How to verify SSL certificates with OpenSSL on Command Line


OpenSSL is usually installed by default on Unix/Linux platforms. If you want to use OpenSSL on Windows, you will need either Cygwin or the Windows Subsystem for Linux.
With the OpenSSL s_client command we can verify that each protocol/service presents the correct certificate.

Test FTP certificate

openssl s_client -connect your-server-address:21 -starttls ftp

Test POP3 certificate

openssl s_client -connect your-server-address:995

Test IMAP certificate

openssl s_client -connect your-server-address:993

Test SMTP SSL certificate

openssl s_client -connect your-server-address:465

Test SMTP TLS certificate

openssl s_client -connect your-server-address:587 -starttls smtp

Test HTTPS certificate

openssl s_client -connect your-server-address:443

How to verify SSL certificates with SNI (Server Name Indication) using OpenSSL

Using SNI with OpenSSL is easy: just add the -servername flag and you are good to go.
It sets the SNI (Server Name Indication) extension to the given server name, which is useful for testing when multiple secure sites are hosted on the same IP address, since the server picks its certificate by that name:

Test FTP certificate

openssl s_client -connect your-server-address:21 -starttls ftp -servername your-server-address

Test POP3 certificate

openssl s_client -connect your-server-address:995 -servername your-server-address

Test IMAP certificate

openssl s_client -connect your-server-address:993 -servername your-server-address

Test SMTP SSL certificate

openssl s_client -connect your-server-address:465 -servername your-server-address

Test SMTP TLS certificate

openssl s_client -connect your-server-address:587 -starttls smtp -servername your-server-address

Test HTTPS certificate

openssl s_client -connect your-server-address:443 -servername your-server-address
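The per-protocol commands above and the SNI variants differ only in port, -starttls option and -servername, and the result of each is the "Verify return code" line at the end of the s_client output. The following script (an added example, not code from the original post) folds that table into one function, always sends SNI, and parses the verify code so a check can be scripted; the sample s_client output it carries is constructed, not captured from a real server.

```shell
# Added example, not part of the original post. Wraps the s_client calls
# above into one checker: picks port and -starttls per protocol, sends SNI,
# and reads the "Verify return code" line so a script can act on the result.

# Build the s_client arguments for a protocol from the article's port table.
# Returns 1 (and prints nothing on stdout) for an unknown protocol name.
tls_args() {
    local proto="$1" host="$2" port starttls=""
    case "$proto" in
        ftp)   port=21;  starttls="-starttls ftp" ;;
        pop3s) port=995 ;;
        imaps) port=993 ;;
        smtps) port=465 ;;
        smtp)  port=587; starttls="-starttls smtp" ;;
        https) port=443 ;;
        *) echo "unknown protocol: $proto" >&2; return 1 ;;
    esac
    echo "-connect $host:$port -servername $host${starttls:+ $starttls}"
}

# Read s_client output on stdin and print the numeric verify return code.
# 0 means the chain validated against the local trust store; anything else
# (e.g. 10 expired, 18 self-signed, 21 chain incomplete) is a failure.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample of s_client output for an incomplete chain (not real
# output from any server), used to exercise verify_code offline.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=0 CN = your-server-address
---
Verify return code: 21 (unable to verify the first certificate)
---'

# Connect, validate and print a one-line verdict; exit status 0 only on success.
check_cert() {
    local proto="$1" host="$2" args out code
    args=$(tls_args "$proto" "$host") || return 2
    out=$(openssl s_client $args 2>&1 </dev/null)   # word splitting intended
    code=$(printf '%s\n' "$out" | verify_code)
    if [ "$code" = "0" ]; then
        echo "$proto $host: ok"
        printf '%s\n' "$out" | openssl x509 -noout -subject -enddate
    else
        echo "$proto $host: FAILED: $(printf '%s\n' "$out" | grep -m1 'Verify return code')"
        return 1
    fi
}
# Usage: check_cert https example.com; check_cert smtp mail.example.com
```

A non-zero verify code is reported only when the cert chains to a CA in the local trust store, so run it on a machine whose CA bundle matches the clients you care about.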

Test a TLS connection by forcing a specific cipher suite, e.g. ECDHE-RSA-AES128-GCM-SHA256.

Useful to check whether a server can talk over each of its configured cipher suites, not just the one it prefers. Note that -cipher selects TLS 1.2 and earlier suites; TLS 1.3 suites are chosen with -ciphersuites.

openssl s_client -host example.com -port 443 -cipher ECDHE-RSA-AES128-GCM-SHA256 2>&1 </dev/null

Measure TLS connection and handshake time

Measure SSL connection time without and with session reuse:

openssl s_time -connect example.com:443 -new
openssl s_time -connect example.com:443 -reuse

Roughly examine TCP and SSL handshake times using curl:

curl -kso /dev/null -w "tcp:%{time_connect}, ssldone:%{time_appconnect}\n" https://example.com

Measure speed of various security algorithms:

openssl speed rsa2048
openssl speed ecdsap256

Resources

I’ve put together a few resources about OpenSSL that you may find useful.

OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs | DigitalOcean — https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

The Most Common OpenSSL Commands — https://www.sslshopper.com/article-most-common-openssl-commands.html

OpenSSL: Working with SSL Certificates, Private Keys and CSRs — https://www.dynacont.net/documentation/linux/openssl/