Secure Sockets Layer (SSL)
Certificates
Read the certificate chain a server presents:
openssl s_client -showcerts -servername www.google.com -connect www.google.com:443 </dev/null
-servername sends the SNI name so a host serving several sites returns the right certificate,
and -showcerts prints every certificate in the chain, not just the leaf. Pipe the s_client
output through openssl x509 -noout -subject -issuer -dates to read just the subject,
issuer and validity window.
Generate a self-signed certificate and its key in one command (handy for local testing):
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN=example.local"
-nodes leaves the key unencrypted (no passphrase prompt), -subj fills the subject
non-interactively, and -days sets the validity. Inspect the result with
openssl x509 -in cert.pem -noout -subject -dates.
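The generate-then-inspect steps above as a small script of checks. This is an added example, not part of the original notes. The function names are hypothetical, and it goes one step beyond the command above by adding a subjectAltName with -addext, because modern TLS clients match the hostname against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example: create a throwaway self-signed certificate, then check it.
# Function names are hypothetical; example.local is a constructed hostname.

make_selfsigned() {   # $1 = output directory, $2 = hostname
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$1/key.pem" -out "$1/cert.pem" -days 365 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# A key and a certificate belong together when their public keys are identical.
key_matches_cert() {  # $1 = key file, $2 = certificate file
    k=$(openssl pkey -in "$1" -pubout | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Self-signed: subject equals issuer and the signature verifies against itself.
is_self_signed() {    # $1 = certificate file
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$s" = "$i" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# The hostname must appear as a DNS entry in the subjectAltName extension.
has_san() {           # $1 = certificate file, $2 = hostname
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        grep -qF "DNS:$2"
}

# -checkend N exits 0 only if the certificate is still valid N seconds from now.
valid_for_days() {    # $1 = certificate file, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo run in a scratch directory so nothing is left behind.
tmp=$(mktemp -d)
make_selfsigned "$tmp" example.local &&
    key_matches_cert "$tmp/key.pem" "$tmp/cert.pem" &&
    is_self_signed "$tmp/cert.pem" &&
    has_san "$tmp/cert.pem" example.local &&
    valid_for_days "$tmp/cert.pem" 30 &&
    echo "cert.pem: key matches, self-signed, SAN present, valid 30+ days"
rm -rf "$tmp"
```

The same key_matches_cert and valid_for_days checks apply unchanged to a CA-issued certificate before it is deployed.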
For a full certificate authority setup (root CA, intermediate, signing), see the OpenSSL documentation.
Verified on OpenSSL 3.x: the s_client chain read, the self-signed generation, and the x509
inspection all run as shown.