MoonPoint Support Logo


Shop Amazon Warehouse Deals - Deep Discounts on Open-box and Used ProductsAmazon Warehouse Deals

Advanced Search
Sun Mon Tue Wed Thu Fri Sat
16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31      
JanFeb Mar
Apr May Jun
Jul Aug Sep
Oct Nov Dec

Sun, Mar 12, 2017 10:57 pm

Let's Encrypt certificate expired

A couple of days ago, a user showed me a message she saw on her system about a security certificate issue. When I looked at the message, I realized it was due to the expiration of the Let's Encrypt certificate on the email server used by her system. I logged into that system and queried the server with the openssl command to check the expiration date. I saw it had expired that day, March 10.

# echo "quit" | openssl s_client -connect -quiet
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN =
verify error:num=10:certificate has expired
notAfter=Mar 10 19:53:00 2017 GMT
verify return:1
depth=0 CN =
notAfter=Mar 10 19:53:00 2017 GMT
verify return:1
+OK Dovecot ready.

From the root account, I renewed the certificate using the command letsencrypt renew.

[ More Info ]

[/security/encryption/openssl] permanent link

Mon, Jan 30, 2017 10:49 pm

Checking a website's security certificate with OpenSSL

You can use OpenSSL, which is commonly installed on Mac OS X and Linux systems and which is also available for other operating systems (the source code can be downloaded from OpenSSL Downloads and a Windows implementation is available at OpenSSL for Windows), to check the security certificate of a website using an openssl command in the form openssl s_client -showcerts -connect fqdn:port where fqdn is the fully qualified domain name (FQDN) of the website and port is the port that the website is listening on for HTTPS connections, which is usually well-known port 443, though it may sometimes be another port, such as the registered port 8443. The showcerts option instructs openssl to show all certificates in the public key certificate chain.

[ More Info ]

[/security/encryption/openssl] permanent link

Wed, Jan 25, 2017 11:08 pm

Extracting information from a pem file

The X.509 standard is used to manage digital certificates used for public key encryption. One of the filename extensions used for X.509 certificates is .pem, which stands for "Privacy Enhanced Mail". These certificates are Base64 encoded DER certificates. If you have a .pem certificate and want to view information about the contents of the certificate, you can do so with OpenSSL software, which is commonly found on Linux and Mac OS X systems, but is available for other operating systems as well. If you just want to view the expiration date for a certificate you can use an openssl command like the one below:

$ openssl x509 -enddate -noout -in cacert.pem
notAfter=Aug 13 23:59:00 2018 GMT

[ More Info ]

[/security/encryption/openssl] permanent link

Sun, Sep 11, 2016 5:05 pm

Let's Encrypt certificate for email server expired

A user sent me a screen shot she took with her phone of a message she saw while checking her email with Microsoft Outlook 2016 which stated:

Internet Security Warning

The server you are connected to is using asecurity certificate
that cannot be verified.

A required certificate is not within its validity period when
verifying against the current system clock or the timestamp in
the signed file.

Do you want to continue using this server?


[ More Info ]

[/security/encryption/openssl] permanent link

Mon, Jun 13, 2016 10:37 pm

Using OpenSSL to verify a security certificate for an email server

You can use an OpenSSL s_client -connect command to check a certificate on a remote server by specifying the remote system in the form x.x.x.x:port where x.x.x.x is the IP address of the remote system and port is the relevant port or you can use the fully qualified domain name (FQDN) in place of the IP address. E.g., I used the command below to check the status of a certificate I obtained from Let's Encrypt, a "certificate authority that launched on April 12, 2016 that provides free X.509 certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites." The server I checked functions as a POP3S server using port 995, so that was the port I specified.

[ More Info ]

[/security/encryption/openssl] permanent link

Sun, Oct 13, 2013 10:10 pm

Verifying an SSL Certificate

If you have an SSL certificate on a Linux or Unix system, you can check it using the openssl command with openssl verify /path_to_certificate/certificate, e.g., as below:
# openssl verify /etc/ssl/certs/example.crt
/etc/ssl/certs/example.crt: /C=US/
error 18 at 0 depth lookup:self signed certificate

In the case above, the country specified with the domain is the United States as shown by /C=US and the common name specified for the domain when the certificate was created and for which the certificate should be valid is as shown by /

The certificate is self-signed, which results in the error 18 message.

The dates for which the certificate is valid can be specified with openssl x509 -in /path_to_certificate/certificate -text | grep Not as shown below:

# openssl x509 -in /etc/ssl/certs/example.crt -text | grep Not
            Not Before: Oct 11 21:06:30 2013 GMT
            Not After : Oct 11 21:06:30 2014 GMT

In the case above, the certificate is valid from October 11, 2013 through October 11, 2014. After October 11, 2014, anyone visiting the website for which the certificate was used for HTTPS connections will be warned by his/her browser that there is a problem with the certificate because it will have expired.

