Is there a way to check if the SSL digital certificate is valid without installing on the web server?

Question

Are there any tools or mechanism(s) which can help validate a CA issued SSL certificate before installing it on the target web server?

Answer 1

Yes, you can use openssl to create a test server for your certificate with the s_server command. This creates a minimal SSL/TLS server that responds to HTTP requests on port 8080:

openssl s_server -accept 8080 -www -cert yourcert.pem -key yourcert.key -CAfile chain.pem

yourcert.pem is the X.509 certificate, yourcert.key is your private key and chain.pem contains the chain of trust between your certificate and a root certificate. Your CA should have given you yourcert.pem and chain.pem.

Then use openssl's s_client to make a connection:

openssl s_client -connect localhost:8080 -showcerts -CAfile rootca.pem

or on Linux:

openssl s_client -connect localhost:8080 -showcerts -CApath /etc/ssl/certs

Caution: That command doesn't verify that the host name matches the CN (common name) or SAN (subjectAltName) of your certificate. OpenSSL doesn't have a routine for the task yet. It's going to be added in OpenSSL 1.1.

Answer 2

The best and easiest way to validate the SSL issued by your CA is to decode it.

Here is a helpful link the will help you do that: http://www.sslshopper.com/csr-decoder.html

Hope this helps!