Verify: SSL Certificate Under OpenSSL

You can verify an SSL certificate using the OpenSSL command-line tool. Here’s an example of how you can verify a certificate:

openssl s_client -connect yourdomain.com:443

This will establish a connection to the domain yourdomain.com on port 443 (which is the default port for HTTPS) and display information about the SSL certificate that the server presents, including the subject, issuer, and expiration date.

If the certificate is valid and trusted, you should see output similar to the following:

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 CN = yourdomain.com
verify return:1
---
Certificate chain
0 s:/CN=yourdomain.com
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=yourdomain.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3244 bytes and written 442 bytes
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: ...
Session-ID-ctx:
Master-Key: ...
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
...
Start Time: 1614047142
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---

If the certificate is not valid or not trusted, you will see an error message indicating the problem. For example:

depth=0 CN = yourdomain.com
verify error:num=20:unable to get local issuer certificate
verify return:0

In this case, the certificate cannot be verified because the local system doesn’t have the certificate of the CA that issued it: error 20 means OpenSSL could not find the issuer in its local trust store. That issuer is either a root certificate missing from the system store, or an intermediate CA certificate that the server failed to send in its chain (the most common cause in practice, and one that browsers often mask by fetching the intermediate themselves). Install the missing root certificate locally, or have the server send the full chain, and the certificate will verify.
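The output above is meant for a person to read; for a cron job, a CI step or a monitoring script you want the verdict as an exit status. The following shell script is an added example, not from the original post: it extracts the "Verify return code" line that s_client prints, exposes it as a pass/fail result, and logs the "verify error" reason when verification fails. The function names (verify_status, verify_reason, check_tls, status_of) are assumptions chosen for this example; the sample outputs are constructed from the shapes shown above so the parser can be exercised offline, and check_tls is the only function that actually opens a connection.

```shell
#!/bin/sh
# Added example (not part of the original post): turn human-readable
# "openssl s_client" output into a pass/fail check for scripts.

# Read s_client output on stdin, print the numeric "Verify return code"
# (0 = ok) and return success only when it is 0.
verify_status() {
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$code" ] || code=255    # no verify line at all (handshake failed): treat as failure
    printf '%s\n' "$code"
    [ "$code" -eq 0 ]
}

# Print the first "verify error" line so the reason is logged, not just the code.
verify_reason() {
    sed -n 's/^verify error:\(.*\)/\1/p' | head -n 1
}

# Connect to a real host. -servername sends SNI so virtual-hosted servers
# present the right certificate; </dev/null closes the session after the
# handshake instead of waiting for keyboard input.
check_tls() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null | verify_status
}

# Constructed sample outputs (trimmed) mirroring the success and error cases
# shown above, used here instead of a live connection.
OK_OUTPUT='CONNECTED(00000003)
depth=0 CN = yourdomain.com
verify return:1
---
    Verify return code: 0 (ok)
---'

BAD_OUTPUT='CONNECTED(00000003)
depth=0 CN = yourdomain.com
verify error:num=20:unable to get local issuer certificate
verify return:0
---
    Verify return code: 20 (unable to get local issuer certificate)
---'

# Helper: run verify_status over a captured string and print only the code.
status_of() {
    printf '%s\n' "$1" | verify_status || true
}

# Stand-alone demonstration on the constructed samples.
echo "ok sample -> code $(status_of "$OK_OUTPUT")"
echo "bad sample -> code $(status_of "$BAD_OUTPUT"), reason: $(printf '%s\n' "$BAD_OUTPUT" | verify_reason)"
```

In a real check, replace the samples with `check_tls yourdomain.com` and act on its exit status; a non-zero code of 255 distinguishes "no handshake at all" from a certificate that was presented but failed verification.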