X.509 specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.


  1. OpenSSL: The Open Source toolkit for SSL/TLS
  2. Troubleshooting with openssl
    Date: February 11, 2010
    MoonPoint Support

[/security/encryption/openssl] permanent link

Fri, Feb 12, 2010 3:57 pm

Using OpenSSL to calculate Message Digest

The md5sum command can be used to calculate an MD5 message digest (MD5 is an abbreviation for "Message-Digest algorithm 5"), which is a cryptographic hash function. The md5sum program is commonly found on Linux systems and programs which the provide the same functionality are also available for Microsoft Windows systems, e.g. digestIT 2004. But, if such a program isn't present on a system, e.g. an OS X system, but OpenSSL is present, you can use the openssl command to obtain message digests, which can allow you to verify that a file, such as an executable file, was not changed since it was released by the originator.

If you issue the command openssl dgst filename, openssl will, by default, provide the MD5 checksum for the file. You can also use other cryptographic hash functions, such as SHA, SHA1, MD2, or you can specify MD5.

$ openssl dgst
MD5( 796faa884fb0125eda60cd5e8aa8daa1
$ openssl md5
MD5( 796faa884fb0125eda60cd5e8aa8daa1
$ openssl sha1
SHA1( 3070ac89b7a4327e217045b1cac790c1dc048d8f
$ openssl sha
SHA( 021e35f63c55e22355bea99f73df885659a46d15
$ openssl md2
MD2( 47bd3f0cc33710997f2fe57b1f7cc2c5

The available message digest options include the following:


       md2       MD2 Digest

       md5       MD5 Digest

       mdc2      MDC2 Digest

       rmd160    RMD-160 Digest

       sha       SHA Digest

       sha1      SHA-1 Digest

       sha224    SHA-224 Digest

       sha256    SHA-256 Digest

       sha384    SHA-384 Digest

       sha512    SHA-512 Digest

[/security/encryption/openssl] permanent link

Thu, Feb 11, 2010 6:02 pm

Troubleshooting with openssl

You can use the command openssl s_client -connect command, where is the IP address of the server and yyyyy is the port number on the server used for HTTPS. The port is usually 443, but does not have to be that port. You can, of course, also use a fully qualified domain name (FQDN), such as, instead of an IP address.

By using the command, one can determine if a system is responding correctly using the HTTPS protocol. E.g. below is an example of a query issued against

$ openssl s_client -connect
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at (c)09/CN=VeriSign Class 3 Secure Server CA - G2
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=Information Systems/
verify return:1
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=Information Systems/
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at (c)09/CN=VeriSign Class 3 Secure Server CA - G2
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at (c)09/CN=VeriSign Class 3 Secure Server CA - G2
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
Server certificate
subject=/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=Information Systems/
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at (c)09/CN=VeriSign Class 3 Secure Server CA - G2
No client certificate CA names sent
SSL handshake has read 3029 bytes and written 308 bytes
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: E24FE41E08BCBB5246EE5EAC08E7E4ACBB4708F0CD0089E9EF602E4F3C435922
    Master-Key: FFF8BF97F79796457EE44860212C5F887FFE8F62F4A6FC908DB1A382489BE5C2963C2D5F84BC526911FA5EB096634603
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1262641575
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

You can check the expiration date of an SSL certificate by first retrieving the certificate using commands such as in the first line below. You can then check the expiration date with a command such as the one on the next line, which shows that the current certificate for PayPal expires at midnight Greenwich Mean Time (GMT) on June 11, 2010.

$ echo "" | openssl s_client -connect > certificate
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Net
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at (c)09/CN=VeriSign Class 3 Secure Server CA - G2
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=Information Systems/
verify return:1
$ openssl x509 -in certificate -noout -enddate
notAfter=Jun 11 23:59:59 2010 GMT

Another example below shows the results returned for a self-signed certificate:

# echo "" | /usr/local/ssl/bin/openssl s_client -connect > certi
depth=0 /C=EU/ST=SomeState/L=SomeCity/O=SomeOranization/OU=SomeOrganizationUnit/
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=EU/ST=SomeState/L=SomeCity/O=SomeOranization/OU=SomeOrganizationUnit/
verify return:1
# /usr/local/ssl/bin/openssl x509 -in certificate -noout -enddate
notAfter=Feb 12 11:44:04 2018 GMT


  1. OpenSSL: Documents, s_client(1)
    OpenSSL: The Open Source toolkit for SLS/TLS
  2. When does my certificate expire? -- Linux, Solaris, and general UNIX notes.

[/security/encryption/openssl] permanent link

Once You Know, You Newegg AliExpress by

Shop Amazon Local - Subscribe to Deals in Your Neighborhood

Valid HTML 4.01 Transitional

Privacy Policy   Contact

Blosxom logo