Certificates

Verify site certificates

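 # s_client carries on with the handshake even when the chain does not verify,
 # and it does not compare the certificate with the host name unless asked to.
 # -verify_return_error aborts on a verification failure and -verify_hostname
 # adds the name check. Still read the "Verify return code" line in the output.
 # </dev/null closes stdin so the command returns once the handshake is done.
 openssl s_client -showcerts -connect server1.domainxy.com:443 \
   -servername server1.domainxy.com \
   -verify_return_error -verify_hostname server1.domainxy.com </dev/null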

Verify site certificates - using a CA truststore

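 # Verify the presented chain against CA.pem. s_client carries on with the
 # handshake even when verification fails and does not check the host name by
 # default, so -verify_return_error and -verify_hostname are added to turn a
 # failure into an aborted connection. Still read the "Verify return code" line.
 # </dev/null closes stdin so the command returns once the handshake is done.
 openssl s_client -showcerts -connect server1.domainxy.com:443 \
   -servername server1.domainxy.com -CAfile CA.pem \
   -verify_return_error -verify_hostname server1.domainxy.com </dev/null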

Get site certificates

 # Print the chain the server presents: every PEM block plus the lines that
 # contain "s:" or "i:" (the subject and issuer lines of the chain listing).
 # s_client does not abort on a verification failure and stderr is discarded
 # here, so treat the output as untrusted until a fingerprint has been checked
 # out of band.
 printf '\n' \
   | openssl s_client -connect services.gradle.org:443 -showcerts 2>/dev/null \
   | sed -n '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/p; /i:/p; /s:/p'

Split site certificates to pem files by certificate

 # Fetch the chain the server presents and write one file per certificate into
 # the current directory: cert.pem for the first (n is still empty), then
 # cert1.pem, cert2.pem, ... Existing files with those names are overwritten.
 # The "s:" / "i:" lines kept by sed end up in the files ahead of the PEM block.
 # The chain is whatever the server sent; s_client does not abort on a
 # verification failure and stderr is discarded, so check fingerprints out of
 # band before trusting any of these files.
 printf '\n' \
   | openssl s_client -connect services.gradle.org:443 -showcerts 2>/dev/null \
   | sed -n '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/p; /i:/p; /s:/p' \
   | awk '
       # the line after an END marker starts the next output file
       split_after == 1 { n++; split_after = 0 }
       /-----END CERTIFICATE-----/ { split_after = 1 }
       length($0) > 0 { print > "cert" n ".pem" }
     '

Rename pem files to the certificate common name

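# Rename each PEM file after the subject CN of the certificate it holds.
# The CN is text chosen by whoever issued the certificate, so it is handled as
# untrusted input: every expansion is quoted, "--" stops a name such as "-f"
# from being read as an mv option, and a file with no usable CN (wildcard CNs
# included) or whose target already exists is skipped rather than moved onto
# ".pem" or over another certificate.
for cert in *.pem; do
  [ -e "$cert" ] || continue   # the glob matched nothing
  # Older OpenSSL prints ".../CN=name", newer releases "CN = name"; accept both.
  cn=$(openssl x509 -noout -subject -in "$cert" \
    | grep -Po 'CN ?= ?\K[a-zA-Z0-9_.-]+' | head -n 1)
  if [ -z "$cn" ]; then
    printf 'skipping %s: no usable CN in subject\n' "$cert" >&2
    continue
  fi
  newname="$cn.pem"
  if [ -e "$newname" ]; then
    printf 'skipping %s: %s already exists\n' "$cert" "$newname" >&2
    continue
  fi
  mv -- "$cert" "$newname"
done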

Import pem to java cacert keystore in Windows

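rem Adds the certificate to the JDK-wide cacerts store, so every Java program
rem that uses this JRE will trust it. Compare the fingerprint keytool prints
rem with a value obtained out of band before answering yes, and do not add
rem -noprompt, which skips that confirmation.
rem changeit is the stock cacerts password. If yours was changed, drop
rem -storepass so keytool prompts for it instead of keeping it in the command history.
rem The second -import of the original command was redundant and is removed.
keytool -import -trustcacerts -keystore c:\bin\Java\jdk1.8.0_102\jre\lib\security\cacerts -storepass changeit -alias <cert-alias> -file <pem-file-name>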

List all installed CA certs

# Print the subject of every certificate in the system CA bundle.
# awk pipes each line into an openssl process and closes that pipe whenever a
# line containing "BEGIN" arrives, so each certificate is handed to its own
# x509 invocation.
awk -v cmd='openssl x509 -noout -subject' '
  /BEGIN/ { close(cmd) }
  { print | cmd }
' /etc/ssl/certs/ca-certificates.crt

Apply CA to curl

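# CURL_CA_BUNDLE makes curl use this file as its CA bundle in place of the
# default one. A relative path would be looked up again from whatever
# directory curl is later started in, so pin it to an absolute path now.
CURL_CA_BUNDLE="$(cd .. && pwd)/CA.pem"
export CURL_CA_BUNDLE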

Add a CA to the system trusted CAs

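# Every file copied here becomes a system-wide trust anchor, so make sure the
# directory holds only the CA certificate(s) you mean to trust - not the leaf
# or intermediate certificates saved from a server. "--" and "./" keep a file
# name that starts with "-" from being parsed as a cp option.
sudo cp -- ./*.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
# useful when docker is installed
sudo systemctl restart docker
# a daemon-reload may also be required
sudo systemctl daemon-reload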