Use OpenSSL for basic SSL/TLS tasks

In this post I outline some basic OpenSSL commands you can use in your day to day job when it involves working with SSL/TLS certificates. For example you use OpenSSL to get a certificate’s SerialNumber or to verify the SAN (Subject Alternative Names).

Table of Contents show

OpenSSL has a lot of sub commands:

When working with TLS certificates you mostly use the s_client standard command. This command allows you to inspect certificates, work in a SMTP stream to send email, and so on. In Windows you install OpenSSL using winget or by using its installer file. See install OpenSSL in Windows for all the details.

I have openssl.exe in my path environment ($env:path) so I don’t have to type the full path to my openssl.exe binary. Further I have ShiningLight.OpenSSL.Light OpenSSL installed, you may have FireDaemon OpenSSL available. No worries.

Retrieve and inspect a website’s current SSL/TLS certificate

Execute the following command to inspect a remote website’s current TLS certificate:

openssl.exe s_client -tls1_2 -servername HOSTNAME -connect IP_ADDRESS:443

Substitute HOSTNAME and IP_ADDRESS with their respected values. For Saotn.org:

openssl.exe s_client -tls1_2 -servername www.saotn.org -connect [2a00:f60::1:51]:443

this results in (partly):

Connecting to 2a00:f60::1:51
CONNECTED(0000017C)
depth=1 C=US, O=Let's Encrypt, CN=R11
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=*.saotn.org
verify return:1
---
Certificate chain
 0 s:CN=*.saotn.org
   i:C=US, O=Let's Encrypt, CN=R11
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 28 05:01:16 2025 GMT; NotAfter: Sep 26 05:01:15 2025 GMT
 1 s:C=US, O=Let's Encrypt, CN=R11
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE/TCCA+WgAwIBAgISBhUb4d83bGGOx3aYxZgmUCT+MA0GCSqGSIb3DQEBCwUA
MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
EwNSMTEwHhcNMjUwNjI4MDUwMTE2WhcNMjUwOTI2MDUwMTE1WjAWMRQwEgYDVQQD
DAsqLnNhb3RuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANeF
AO2V8tkgeVzAr71Xmczc8szmaOaBgNge979uS8VhR6aMlJ9uJ6lGT26Jflj2j/Ap
om4SWYQUxrgy30IZ54Y1BxFbbGFMP23NB4h0f1bqN2rKku+G7Py526VtXGWO5XNm
Sfc2yia0JzfemtkVfDWDb76dxFGfYp90S1VmB+oHvzQUyFMCUjBheLdJC0+lJOOo
Mwq8pCx3g8QPP1MvNmCNs+F+f63O4y9Q8HTmW5pefeB5g6/DmOSPhXR2oUXrj99c
YussB+UA7g+03JGoyuovfqKiOqgk9q0LjAYjb3FGdJgLzj57HbgXlo3cJSsU+m+T
7cTS978lzjhc00S/MfsCAwEAAaOCAiYwggIiMA4GA1UdDwEB/wQEAwIFoDAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E
FgQUBVzoGVoVudrFupJl19XmHaAMSkUwHwYDVR0jBBgwFoAUxc9GpOr0w8B6bJXE
LbBeki8m47kwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzAChhdodHRwOi8vcjEx
LmkubGVuY3Iub3JnLzAhBgNVHREEGjAYggsqLnNhb3RuLm9yZ4IJc2FvdG4ub3Jn
MBMGA1UdIAQMMAowCAYGZ4EMAQIBMC8GA1UdHwQoMCYwJKAioCCGHmh0dHA6Ly9y
MTEuYy5sZW5jci5vcmcvMTI3LmNybDCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB1
AA3h8jAr0w3BQGISCepVLvxHdHyx1+kw7w5CHrR+Tqo0AAABl7Ue1jUAAAQDAEYw
RAIgOGcZXy5op6SLcwECwXoFSVb5vsc8r8MS/aMO2LacvxkCIFBj7MO8eguMQgY7
LZHZqzjX0qWSUFLSyOfUsGMTG54gAHYAzPsPaoVxCWX+lZtTzumyfCLphVwNl422
qX5UwP5MDbAAAAGXtR7XDwAABAMARzBFAiBz2MfJJ4KGhPLB5+XAETuMg4+2aPjc
wyGP7Vs2Gfe19QIhAIpDRHBmu2pT5W+t2m8Fd5R7JxKakEpC/aqBUA1EsHoMMA0G
CSqGSIb3DQEBCwUAA4IBAQApxtjM5WhBuWb3p4n8/IYM6JR8JI/ySi0q+NMVWN7X
Qx+nRJG4EQGDEeqcp02ztQeTvnvdVkSktQ0rI/koy8A8BSKXOZ4MyChZZ9jucD4d
wiQZjAM18RSIJOS4IrJ/J4Ct1k8sZlG0jeXghd5AsdtQyqMveq8TXDCfZqNAKRmi
YKBCb+oPzG8054gd7JLBL4wDT3J05ksQ33w2C8BiFbIDqaKbS12roTP9bdGrrgpx
kSSDLwba23v4IEtpfDmF3U6Og98N2VGeoowCXNdxbA9b0OfGzJNfMMlYPC5VYZ0S
laVi2cZPNCoQcux0TB5Q345N9AjyRgmjMBh9h4H7GEY+
-----END CERTIFICATE-----
subject=CN=*.saotn.org
issuer=C=US, O=Let's Encrypt, CN=R11
---

Which tells you my site has an Let’s Encrypt certificate installed.

SerialNumber from .PEM file

Suppose you have a .PEM file and you need to get the SerialNumber from it, use the following openssl.exe command:

(& openssl.exe x509 -noout -serial -in .\dev.saotn.org.pem).split("=")[1]

The output is the SerialNumber.

What exactly is a .PEM file?

Taken from “sysadmin1138” great explanation on Server fault:

.pem – Defined in RFC 1422 (part of a series from 1421 through 1424) this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR (e.g. as used here) as the PKCS10 format can be translated into PEM. The name is from Privacy Enhanced Mail (PEM), a failed method for secure email but the container format it used lives on, and is a base64 translation of the x509 ASN.1 keys.

SAN (Subject Alternative Names) from Certificate Signing Request (CSR)

If someone provided you with an certificate signing request – or CSR – you verify the hostnames with the following openssl.exe command:

openssl.exe req -in '.\CSRfile.csr' -text -noout | Select-String DNS

This prints out hte DNS names, also known as Subject ALternative Names or SANs.

PFX file’s Subject

The subject, issuer and friendlyName of an PFX certificate file is reviewed using:

openssl.exe pkcs12 -info -in certfile.pfx

Do note this requests the certificate’s Import Password and PEM pass phrase. In the certificate information you find

Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: *.saotn.org - 2026
subject=CN=*.saotn.org
C=US, O=Let's Encrypt, CN=R11

Conclusion

This post provided you with some basic openssl usage for working with certificates. If you want to work with StartTLS and SMTP, IMAP or POP3 servers, you may find the post Test SMTP authentication and StartTLS interesting.