问题
Are there any tools or mechanism(s) which can help validate a CA issued SSL certificate before installing it on the target web server?
回答1:
Yes, you can use openssl to create a test server for your certificate with the s_server command. This creates a minimal SSL/TLS server that responds to HTTP requests on port 8080:
openssl s_server -accept 8080 -www -cert yourcert.pem -key yourcert.key -CAfile chain.pem
yourcert.pem is the X.509 certificate, yourcert.key is your private key and chain.pem contains the chain of trust between your certificate and a root certificate. Your CA should have given you yourcert.pem and chain.pem.
Then use openssl's s_client to make a connection:
openssl s_client -connect localhost:8080 -showcerts -CAfile rootca.pem
or on Linux:
openssl s_client -connect localhost:8080 -showcerts -CApath /etc/ssl/certs
Caution: That command doesn't verify that the host name matches the CN (common name) or SAN (subjectAltName) of your certificate. OpenSSL doesn't have a routine for the task yet. It's going to be added in OpenSSL 1.1.
回答2:
The best and easiest way to validate the SSL issued by your CA is to decode it.
Here is a helpful link the will help you do that: http://www.sslshopper.com/csr-decoder.html
Hope this helps!
来源:https://stackoverflow.com/questions/19089644/is-there-a-way-to-check-if-the-ssl-digital-certificate-is-valid-without-installi