How do you verify a certificate of a given mail server?

Check the IMAPS service:

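# HOST and PORT are placeholders for the mail server and its IMAPS port (normally 993)
echo | openssl s_client -connect "$HOST:$PORT" 2>&1 | \
sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | \
openssl x509 -text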


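Check the SMTP service (STARTTLS):

# HOST and PORT are placeholders for the mail server and its SMTP port
echo | openssl s_client -connect "$HOST:$PORT" -starttls smtp 2>&1 | \
sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | \
openssl x509 -text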

You'll also see when the cert was issued as well as the expiration date. That's quite useful if you just replaced your cert and want to verify if the new one loads as desired.

Create a new private key:

# KEY is a placeholder for the private key file to write
openssl genrsa -aes128 -out "$KEY" 2048

Create a CSR with SHA-2:

# KEY and CSR are placeholders for the private key file and the CSR file to write
openssl req -new -sha256 -key "$KEY" -out "$CSR"

View a CSR:

# CSR is a placeholder for the CSR file to inspect
openssl req -in "$CSR" -text -verify -noout

Show Cert:

# CERT is a placeholder for the certificate file to display
openssl x509 -text -in "$CERT" -noout

Show Fingerprint:

# CERT is a placeholder for the certificate file to fingerprint
openssl x509 -noout -in "$CERT" -fingerprint -sha1

Bundle Intermediate with Cert
With some services, e.g. Postfix, it is required to establish a trust chain with intermediate certificates. That's easy to accomplish: just cat (i.e. concatenate) the certs together, with yours at the top, then the intermediate, and the root at the bottom.

Here is an example with StartSSL's Class 1 Certs (which are free):

# your cert:
# intermediate class 1, sha256
# root ca, sha256
# concatenate (chain) the certs:
cat >>
cat ca-sha2.pem >>
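
To confirm that a bundle was concatenated in the order described above (yours on top, then intermediate, root at the bottom), the following added example, which is not part of the original page, compares each certificate's issuer with the subject of the certificate that follows it. The function names, file names and the throwaway demo CA are made up for the illustration; only names are compared, signatures are not verified.

```shell
# Added example; function names, file names and the demo CA are made up.

# chain_order_ok BUNDLE: exit 0 if each certificate in BUNDLE is followed by
# its issuer's certificate (yours on top, root at the bottom), 1 otherwise.
# Only issuer/subject names are compared; signatures are not verified.
chain_order_ok() {
  dir=$(mktemp -d) || return 2
  # Split the bundle into c1.pem, c2.pem, ... and count the certificates.
  n=$(awk -v d="$dir" '/-BEGIN CERTIFICATE-/ { n++ }
        n { print > (d "/c" n ".pem") }
        END { print n + 0 }' "$1")
  i=1; rc=0
  [ "$n" -ge 1 ] || rc=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -noout -issuer -in "$dir/c$i.pem" | sed 's/^issuer= *//')
    subject=$(openssl x509 -noout -subject -in "$dir/c$((i + 1)).pem" | sed 's/^subject= *//')
    [ "$issuer" = "$subject" ] || { rc=1; break; }
    i=$((i + 1))
  done
  rm -rf "$dir"
  return "$rc"
}

# issue DIR NAME CN CA: constructed demo certificate NAME.pem signed by CA.pem.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -days 1 -set_serial 1 -in "$1/$2.csr" \
    -CA "$1/$4.pem" -CAkey "$1/$4.key" -out "$1/$2.pem" 2>/dev/null
}

# make_demo_certs DIR: throwaway root, intermediate and leaf (sample input).
make_demo_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
  issue "$1" intermediate "Demo Intermediate" root &&
  issue "$1" leaf "mail.example.test" intermediate
}

demo() {
  w=$(mktemp -d) || return 2
  make_demo_certs "$w" || { rm -rf "$w"; return 2; }
  cat "$w/leaf.pem" "$w/intermediate.pem" "$w/root.pem" > "$w/good.pem"
  cat "$w/leaf.pem" "$w/root.pem" "$w/intermediate.pem" > "$w/bad.pem"
  chain_order_ok "$w/good.pem" && echo "good.pem: order ok"
  chain_order_ok "$w/bad.pem" || echo "bad.pem: wrong order"
  rm -rf "$w"
}
demo
```
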
networking/openssl.txt · Last modified: 2015-12 by tb