
SSL certificate verification

Publication date: Mar 2, 2024
Task

GOAL

You want to check the server SSL certificate on your web server, HTTPS listener or Dedicated Load Balancer.
You may also want to check from a client that the whole SSL chain is correct when accessing a given server.
The errors returned will tell you, for example, whether:
  • Your server certificate has expired
  • The Certificate Authority that issued this server certificate is unknown to your client
  • The Certificate Authority that issued this client certificate is unknown to your server
  • Your SSL client certificate is refused
In all the examples below, <SERVER_NAME> must be replaced by a DNS name, for example:
  • api.example.com
  • my-own-endpoint.lb.anypointdns.net
  • www.google.com
 
Steps

PRE-REQUISITE

The following OpenSSL commands work natively on Linux and macOS, but you will need to install OpenSSL on Windows.
See the following official link to install it on Windows: https://wiki.openssl.org/index.php/Binaries

curl is also natively included in macOS and Linux. You can install it on Windows; the installer is available at https://curl.haxx.se/

 

Command line: Remotely checking the certificate validity

From a remote host, such as your own computer, you can connect to your server and get useful output with the following commands:
curl -v https://<SERVER_NAME>
Among the output, you should get 'SSL certificate verify ok' or a useful error message:
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
*  start date: Jan 10 10:42:09 2018 GMT
*  expire date: Apr  4 09:41:00 2018 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: C=US; O=Google Trust Services; CN=Google Internet Authority G3
*  SSL certificate verify ok.

The equivalent with openssl:
openssl s_client -connect <SERVER_NAME>:443 -showcerts -servername <SERVER_NAME>
A good result ends with:
Verify return code: 0 (ok)
---


Command line: Locally checking the certificate validity

If you are on the server itself, you can use the localhost address while still sending the expected server name, like this:
curl -v -H "Host: <SERVER_NAME>" https://127.0.0.1
or
openssl s_client -connect 127.0.0.1:443 -showcerts -servername <SERVER_NAME>


Command line: Checking the expiry date of a certificate with openssl

echo | openssl s_client -servername <SERVER_NAME> -connect <SERVER_NAME>:443 | openssl x509 -noout -dates
Example (the verify error printed here comes from s_client and is shown on stderr; the dates are printed by x509 on stdout):
$ echo | openssl s_client -servername www.google.com -connect www.google.com:443 | openssl x509 -noout -dates
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE
notBefore=Jan 10 10:42:09 2018 GMT
notAfter=Apr  4 09:41:00 2018 GMT


Connecting with a Client Certificate

If you have a certificate and private key in a file named Client_cert.p12, you can use it as a client SSL certificate with curl and its "--cert" option. See the curl man page for more details.
curl -v --cert ./Client_cert.p12 https://<SERVER_NAME>/order-service/order

Connecting with Certificate Authority (CA) or intermediate certificates to complete the chain

In the following example, CA_Cert.pem contains one or more Certificate Authority certificates. If it completes the SSL chain of certificates, you will no longer get an error.
This is a convenient way to discover which certificates must be added to your client programs in order to have a successful SSL handshake.
The file may contain multiple CA certificates. The certificate(s) must be in PEM format.
curl -v --cacert ./CA_Cert.pem https://<SERVER_NAME>/order-service/order
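The remote, expiry and CA checks above can also be run programmatically. The following is an added example (not part of the original article) using only the Python standard library: it parses the date format printed by curl and openssl, computes days left, maps OpenSSL verify error numbers such as the num=20 shown above to the failure causes listed under GOAL, and connects the way s_client does, with cafile standing in for --cacert and a PEM client certificate for --cert. Function and parameter names are this example's own.

```python
import socket
import ssl
from datetime import datetime, timezone

# OpenSSL verify error numbers ("num=NN" in s_client output, verify_code in
# Python) mapped to the failure causes listed under GOAL above.
VERIFY_CAUSES = {
    9: "server certificate is not yet valid",
    10: "server certificate has expired",
    18: "self-signed server certificate: its CA is unknown to the client",
    19: "self-signed certificate in chain: the CA is unknown to the client",
    20: "issuing CA unknown to the client (root or intermediate missing)",
    21: "cannot verify the server certificate (chain incomplete)",
    62: "server certificate does not match the requested hostname",
}

def parse_openssl_date(text):
    """Parse 'Apr  4 09:41:00 2018 GMT' as printed by curl -v, 'x509 -dates'
    and ssl.getpeercert(); the day of month may be space-padded."""
    fields = text.split()
    if fields[-1] == "GMT":
        fields = fields[:-1]
    parsed = datetime.strptime(" ".join(fields), "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)

def days_remaining(not_after, now=None):
    """Days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (parse_openssl_date(not_after) - now).total_seconds() / 86400

def explain_verify_error(code, message=""):
    """Map a verify error to one of the causes listed under GOAL."""
    return VERIFY_CAUSES.get(code, "verify error %d: %s" % (code, message))

def check_server(host, port=443, cafile=None, client_pem=None, timeout=5.0):
    """s_client-style check of HOST:PORT; cafile stands in for --cacert and
    client_pem (cert+key in PEM; convert the page's .p12 with
    'openssl pkcs12 -in Client_cert.p12 -out client.pem -nodes') for --cert."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile only, as --cacert
    if client_pem:
        ctx.load_cert_chain(client_pem)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        return {"ok": False,
                "reason": explain_verify_error(err.verify_code, err.verify_message)}
    return {"ok": True, "subject": cert["subject"], "issuer": cert["issuer"],
            "notAfter": cert["notAfter"], "days_left": days_remaining(cert["notAfter"])}
```

A call such as check_server("www.google.com") returns the same subject, issuer and expiry information that curl -v prints, or the plain-language reason the chain failed to verify.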


Sending a JSON request with curl and checking whether we get the expected result

curl -v -X POST -H "content-type: application/json" https://<SERVER_NAME>/order-service/order -d \
'{
  "requestContext": {
    "shipTo": "000000000",
    "timeZone": "-180",
    "langCode": "en"
  },
  "SalesDate": "12/11/17",
  "Language": "ENG",
  "DeliveryPreference": "E",
  "purchaseOrderNumber": "12345",
  "customerEmail": "noone@nobody.com"
}'


Combining all of the above (CA, Client Certificate, JSON Request)

You can combine most of the curl options we have seen.
In the example below, you send a JSON request with your client certificate / private key, and add a CA certificate together with the intermediates:
curl -v --cacert ./CA_Cert.pem --cert ./Client_cert.p12 -X POST -H "content-type: application/json" https://<SERVER_NAME>/order-service/order -d \
'{
  "requestContext": {
    "shipTo": "000000000",
    "timeZone": "-180",
    "langCode": "en"
  },
  "SalesDate": "12/11/17",
  "Language": "ENG",
  "DeliveryPreference": "E",
  "purchaseOrderNumber": "12345",
  "customerEmail": "noone@nobody.com"
}'

 
Knowledge Article Number

001114623

Salesforce Help | Article