How To Check SSL Through CLI

Introduction

In today's digital landscape, ensuring secure communication over the internet is paramount. SSL (Secure Socket Layer) and its successor, TLS (Transport Layer Security), play a crucial role in safeguarding sensitive data exchanged between web browsers and servers. As a system administrator or developer, understanding how to check SSL certificates through the command line interface (CLI) is essential for maintaining secure connections and mitigating vulnerabilities. This article will guide you through the process of checking SSL certificates using various CLI tools.

What Is SSL?

SSL (Secure Socket Layer) is a protocol that encrypts data transmitted over the internet, ensuring that sensitive information such as login credentials, credit card numbers, and personal details remains secure from interception by malicious actors. SSL has been largely replaced by TLS, which offers enhanced security features. Both protocols rely on digital certificates issued by trusted entities known as Certificate Authorities (CAs) to validate the identity of websites and establish secure connections.

How It Works

When you connect to a website using SSL/TLS, a series of steps occur to establish a secure connection:

1. Handshake: The client (your browser) and server communicate to agree on encryption methods and exchange keys.
2. Certificate Verification: The server presents its SSL certificate to the client, which verifies its authenticity against trusted CAs.
3. Secure Connection: Once verified, a secure channel is established, allowing encrypted data transmission.

Think of this process like a secure conversation between two people who first confirm each other's identities before discussing sensitive information.

Prerequisites

Before you begin checking SSL certificates through the CLI, ensure you have the following:

• Access to a terminal or command line interface.
• Installed tools: curl, wget, and openssl.
• Basic understanding of command line operations.

Installation & Setup

If you do not have the necessary tools installed, you can do so using the following commands based on your operating system:

For Debian/Ubuntu

sudo apt update
sudo apt install curl wget openssl

For CentOS/RHEL

sudo yum install curl wget openssl

For macOS (using Homebrew)

brew install curl wget openssl

Step-by-Step Guide

Here’s a step-by-step guide to checking SSL certificates using curl, wget, and openssl.

Using curl

1. Basic SSL Verification To check SSL information for a website, use:

   curl --verbose https://example.com

2. Check Certificate Status To verify if the certificate is valid and check its revocation status, run:

   curl --cert-status https://example.com

3. Fetch HTTP Headers with SSL Information To retrieve HTTP headers along with SSL handshake details:

   curl https://example.com -vI

4. Extract Specific SSL Connection Information To get detailed SSL connection info using awk:

   curl --insecure -vvI https://example.com 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

Using wget

1. Check Server Connection and SSL Certificate To check the server response and SSL certificate information:

   wget --server-response --spider https://example.com

2. Verbose Output for SSL Details For detailed output, including SSL handshake information:

   wget --verbose https://example.com

Using openssl

1. Connect and Retrieve SSL Certificate To connect to a server and retrieve its SSL certificate:

   openssl s_client -connect example.com:443

2. Check Certificate Expiry Date To check the expiry date of the SSL certificate:

   openssl s_client -connect example.com:443 -servername example.com < /dev/null | openssl x509 -noout -dates

Real-World Examples

Example 1: Validating a Website's SSL Certificate

You can verify the SSL certificate of a website to ensure it is valid and not expired:

curl --verbose https://www.google.com

This command will display the SSL handshake details, including the certificate chain.

Example 2: Checking SSL Certificate Expiry

To check when a website's SSL certificate will expire:

openssl s_client -connect www.example.com:443 -servername www.example.com < /dev/null | openssl x509 -noout -dates

This command provides the start and end dates of the certificate's validity.

Example 3: Monitoring SSL Certificate with wget

You can use wget to monitor the SSL certificate's validity:

wget --server-response --spider https://www.example.com

This command checks the server's response and provides SSL certificate details.

Best Practices

• Regularly check SSL certificates to ensure they are valid and up-to-date.
• Monitor expiration dates and set reminders for renewal.
• Use automated tools to alert you of any certificate issues.
• Ensure that your server supports only strong cipher suites.
• Regularly update your CLI tools to benefit from security enhancements.

Common Issues & Fixes

Issue	Cause	Fix
SSL certificate expired	Certificate not renewed	Renew the SSL certificate
Mismatched domain name	Certificate issued for a different domain	Obtain a new certificate for the correct domain
Untrusted certificate	CA not recognized by the client	Install the CA certificate on the client

Key Takeaways

• SSL/TLS protocols are essential for secure internet communication.
• Regularly checking SSL certificates helps maintain security and prevent service interruptions.
• Tools like curl, wget, and openssl provide powerful ways to verify SSL certificates via the CLI.
• Understanding the SSL handshake and certificate verification process is crucial for troubleshooting.
• Implement best practices to manage SSL certificates effectively in production environments.