Back to commands

Linux Survival Basics

Read-only, sensitive output

Show Served Certificate SANs

You need the Subject Alternative Name list from the served certificate.

Command

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName

Before you run this

System impact: Read-only. Output may expose users, paths, tokens, keys, IPs, process arguments, or log details.

When not to use it: Do not assume CN is enough on modern TLS clients.

Expected output

A DNS name list from the certificate SAN extension.

System impact

Read-only, sensitive output. Nothing changes. The command reads current state and prints diagnostic evidence.

Recovery / rollback: no state is changed.

When to use it

Use when the cert appears valid but not for this hostname.

When not to use it

Do not assume CN is enough on modern TLS clients.

Common misread

Do not assume CN is enough on modern TLS clients.

Example run

Commands shown

These are the commands shown for inspection. Treat them as an example, not proof that your system will behave identically.

  1. openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName
  2. openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName

next steps

Related commands

Linux Survival Basics Sensitive output

Read TLS Certificate Subject and Issuer

The certificate can be valid but issued for the wrong name.

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
Web Server Rescue Sensitive output

Check the Certificate Served for SNI

The IP was right. The SNI name selected the wrong certificate.

openssl s_client -connect example.com:443 -servername www.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
Web Server Rescue Sensitive output

Show TLS Certificate Names

The cert was valid, but not for this hostname.

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
Web Server Rescue Sensitive output

Show TLS Certificate Dates

The outage was not the web server. The edge certificate had expired.

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
Web Server Rescue Sensitive output

Show TLS Protocol and Cipher

The certificate was fine. The TLS negotiation told the rest of the story.

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | awk '/Protocol|Cipher|Verify return code/ {print}'

next diagnostic step

Where to go from this command

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • LPIC-1 style command-line practice
  • LFCS style performance-task practice
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.