You can examine the certificate with OpenSSL to check that it conforms:
openssl s_client -connect server_name[:port] </dev/null
- server_name: the directory server DNS name.
- port: [Optional] the port on which SSL listens.
This command produces output similar to the following example.
dlopldap:/etc/openldap/ssl/certs # openssl s_client -connect localhost:636 </dev/null
CONNECTED(00000003)
depth=0 /C=US/CN=dlopldap.tlr.example.com/emailAddress=dxr765@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/CN=dlopldap.tlr.example.com/emailAddress=dxr765@example.com
verify return:1
---
Certificate chain
 0 s:/C=US/CN=dlopldap.tlr.example.com/emailAddress=dxr765@example.com
   i:/C=US/CN=dlopldap.tlr.example.com/emailAddress=dxr765@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC5DCCAk2gAwIBAgIJAMvJ4ZlaGSiNMA0GCSqGSIb3DQEBBQUAMFYxCzAJBgNV
BAYTAlVTMSEwHwYDVQQDExhkbG9wbGRhcC50ZC50ZXJhZGF0YS5jb20xJDAiBgkq
hkiG9w0BCQEWFWRsMTYwMDEwQHRlcmFkYXRhLmNvbTAeFw0wODA1MTQxOTA4NDJa
Fw0wOTA1MTQxOTA4NDJaMFYxCzAJBgNVBAYTAlVTMSEwHwYDVQQDExhkbG9wbGRh
cC50ZC50ZXJhZGF0YS5jb20xJDAiBgkqhkiG9w0BCQEWFWRsMTYwMDEwQHRlcmFk
YXRhLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0QT6CP33QKHsxUWq
jetyHWFtS2rnLPmpDK/tKj+O5Crv0pMlIXertRHy68swSBLm0w//xiVywwQkuA2w
se8Q80lQlBUJkfl9etuNZCrMqjusL3fvSaQlpOpLZLFdICuN+xxuGCqOKuARyI5d
1UkWcQ6r9hlPCGHxXrKlgHRYRIcCAwEAAaOBuTCBtjAdBgNVHQ4EFgQUamJoMI9/
TTS59BUTF1EWoEseNAwwgYYGA1UdIwR/MH2AFGpiaDCPf000ufQVExdRFqBLHjQM
oVqkWDBWMQswCQYDVQQGEwJVUzEhMB8GA1UEAxMYZGxvcGxkYXAudGQudGVyYWRh
dGEuY29tMSQwIgYJKoZIhvcNAQkBFhVkbDE2MDAxMEB0ZXJhZGF0YS5jb22CCQDL
yeGZWhkojTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAIUbbcrUG3Y0
VXdhAjlAKq95qryTeHE1wiDBmEe1UIC5KyyarGW9tA/sxaJ+9X/zrAwP1ymLn5n9
kIJt3gH7HjjrG1qzC7jRVoI0Yl/z+7QUKejGp0ph1gVl4VwFoRzxv+I2vIUuzyF3
dabR1Q0+lqgc1CHC001VEHEAK8v9k6q1
-----END CERTIFICATE-----
subject=/C=US/CN=dlopldap.tlr.example.com/emailAddress=dxr765@example.com
issuer=/C=US/CN=dlopldap.tlr.example.com/emailAddress=dxr765@example.com
---
No client certificate CA names sent
---
SSL handshake has read 906 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 1AC1C0A2959387177910D40DBC9EC81887C4A233D907F31BB8BA7EFA7E7E76D3
    Session-ID-ctx:
    Master-Key: 7C6DE241910B1820882D0833976FE4BF4704F163905C7540569C07D5708218A00C542D1E6846DB65E2DE04FD6F0CEC1A
    Key-Arg   : None
    Start Time: 1210794467
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
DONE
Explanation of the output:
- The example shows one certificate and includes the surrounding text.
- The output always shows the certificates offered by the directory server between the BEGIN CERTIFICATE and END CERTIFICATE lines. A directory server may offer more than one certificate, but only the first certificate matters to the SSL or TLS configuration.
- Immediately following the END CERTIFICATE line are two lines describing the issuer and the subject:
- The issuer is the identity of the certificate that was used to sign this certificate.
- The subject is the identity of the certificate itself, for example:
/C=US/CN=dlopldap.tlr.example.com/emailAddress=dxr765@example.com
The CN attribute, here with the value dlopldap.tlr.example.com, identifies the certificate being verified.
- When the issuer and subject of a certificate are the same, as in this example, the certificate is self-signed.
- The list of certificates offered by the directory server is called the certificate chain.
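As an added example (not part of the original documentation), the checks the explanation above walks through, applied in Python to a constructed s_client capture: it pulls out the server certificate, subject, issuer, chain length and verify return code, and flags a self-signed certificate or a CN that does not match the expected host. The expected host name is an assumption and the PEM body is a placeholder.

```python
import re

# Constructed sample of `openssl s_client` output (not the page's capture);
# the PEM body is a placeholder, only the surrounding text is parsed.
SAMPLE_OUTPUT = """CONNECTED(00000003)
depth=0 /C=US/CN=dlopldap.tlr.example.com/emailAddress=dxr765@example.com
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:/C=US/CN=dlopldap.tlr.example.com/emailAddress=dxr765@example.com
   i:/C=US/CN=dlopldap.tlr.example.com/emailAddress=dxr765@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
PLACEHOLDERBASE64
-----END CERTIFICATE-----
subject=/C=US/CN=dlopldap.tlr.example.com/emailAddress=dxr765@example.com
issuer=/C=US/CN=dlopldap.tlr.example.com/emailAddress=dxr765@example.com
---
    Verify return code: 18 (self signed certificate)
---
DONE
"""

def parse_s_client(output):
    """Extract the fields the explanation above refers to from s_client text."""
    pem = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", output, re.S)
    subject = re.search(r"^subject=(.*)$", output, re.M)
    issuer = re.search(r"^issuer=(.*)$", output, re.M)
    code = re.search(r"Verify return code: (\d+) \((.*)\)", output)
    chain = re.findall(r"^[ \t]*\d+ s:", output, re.M)  # one line per chain entry
    cn = re.search(r"/CN=([^/]+)", subject.group(1)) if subject else None
    return {
        "pem": pem.group(0) if pem else None,
        "subject": subject.group(1).strip() if subject else None,
        "issuer": issuer.group(1).strip() if issuer else None,
        "cn": cn.group(1) if cn else None,
        "chain_length": len(chain),
        "verify_code": int(code.group(1)) if code else None,
        "verify_text": code.group(2) if code else None,
    }

def check_certificate(output, expected_host):
    """Return (parsed fields, list of findings) for the directory server's certificate."""
    info = parse_s_client(output)
    findings = []
    if info["pem"] is None:
        findings.append("no server certificate in output")
    if info["subject"] and info["subject"] == info["issuer"]:
        findings.append("self-signed (issuer equals subject)")
    if info["cn"] != expected_host:
        findings.append(f"CN {info['cn']!r} does not match {expected_host!r}")
    if info["verify_code"] not in (None, 0):
        findings.append(f"verify return code {info['verify_code']}: {info['verify_text']}")
    return info, findings
```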