How to Check SSL Certificates Using OpenSSL and Complete Installation



Properly verifying and installing SSL certificates are critical steps in securing your website. Using OpenSSL for certificate verification provides powerful diagnostic capabilities that help ensure your certificate is valid and properly configured before installation. This comprehensive guide walks you through both certificate verification using OpenSSL and the complete installation process across various server environments.

Key Takeaways

  • OpenSSL provides robust command-line tools for examining and validating SSL certificates
  • Certificate verification helps identify issues with expiration dates, trust chains, and domain validation
  • Different server platforms (Apache, Nginx, IIS) require specific installation procedures
  • Complete installation requires certificate files, private keys, and intermediate certificates
  • Regular verification using OpenSSL helps maintain website security and prevent certificate-related outages

Understanding SSL Certificate Verification with OpenSSL

Before installing an SSL certificate, it’s crucial to verify its integrity, validity, and configuration details. OpenSSL is a powerful open-source toolkit that provides comprehensive certificate examination capabilities.

What is OpenSSL?

OpenSSL is a robust, full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides a rich set of cryptographic functions, including tools for:

  • Creating certificate signing requests (CSRs)
  • Managing private keys
  • Verifying certificate information
  • Testing SSL/TLS connections
  • Examining certificate chains

Installing OpenSSL

Before using OpenSSL for certificate verification, you’ll need to install it on your system:

For Windows:
Download a Windows build (the OpenSSL project itself ships source only and links to third-party binaries from its website), or use the copy of OpenSSL bundled with Git for Windows (Git Bash) or Cygwin.

For macOS:

brew install openssl

For Linux (Debian/Ubuntu):

sudo apt-get update
sudo apt-get install openssl

For Linux (CentOS/RHEL):

sudo yum install openssl

Essential OpenSSL Commands for Certificate Verification

Once installed, OpenSSL provides numerous commands for certificate verification:

1. Examining Local Certificate Files

To view detailed information about your certificate file:

openssl x509 -in yourcertificate.crt -text -noout

This command displays comprehensive information about your certificate, including:

  • Subject (domain name)
  • Issuer (Certificate Authority)
  • Validity period (start and expiration dates)
  • Public key details
  • Certificate extensions
  • Signature algorithm

2. Verifying Certificate Expiration

To quickly check when your certificate expires:

openssl x509 -in yourcertificate.crt -noout -enddate

3. Checking if Private Key Matches Certificate

It’s crucial to verify that your private key matches your certificate:

# Get certificate modulus
openssl x509 -noout -modulus -in yourcertificate.crt | openssl md5

# Get private key modulus
openssl rsa -noout -modulus -in yourprivatekey.key | openssl md5

If the two hashes match, your private key corresponds to your certificate. Note that this modulus comparison only works for RSA keys; for ECDSA keys, compare the public key extracted from each file instead.

4. Verifying Certificate Chain

To check if your certificate chain is complete and valid:

openssl verify -CAfile chain.pem yourcertificate.crt

Where chain.pem contains all intermediate certificates. OpenSSL completes the chain to a root from the system trust store, so if your CA's root is not in that store, add it to chain.pem as well.
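The checks from items 2 to 4 scripted together, as an added example that is not part of the original article: it compares public keys rather than RSA moduli (so it also covers ECDSA keys), uses -checkend to test for an expiry window, and passes the intermediates as -untrusted so only the root acts as a trust anchor. It assumes openssl is on PATH, and the final function builds a throwaway root/intermediate/leaf PKI (constructed) so the checks can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the original article: a pre-installation check
# that scripts the article's local checks (key/cert match, expiry, chain).
# Assumes openssl is on PATH; the file names are the functions' arguments.

# Does the private key belong to the certificate? Comparing public keys works
# for RSA and ECDSA keys alike, whereas the modulus trick is RSA-only.
key_matches_cert() {  # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Will the certificate still be valid N days from now? -checkend takes seconds
# and exits non-zero as soon as the expiry date falls inside that window.
valid_for_days() {  # $1 = certificate, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Does the certificate chain up to the root? Intermediates go in -untrusted:
# they help build the chain but are not themselves treated as trust anchors.
chain_is_complete() {  # $1 = certificate, $2 = intermediate bundle, $3 = root
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Constructed throwaway PKI for trying the checks offline: a root, an
# intermediate and a leaf for example.test. Prints the directory it created.
make_test_pki() {
    d=$(mktemp -d)
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\n' > "$d/pki.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' >> "$d/pki.cnf"
    openssl req -x509 -config "$d/pki.cnf" -extensions ca -newkey rsa:2048 -nodes \
        -days 3 -subj /CN=Test-Root -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -config "$d/pki.cnf" -newkey rsa:2048 -nodes -subj /CN=Test-Int \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 3 -extfile "$d/pki.cnf" -extensions ca \
        -out "$d/int.pem" 2>/dev/null
    openssl req -config "$d/pki.cnf" -newkey rsa:2048 -nodes -subj /CN=example.test \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
    echo "$d"
}
```

Run the three functions against your own files before installation; a non-zero exit from any of them is the same failure the article's troubleshooting section describes.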

5. Testing Remote Server Certificates

OpenSSL can also verify certificates already installed on a server:

openssl s_client -connect example.com:443 -showcerts

This command establishes a connection to the server and displays the entire certificate chain.

6. Checking Certificate Revocation

To verify if a certificate has been revoked via OCSP (Online Certificate Status Protocol):

openssl ocsp -issuer intermediate.pem -cert yourcertificate.crt -text -url http://ocsp.example.com

Replace the URL with the OCSP responder URL found in your certificate.

Common Certificate Issues Detected by OpenSSL

OpenSSL can help identify several common certificate problems:

  • Self-signed certificates: Indicated by the issuer and subject being identical
  • Expired certificates: Shown in the validity period section
  • Name mismatches: The common name (CN) or Subject Alternative Names (SANs) don’t match the domain
  • Incomplete certificate chains: Missing intermediate certificates
  • Weak cryptographic parameters: Outdated key lengths or algorithms
  • Trust issues: Certificate not issued by a trusted authority

SSL Certificate Installation Process

After verifying your certificate with OpenSSL, you can proceed with installation on your web server.

Preparing for Installation

Before installing, gather these essential files:

  • Server certificate: Your primary SSL certificate file (usually with .crt, .cer, or .pem extension)
  • Private key: The private key corresponding to your certificate (usually with .key extension)
  • Intermediate certificates: CA-provided certificate chain files that establish trust
  • Root certificate: The root certificate from your Certificate Authority (sometimes included in the intermediate bundle)

Installing SSL Certificates on Different Web Servers

Apache Web Server Installation

For Apache HTTP Server:

  1. Locate your Apache configuration directory:
  • On Debian/Ubuntu: /etc/apache2/sites-available/
  • On CentOS/RHEL: /etc/httpd/conf.d/
  2. Edit your virtual host configuration to include SSL settings:
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /path/to/yourcertificate.crt
    SSLCertificateKeyFile /path/to/yourprivatekey.key
    # SSLCertificateChainFile is deprecated since Apache 2.4.8; on current
    # versions append the intermediate certificates to SSLCertificateFile instead
    SSLCertificateChainFile /path/to/intermediate.crt

    # Optional recommended settings
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCompression off

    # Additional directives...
</VirtualHost>
  3. Enable the SSL module (if not already enabled):
sudo a2enmod ssl
  4. Enable your site configuration:
sudo a2ensite your-ssl-site.conf
  5. Test the configuration:
sudo apache2ctl configtest
  6. Restart Apache (the a2enmod, a2ensite and apache2 names are Debian/Ubuntu specific; on CentOS/RHEL install the mod_ssl package and restart the httpd service instead):
sudo systemctl restart apache2

Nginx Web Server Installation

For Nginx:

  1. Edit your server block configuration (typically in /etc/nginx/sites-available/ on Debian/Ubuntu, or /etc/nginx/conf.d/ on other distributions):
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    root /var/www/html;

    # Nginx has no separate chain directive: the file given to ssl_certificate
    # must contain the server certificate followed by the intermediate certificates
    ssl_certificate /path/to/yourcertificate.crt;
    ssl_certificate_key /path/to/yourprivatekey.key;
    # ssl_trusted_certificate is only used to validate OCSP responses (stapling)
    # and client certificates; it does not send the chain to clients
    ssl_trusted_certificate /path/to/intermediate.crt;

    # Recommended SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    # Additional directives...
}

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
  2. Test the configuration:
sudo nginx -t
  3. Reload Nginx:
sudo systemctl reload nginx

Microsoft IIS Installation

For Windows servers running IIS:

  1. Open IIS Manager from the Windows Administrative Tools
  2. Select your server in the Connections panel
  3. Double-click the Server Certificates icon in the Features View
  4. Import your certificate:
  • If you have a PFX file, use the “Import” option
  • If you completed a CSR, use “Complete Certificate Request”
  5. Bind the certificate to your website:
  • Select your website in the Connections panel
  • Click “Bindings” in the Actions panel
  • Add a new binding for HTTPS (port 443)
  • Select your imported certificate
  6. Apply the changes and test your website

cPanel Installation

For cPanel/WHM servers:

  1. Log in to cPanel
  2. Navigate to SSL/TLS section
  3. Select “Install and Manage SSL for your site”
  4. Choose the domain for installation
  5. Paste the certificate, private key, and intermediate certificates in their respective fields
  6. Click “Install Certificate”

Using OpenSSL to Verify Successful Installation

After installation, use OpenSSL to verify your server’s certificate configuration:

openssl s_client -connect example.com:443 -servername example.com

Check for:

  1. Connection success without errors
  2. Certificate chain completeness (all certificates displayed)
  3. Verification result (should say “Verify return code: 0 (ok)”)
  4. Correct server name in the certificate
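An added example (not from the original article) that applies this checklist to a saved s_client transcript. It assumes the transcript was captured with the command above, with standard input closed and output redirected to a file; the transcript embedded at the end is a constructed, abridged sample of a correctly installed chain.

```shell
#!/bin/sh
# Added example, not from the original article: applies the post-installation
# checklist to a saved s_client transcript. Assumes it was captured with
#   openssl s_client -connect HOST:443 -servername HOST </dev/null > out.txt 2>&1

# Item 3: the verify result line must report code 0.
verify_ok() {  # $1 = transcript file
    grep -q '^Verify return code: 0 (ok)' "$1"
}

# Item 2: number of certificates the server sent (lines " 0 s:", " 1 s:", ...).
# A count of 1 usually means the intermediate bundle was not installed.
chain_depth() {  # $1 = transcript file
    grep -c '^ *[0-9][0-9]* s:' "$1"
}

# Item 4: does the leaf (entry 0) name the expected host? Only the CN appears
# in s_client's summary; SAN entries need -text on the first certificate.
leaf_names_host() {  # $1 = transcript file, $2 = expected host
    sed -n 's/^ *0 s:.*CN *= *\([^,/]*\).*/\1/p' "$1" | grep -qx "$2"
}

# Constructed sample transcript (abridged) for an install with the chain present.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate
 1 s:C = US, O = Example CA, CN = Example Intermediate
   i:C = US, O = Example CA, CN = Example Root
---
...
Verify return code: 0 (ok)
---
EOF
```

Point the three functions at a transcript of your own server to turn the checklist into a pass/fail check you can run after every deployment.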

Troubleshooting SSL Certificate Issues

If your OpenSSL verification reveals issues after installation, try these troubleshooting steps:

Certificate Chain Problems

Symptoms: Browsers show “not trusted” warnings, or OpenSSL shows “unable to get local issuer certificate”

Solutions:

  • Ensure all intermediate certificates are installed in the correct order
  • Verify you’re using the correct intermediate bundle for your specific certificate
  • Check file formatting (no extra spaces, line breaks, or text)
  • Use this OpenSSL command to verify chain completeness:
  openssl verify -CAfile chain.pem yourcertificate.crt

Private Key Issues

Symptoms: Server fails to start, or SSL handshake fails

Solutions:

  • Verify key matches certificate using the modulus check mentioned earlier
  • Check key file permissions (should be readable by the web server but protected from others)
  • Ensure key is in the correct format (PEM format is most common)
  • If encrypted, provide the passphrase in your server configuration or convert to an unencrypted key

Name Mismatch Errors

Symptoms: Browsers show “certificate name mismatch” warnings

Solutions:

  • Verify the Common Name (CN) or Subject Alternative Names (SANs) in your certificate match your website domain
  • For multiple domains or subdomains, ensure all are listed in the SANs
  • If using a wildcard certificate, ensure it matches your subdomain structure

Protocol and Cipher Issues

Symptoms: Certain browsers can’t connect, or security scanners report weak configuration

Solutions:

  • Update your server configuration to use modern protocols (TLSv1.2, TLSv1.3)
  • Disable older, insecure protocols (SSLv3, TLSv1.0, TLSv1.1)
  • Configure strong cipher suites and proper order
  • Test with OpenSSL:
  openssl s_client -connect example.com:443 -tls1_2

Best Practices for SSL Certificate Management

To maintain a secure SSL implementation:

Regular Verification

  • Schedule periodic checks using OpenSSL to verify certificate validity
  • Set up monitoring for certificate expiration dates
  • Test after server updates to ensure configuration wasn’t modified

Security Hardening

  • Implement HTTP Strict Transport Security (HSTS) to enforce HTTPS
  • Configure proper Content-Security-Policy headers
  • Enable OCSP Stapling for improved performance and privacy
  • Use strong Diffie-Hellman parameters for perfect forward secrecy:
  openssl dhparam -out dhparams.pem 2048

Automation and Management

  • Consider automated certificate renewal tools like Certbot
  • Document your certificate details including issuing CA, expiration, domains covered
  • Implement a certificate management process for your organization
  • Create a disaster recovery plan for certificate loss or compromise

Wrapping It Up

Using OpenSSL to verify SSL certificates before and after installation is an essential practice for maintaining website security. By thoroughly checking certificate details, validating the trust chain, and ensuring proper configuration, you can prevent security issues and certificate-related outages.

The installation process varies by server platform, but the principles remain the same: properly configure your certificate files, private key, and intermediate certificates to establish a secure and trusted HTTPS connection for your users.

Remember that SSL/TLS security is not a one-time task—regular verification, updates to meet current security standards, and proactive certificate management are necessary to maintain a strong security posture.

FAQ: Checking SSL Certificates with OpenSSL and Installation

How can I check if a website’s SSL certificate is valid using OpenSSL?

You can verify a remote website’s certificate using: openssl s_client -connect example.com:443 -servername example.com. This displays the entire certificate chain and verification status.

What’s the difference between SSL and TLS?

SSL (Secure Sockets Layer) is the predecessor to TLS (Transport Layer Security). Modern websites use TLS, though “SSL certificate” remains the common term. Current secure websites should use TLS 1.2 or 1.3, as all SSL versions and TLS 1.0/1.1 are considered insecure.

How do I fix “unable to get local issuer certificate” errors?

This error indicates a missing intermediate certificate. Obtain the correct intermediate certificate bundle from your certificate authority and properly configure it in your web server settings.

Can I use the same certificate across multiple servers?

Yes, you can install the same certificate on multiple servers as long as you have the certificate file and its corresponding private key. However, be careful with private key security when transferring between servers.

How do I convert certificate formats using OpenSSL?

Common conversion commands include:

  • PEM to DER: openssl x509 -in cert.pem -outform der -out cert.der
  • DER to PEM: openssl x509 -in cert.der -inform der -outform pem -out cert.pem
  • PEM to PKCS#12: openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem -certfile chain.pem

What should I do if OpenSSL shows my certificate is about to expire?

If your certificate is nearing expiration, generate a new CSR (Certificate Signing Request) and request a renewal from your certificate authority. Once received, verify the new certificate using OpenSSL before installing it to replace the expiring certificate.
