SSL: Verify a certificate
From www.yakakliker.org
Command
openssl s_client -connect host.domaine:443 -servername host.domaine
- Example response (when everything is OK)
root@VLINREC:~# openssl s_client -connect host.domaine:443 -servername host.domaine
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, O = Gandi, CN = Gandi RSA Domain Validation Secure Server CA 3
verify return:1
depth=0 CN = *.host.domaine
verify return:1
---
Certificate chain
0 s:CN = *.host.domaine
i:C = FR, O = Gandi, CN = Gandi RSA Domain Validation Secure Server CA 3
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 25 00:00:00 2025 GMT; NotAfter: Aug 25 23:59:59 2026 GMT
1 s:C = FR, O = Gandi, CN = Gandi RSA Domain Validation Secure Server CA 3
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
a:PKEY: rsaEncryption, 3072 (bit); sigalg: RSA-SHA384
v:NotBefore: Aug 2 00:00:00 2023 GMT; NotAfter: Aug 1 23:59:59 2033 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
XXX...
...XXX
-----END CERTIFICATE-----
subject=CN = *.host.domaine
issuer=C = FR, O = Gandi, CN = Gandi RSA Domain Validation Secure Server CA 3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3885 bytes and written 405 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: F2BBB522AB7EFD010685B32DC646C4E73F8EFCB02B7FD65D6Q26A5C1FF255922
Session-ID-ctx:
Resumption PSK: BAE23C764B39F422A21DF2CB7AFA0C87751CEEFED33E1D978307745BD560B79E
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 14 cd f7 39 2d 5f 14 a4-3a d6 c0 71 5c 80 42 33 ...9-_..:..q\.B3
0010 - 99 cf e3 ba d6 5f 42 7f-62 75 c4 8c 7b ab bd 09 ....._B.bu..{...
Start Time: 1757661886
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: F8D7E336E8C774BE84C9EA21E54EEBE2ADZ94D9F1159823F722CDF6821CFABB5
Session-ID-ctx:
Resumption PSK: 234E4587E520GB6793621F811A7C59AF73BA69D4BC80DE94117D61D56A8169EC
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - c7 5e de 84 70 68 00 57-8b 0e 80 0c d0 cc 60 2b .^..ph.W......`+
0010 - 2d 1d 74 c5 39 db e8 48-b0 85 79 b8 1a 81 34 50 -.t.9..H..y...4P
Start Time: 1757661886
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
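An added example (not from the yakakliker page) that turns a saved `openssl s_client` transcript like the one above into a pass/fail verdict: it extracts the verify return code, protocol, cipher, leaf CN and NotAfter date, and also matches the leaf CN against the server name, because "Verify return code: 0 (ok)" on its own only says the chain validated (in s_client itself, `-verify_hostname host.domaine` adds that name check; real clients match the SAN extension, which this transcript does not show). The function names are hypothetical, the sample transcript is constructed from the output above, and `sed`, `head` and `mktemp` are assumed to be available.

```shell
# Save the live output, then summarise it:
#   openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null >out.txt
#   check_tls_transcript out.txt host

# cn_matches CN NAME: exact match, or a leftmost "*." covering exactly one
# label (*.host.domaine covers www.host.domaine, not host.domaine or a.b.host.domaine)
cn_matches() {
    [ "$1" = "$2" ] && return 0
    case "$1" in
        \*.*) suffix="${1#\*.}"; first="${2%%.*}"; rest="${2#*.}"
              [ "$first" != "$2" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ] ;;
        *) return 1 ;;
    esac
}

# check_tls_transcript FILE NAME: one-line summary on stdout, failures on
# stderr; exit status 0 only when every check passes.
check_tls_transcript() {
    tf="$1"; name="$2"; ok=0
    rc=$(sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' "$tf" | head -n 1)
    proto=$(sed -n 's/^New, \([^,]*\), Cipher is .*/\1/p' "$tf" | head -n 1)
    cipher=$(sed -n 's/^New, [^,]*, Cipher is \(.*\)/\1/p' "$tf" | head -n 1)
    cn=$(sed -n 's/^subject=.*CN = \([^,]*\).*/\1/p' "$tf" | head -n 1)
    # the first "v:" line belongs to the leaf certificate (chain entry 0)
    expiry=$(sed -n 's/^ *v:.*NotAfter: \(.*\)$/\1/p' "$tf" | head -n 1)
    [ "$rc" = "0" ] || { echo "FAIL: verify return code ${rc:-missing}" >&2; ok=1; }
    case "$proto" in TLSv1.2|TLSv1.3) ;; *) echo "FAIL: protocol ${proto:-unknown}" >&2; ok=1 ;; esac
    cn_matches "$cn" "$name" || { echo "FAIL: CN '$cn' does not cover '$name'" >&2; ok=1; }
    echo "leaf=$cn proto=$proto cipher=$cipher expires='$expiry' verify=${rc:-none}"
    return $ok
}

# make_sample: constructed transcript, trimmed from the output shown above
make_sample() {
    sf=$(mktemp); cat > "$sf" <<'EOF'
Certificate chain
 0 s:CN = *.host.domaine
   i:C = FR, O = Gandi, CN = Gandi RSA Domain Validation Secure Server CA 3
   v:NotBefore: Aug 25 00:00:00 2025 GMT; NotAfter: Aug 25 23:59:59 2026 GMT
---
subject=CN = *.host.domaine
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Verify return code: 0 (ok)
EOF
    echo "$sf"
}
sample=$(make_sample)
check_tls_transcript "$sample" www.host.domaine && echo "OK for www.host.domaine"
```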
Layout of the certificat.pem file
-----BEGIN CERTIFICATE-----
XXX... certificate of host.domaine ...XXX
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXX... certificate of the certification authority ...XXX
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
XXX... private key of host.domaine ...XXX
-----END PRIVATE KEY-----