On Thu, Sep 30, 2021 at 11:26:14AM -0700, nate wrote:

> > This is *not* the correct way to see all the expiration dates in the
> > chain. It will show only the leaf certificate dates. The right
> > incantation is:
> >
> >     $ openssl s_client -connect bad_server_name:443 -servername bad_server_name |
> >         openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
> >         openssl pkcs7 -print_certs -noout -text |
> >         egrep 'Not (Before|After)'
>
> At least in this case the command you supplied appears to provide less
> information:
>
> (OpenSSL 1.0.2g)
> depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify error:num=10:certificate has expired
> notAfter=Sep 30 14:01:15 2021 GMT

Ah, you also need to add "-showcerts" to s_client, and it is best to
separate stdout and stderr in order to avoid confusion due to error text
leaking through, i.e. send stderr to /dev/null:

    $ openssl s_client -showcerts \
        -connect bad_server_name:443 \
        -servername bad_server_name 2>/dev/null |
      openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
      openssl pkcs7 -print_certs -noout -text |
      egrep 'Not (Before|After)'

or write the errors to a separate file.

> (OpenSSL 1.0.2g with -trusted_first option)
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = bad_server_name
> verify return:1

Good.

> (OpenSSL 1.1.1f)
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = bad_server_name
> verify return:1

Ditto.

> Is there a command sequence that could get openssl to show all dates in
> the tree whether it is being served by the server or checked in the
> local trusted store?

The "crl2pkcs7 -nocrl -certfile /dev/stdin" command piped to
"pkcs7 -print_certs -text" is how to see the full chain.

> I assume your command is intended to do that, but
> it doesn't for me.

I neglected to suggest "-showcerts".

-- 
	Viktor.
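The following is an added example, not part of the thread above. It shows why `openssl x509 -dates` is the wrong tool for a chain (it parses only the first PEM block it finds) and why the `crl2pkcs7 -nocrl -certfile ... | pkcs7 -print_certs -noout -text` pipeline reports every certificate. So that it runs offline, it builds a constructed two-certificate chain (a throwaway self-signed root plus a leaf it signs) with openssl itself; that file stands in for what `s_client -showcerts` would write to stdout. It assumes `openssl` (1.1.1 or 3.x) is on PATH; all names and paths are made up for the example.

```shell
#!/bin/sh
# Added example: leaf-only vs. whole-chain validity dates with the openssl CLI.
# The chain is constructed here for the demo; it stands in for the
# leaf-first PEM bundle that "openssl s_client -showcerts" prints on stdout.

# make_chain DIR: write DIR/chain.pem = leaf cert followed by its (test) root.
make_chain() {
    dir=$1
    # self-signed root, 30-day validity (EC keys keep generation fast)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/root.key" -out "$dir/root.pem" \
        -subj "/CN=Example Test Root" -days 30 2>/dev/null
    # leaf CSR, then sign it with the root for 7 days
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=leaf.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/leaf.pem" -days 7 2>/dev/null
    # s_client -showcerts order: end-entity first, then the issuer(s)
    cat "$dir/leaf.pem" "$dir/root.pem" > "$dir/chain.pem"
}

# leaf_dates FILE: the naive approach. "x509" decodes only the first
# certificate in FILE, so a multi-cert bundle yields one notBefore/notAfter pair.
leaf_dates() {
    openssl x509 -in "$1" -noout -dates
}

# chain_dates FILE: wrap every certificate in FILE in a PKCS#7 container, then
# print them all in -text form. X509_print labels the validity lines
# "Not Before:" / "Not After :", hence the grep pattern; "Subject:" is kept
# so each date pair is attributed to its certificate.
chain_dates() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout -text |
        grep -E 'Subject:|Not (Before|After)'
}

# Demo: build the constructed chain and compare the two approaches.
d=$(mktemp -d)
make_chain "$d"
echo "== openssl x509 -dates (first certificate only) =="
leaf_dates "$d/chain.pem"
echo "== crl2pkcs7 | pkcs7 -print_certs -text (every certificate) =="
chain_dates "$d/chain.pem"
rm -rf "$d"
```

Against a live server, replace the constructed file with `openssl s_client -showcerts -connect host:443 -servername host </dev/null 2>/dev/null`, as in the message above; feeding s_client from /dev/null makes it exit after the handshake instead of waiting for input, and discarding stderr keeps the verify-callback lines (such as the `notAfter=` line from an expired DST Root CA X3) from being mistaken for chain output. Note that this only reports certificates the server actually sent; a root or cross-sign that lives in the local trust store and is chosen by `-trusted_first` has to be inspected from that store.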