4B:2F:37:0D:26:0E:86:88:20
X509v3 Subject Alternative Name:
DNS:*.zwg.com.cn, DNS:zwg.com.cn
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/SecureSiteCAG2.crl
Full Name:
URI:http://crl4.digicert.com/SecureSiteCAG2.crl
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.2
CPS: http://www.digicert.com/CPS
Authority Information Access:
OCSP - URI:http://ocsp.dcocsp.cn
CA Issuers - URI:http://crl.digicert-cn.com/SecureSiteCAG2.crt
X509v3 Basic Constraints: critical
CA:FALSE
1.3.6.1.4.1.11129.2.4.2:
Signature Algorithm: sha256WithRSAEncryption
Key information:
$ openssl rsa -in example.com.key -check
Certificate validity period
Check the validity period of the certificate a domain serves:
$ echo | openssl s_client -servername blog.zhaoweiguo.com -connect blog.zhaoweiguo.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Oct 26 00:00:00 2021 GMT
notAfter=Nov 22 23:59:59 2022 GMT
Check certificate validity periods in bulk:
#!/bin/bash
# Domains to check, one per line
domains='
sentry.google.com
console.google.com
www.google.com
m.google.com
api.google.com
'
for domain in $domains
do
    # Fetch the served certificate and keep only the notAfter line
    check_result=$(echo | openssl s_client -servername "$domain" -connect "$domain:443" 2>/dev/null | openssl x509 -noout -dates | grep After)
    # printf aligns the columns; bash's builtin echo does not expand "\t" by default
    printf '%-40s%s\n' "$domain" "$check_result"
done
Or check with third-party tools:
* https://www.ssllabs.com/ssltest/analyze.html
* https://whatsmychaincert.com/?jpuyy.com
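Check the expiry date of a p12 certificate:
1. First convert it to PEM (-nodes leaves any private key in certificate.pem unencrypted)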
$ openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes
2. Check the expiry date
$ cat certificate.pem | openssl x509 -noout -enddate
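An added example (not part of the original page): the commands above only print dates, so a failed connection or a certificate close to expiry is easy to miss. This sketch classifies a PEM file such as certificate.pem with openssl x509 -checkend; the function names and the self-signed sample certificate are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original page. Function names are hypothetical.

# Print OK / EXPIRING / EXPIRED / UNREADABLE for a PEM certificate file.
# $1 = PEM file, $2 = warning threshold in days.
cert_expiry_status() {
    # -checkend also exits 1 when the file cannot be parsed, so test
    # readability first; otherwise a failed fetch looks like "expiring".
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo UNREADABLE; return 3
    fi
    # -checkend N exits 0 only if the certificate is still valid N seconds from now
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED; return 2
    fi
    if ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        echo EXPIRING; return 1
    fi
    echo OK
}

# Save the certificate a live host serves (same s_client call as the loop above).
# $1 = host name, $2 = output file. Needs network access; not called below.
fetch_cert() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2" 2>/dev/null
}

# Constructed sample input: a throwaway self-signed certificate valid for $2 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed.example" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

sample_dir=$(mktemp -d)
make_sample_cert "$sample_dir/short.pem" 10
echo "not a certificate" >"$sample_dir/junk.pem"
for f in short.pem junk.pem; do
    status=$(cert_expiry_status "$sample_dir/$f" 30) || true
    printf '%-12s%s\n' "$f" "$status"
done
```

The return codes (0 OK, 1 EXPIRING, 2 EXPIRED, 3 UNREADABLE) let a cron job or monitoring check alert on anything non-zero.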
References
Checking SSL certificate expiry times with openssl in shell: https://jpuyy.com/2017/05/openssl-%E6%A3%80%E9%AA%8C-ssl-%E8%AF%81%E4%B9%A6%E8%BF%87%E6%9C%9F%E6%97%B6%E9%97%B4.html