Introduction
In general, you need three different files for an SSL certificate: a private key for the server (.key or .pem), a certificate (.cer or .crt) that the server presents to clients during the TLS handshake, and the trust chain (.chain or .txt), a list of intermediate certificates, each signed by the next one, up to a root certificate installed on the client's computer.
The script given here checks that those three files are consistent with each other:
- the private key matches the certificate;
- the trust chain is valid, i.e. it leads from the certificate to a root the system already trusts.
How it works
To verify your domain example.com, you of course need the three files mentioned above:
- example.com.key: the private key
- example.com.cer: the certificate
- example.com.chain.txt: the trust chain (the intermediate certificates)
The script first checks that the private key and the certificate carry the same RSA modulus (openssl rsa / openssl x509 with the -modulus option), which proves they belong to the same key pair (this check only works for RSA keys; for EC keys compare the public keys instead). It then verifies the certificate chain with openssl verify, using the chain file as untrusted intermediates and the roots installed under /etc/ssl/certs as trust anchors.
The script
#!/bin/sh
DOMAIN="$1"
if [ -z "$DOMAIN" ]; then
    echo "Usage: $(basename "$0") domain" >&2
    echo "  Will check if \$domain.key, \$domain.cer and \$domain.chain.txt are correct" >&2
    exit 1
fi

# Check key and certificate modulus (RSA keys only; for EC keys compare
# "openssl pkey -pubout" with "openssl x509 -noout -pubkey" instead).
# Abort if openssl cannot read a file: otherwise both sides would be empty
# and compare as equal.
KEY_MOD=$(openssl rsa -noout -modulus -in "${DOMAIN}.key") || exit 2
CER_MOD=$(openssl x509 -noout -modulus -in "${DOMAIN}.cer") || exit 2
if [ -z "${KEY_MOD}" ] || [ "${KEY_MOD}" != "${CER_MOD}" ]; then
    echo "Error: key does not match certificate" >&2
    exit 2
fi

# Check the certificate chain. The chain file holds the intermediates, so it
# is passed with -untrusted; the trust anchors are the roots installed under
# /etc/ssl/certs. Passing the chain with -CAfile would make every certificate
# in it (a bundled root included) a trust anchor, which defeats the check.
VERIFY_OUT=$(openssl verify -CApath /etc/ssl/certs -untrusted "${DOMAIN}.chain.txt" "${DOMAIN}.cer" 2>&1)
# Look for the "<file>: OK" line rather than the exit status: older OpenSSL
# releases exited 0 even when verification failed.
if ! printf '%s\n' "${VERIFY_OUT}" | grep -qxF "${DOMAIN}.cer: OK"; then
    printf '%s\n' "${VERIFY_OUT}" >&2
    echo "Error while verifying certificate chain" >&2
    exit 3
fi
echo "Success"
exit 0