Linux Survival Basics
Read-only, sensitive outputShow Served Certificate SANs
You need the Subject Alternative Name list from the served certificate.
Command
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName
Before you run this
System impact: Read-only. Output may expose users, paths, tokens, keys, IPs, process arguments, or log details.
When not to use it: Do not assume CN is enough on modern TLS clients.
Expected output
A DNS name list from the certificate SAN extension.
System impact
Read-only, sensitive output. Nothing changes. The command reads current state and prints diagnostic evidence.
Recovery / rollback: no state is changed.
When to use it
Use when the cert appears valid but not for this hostname.
When not to use it
Do not assume CN is enough on modern TLS clients.
Common misread
Do not assume CN is enough on modern TLS clients.
Example run
Commands shown
These are the commands shown for inspection. Treat them as an example, not proof that your system will behave identically.
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltNameopenssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName
next steps
Related commands
Read TLS Certificate Subject and Issuer
The certificate can be valid but issued for the wrong name.
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
Check the Certificate Served for SNI
The IP was right. The SNI name selected the wrong certificate.
openssl s_client -connect example.com:443 -servername www.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
Show TLS Certificate Names
The cert was valid, but not for this hostname.
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
Show TLS Certificate Dates
The outage was not the web server. The edge certificate had expired.
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
Show TLS Protocol and Cipher
The certificate was fine. The TLS negotiation told the rest of the story.
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | awk '/Protocol|Cipher|Verify return code/ {print}'
next diagnostic step
Where to go from this command
- Related problem hub Use this command as part of the repair path.
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.