OpenSSL

Verification

Verify certificates and test connections

Test SSL/TLS Connection

Connect to a server and show certificate:

openssl s_client -connect example.com:443

With SNI (Server Name Indication):

openssl s_client -connect example.com:443 -servername example.com

Show full certificate chain:

openssl s_client -connect example.com:443 -showcerts

Test mTLS Connection

Test a mutual TLS connection by presenting a client certificate and private key:

openssl s_client -connect server.example.com:443 \
  -cert your_certificate.crt \
  -key your_private.key

mTLS Connection Errors

If the server rejects your certificate, you may see these errors:

| Error Message | Meaning |
| --- | --- |
| tlsv1 alert unknown | Server rejected the certificate |
| ssl/tls alert certificate unknown | Certificate not recognized |
| SSL3 alert read:fatal:certificate unknown | Fatal certificate error |
| SSL alert number 46 | Certificate unknown alert |
| unexpected eof while reading | Connection closed unexpectedly |
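
If you see any of these errors, verify that your .crt file is valid for your key file by comparing the MD5 checksum of each file's modulus. The two checksums must be identical; if they differ, the certificate was not issued for that key. The modulus comparison applies to RSA keys.
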
# Verify certificate and key match
openssl x509 -noout -modulus -in your_certificate.crt | openssl md5
openssl rsa -noout -modulus -in your_private.key | openssl md5
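
Added example (not part of the original page): the modulus check above only covers RSA keys, so this script generalizes it by comparing the full public key, which also works for EC or Ed25519 pairs. The function names and the generated sample files are assumptions made for the demonstration.

```shell
#!/bin/sh
# Check that a certificate and a private key belong together by comparing
# the public key embedded in the certificate with the one derived from the key.
# Exit status: 0 = pair matches, 1 = mismatch, 2 = a file could not be parsed.
cert_key_match() (
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 2
  # An empty result must never count as a match.
  [ -n "$cert_pub" ] || exit 2
  [ "$cert_pub" = "$key_pub" ]
)

# Constructed sample material (hypothetical names): an EC key with a
# self-signed certificate, plus an unrelated RSA key.
make_samples() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$1/client.key" 2>/dev/null &&
  openssl req -new -x509 -key "$1/client.key" -subj "/CN=client.example.test" \
    -days 1 -out "$1/client.crt" 2>/dev/null &&
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/other.key" 2>/dev/null
}

# Print a one-line verdict for a certificate/key pair.
report() {
  cert_key_match "$1" "$2" && rc=0 || rc=$?
  case $rc in
    0) echo "MATCH    $1 <-> $2" ;;
    1) echo "MISMATCH $1 <-> $2" ;;
    *) echo "ERROR    cannot parse $1 or $2" ;;
  esac
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
report "$demo_dir/client.crt" "$demo_dir/client.key"
report "$demo_dir/client.crt" "$demo_dir/other.key"
report "$demo_dir/missing.crt" "$demo_dir/client.key"
rm -rf "$demo_dir"
```

A match only shows that the certificate and key are a pair; the server can still reject the certificate if it does not trust the issuing CA.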

Get Remote Certificate

Download and save server certificate:

echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -out cert.pem

Verify Certificate Chain

Verify against system CA bundle:

openssl verify cert.pem

Verify against specific CA:

openssl verify -CAfile ca.pem cert.pem

Verify certificate chain:

openssl verify -CAfile ca.pem -untrusted intermediate.pem cert.pem

Check Certificate Validity

Check if certificate is valid for a domain:

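# </dev/null closes stdin so s_client exits after the handshake instead of waiting for input
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | \
  openssl x509 -noout -subject -dates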

Test Specific TLS Version

TLS 1.2:

openssl s_client -connect example.com:443 -tls1_2

TLS 1.3:

openssl s_client -connect example.com:443 -tls1_3

Check Supported Ciphers

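Show which cipher the server selects when the client offers every cipher (this reports the single negotiated cipher, not the server's full list):

# </dev/null closes stdin so s_client exits after the handshake instead of waiting for input
openssl s_client -connect example.com:443 -cipher 'ALL' </dev/null 2>/dev/null | \
  grep "Cipher is"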

List available ciphers:

openssl ciphers -v

Verify Signature

Verify file signature with public key:

openssl dgst -sha256 -verify public.key -signature file.sig file.txt

Create signature:

openssl dgst -sha256 -sign private.key -out file.sig file.txt

OCSP Check

Check certificate revocation status:

openssl ocsp -issuer issuer.pem -cert cert.pem -url http://ocsp.example.com -resp_text