If you run your own internal SSL PKI (public key infrastructure), in other words if you act as your own CA (certificate authority), you have a few ways of verifying the certificates you generate. (Note that this also works for verifying certificates from third-party CAs without using s_client, as long as you have the root CA file and the certificate in question. You will need to chain the intermediate cert(s) with the CA, though.)
Where was I?
So! Given that CA.crt is our PEM-encoded CA certificate and client.crt is our PEM-encoded endpoint certificate:
openssl verify -verbose -CAfile CA.crt client.crt
And as a bonus, here’s how you get a certificate’s fingerprint:
openssl x509 -fingerprint -in client.crt -sha512 -noout
Of course, there is always the tried-and-true method of s_client. s_client connects to the given host:port and, if all the certs check out, prints “Verify return code: 0 (ok)”. (In the examples below, we redirect stdin from /dev/null so that s_client reads end-of-file right after the handshake and exits; without that, s_client stays open and you can use it as a sort of SSL-tunneled telnet.)
With full trust chain:
openssl s_client -showcerts -connect devblog.square-r00t.net:443 < /dev/null
And with the fingerprint of the server’s own (leaf) certificate, which is the first one s_client prints and therefore the one openssl x509 reads from the pipe:
openssl s_client -showcerts -connect devblog.square-r00t.net:443 < /dev/null |& openssl x509 -fingerprint -noout