Back to commands

Linux Survival Basics

Read-only, sensitive output

Read TLS Certificate Subject and Issuer

You need the served certificate subject, issuer, and expiry before changing Nginx or Certbot config.

Command

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates

Before you run this

System impact: Read-only. Output may expose users, paths, tokens, keys, IPs, process arguments, or log details.

When not to use it: Do not paste certificate diagnostics publicly without redacting internal hostnames.

Expected output

Subject, issuer, notBefore, and notAfter fields for the certificate served by the endpoint.

System impact

Read-only, sensitive output. Nothing changes. The command reads current state and prints diagnostic evidence.

Recovery / rollback: no state is changed.

When to use it

Use when a browser reports a certificate name, issuer, or expiry mismatch.

When not to use it

Do not paste certificate diagnostics publicly without redacting internal hostnames.

Common misread

Do not paste certificate diagnostics publicly without redacting internal hostnames.

Example run

Commands shown

These are the commands shown for inspection. Treat them as an example, not proof that your system will behave identically.

  1. openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
  2. openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates

next steps

Related commands

Linux Survival Basics Sensitive output

Show Served Certificate SANs

SANs decide which hostnames the certificate covers.

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName
Web Server Rescue Sensitive output

Show TLS Certificate Dates

The outage was not the web server. The edge certificate had expired.

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
Web Server Rescue Sensitive output

Check the Certificate Served for SNI

The IP was right. The SNI name selected the wrong certificate.

openssl s_client -connect example.com:443 -servername www.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
Web Server Rescue Sensitive output

Show TLS Certificate Names

The cert was valid, but not for this hostname.

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
Web Server Rescue Sensitive output

Show TLS Protocol and Cipher

The certificate was fine. The TLS negotiation told the rest of the story.

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | awk '/Protocol|Cipher|Verify return code/ {print}'

next diagnostic step

Where to go from this command

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • LPIC-1 style command-line practice
  • LFCS style performance-task practice
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.