Linux Survival Basics
Read-only, sensitive outputRead TLS Certificate Subject and Issuer
You need the served certificate subject, issuer, and expiry before changing Nginx or Certbot config.
Command
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
Before you run this
System impact: Read-only. Output may expose users, paths, tokens, keys, IPs, process arguments, or log details.
When not to use it: Do not paste certificate diagnostics publicly without redacting internal hostnames.
Expected output
Subject, issuer, notBefore, and notAfter fields for the certificate served by the endpoint.
System impact
Read-only, sensitive output. Nothing changes. The command reads current state and prints diagnostic evidence.
Recovery / rollback: no state is changed.
When to use it
Use when a browser reports a certificate name, issuer, or expiry mismatch.
When not to use it
Do not paste certificate diagnostics publicly without redacting internal hostnames.
Common misread
Do not paste certificate diagnostics publicly without redacting internal hostnames.
Example run
Commands shown
These are the commands shown for inspection. Treat them as an example, not proof that your system will behave identically.
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -datesopenssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
next steps
Related commands
Show Served Certificate SANs
SANs decide which hostnames the certificate covers.
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName
Show TLS Certificate Dates
The outage was not the web server. The edge certificate had expired.
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
Check the Certificate Served for SNI
The IP was right. The SNI name selected the wrong certificate.
openssl s_client -connect example.com:443 -servername www.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
Show TLS Certificate Names
The cert was valid, but not for this hostname.
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
Show TLS Protocol and Cipher
The certificate was fine. The TLS negotiation told the rest of the story.
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | awk '/Protocol|Cipher|Verify return code/ {print}'
next diagnostic step
Where to go from this command
- Related problem hub Use this command as part of the repair path.
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.