OpenSSL will allow you to look at it if it is installed on your system, using the OpenSSL x509 tool.

openssl x509 -noout -text -in 'cerfile.cer';

The format of the .CER file might require that you specify a different encoding format to be explicitly called out.

openssl x509 -inform pem -noout -text -in 'cerfile.cer';

or

openssl x509 -inform der -noout -text -in 'cerfile.cer';

On Windows systems you can right click the .cer file and select Open. That will then let you view most of the meta data.

On Windows you run Windows certificate manager program using certmgr.msc command in the run window. Then you can import your certificates and view details.

Answer from Helvick on serverfault.com
🌐
Server Fault
serverfault.com › questions › 215606 › how-do-i-view-the-details-of-a-digital-certificate-cer-file
openssl - How do I view the details of a digital certificate .cer file? - Server Fault
Top answer
1 of 7
456

OpenSSL will allow you to look at it if it is installed on your system, using the OpenSSL x509 tool.

openssl x509 -noout -text -in 'cerfile.cer';

The format of the .CER file might require that you specify a different encoding format to be explicitly called out.

openssl x509 -inform pem -noout -text -in 'cerfile.cer';

or

openssl x509 -inform der -noout -text -in 'cerfile.cer';

On Windows systems you can right click the .cer file and select Open. That will then let you view most of the meta data.

On Windows you run Windows certificate manager program using certmgr.msc command in the run window. Then you can import your certificates and view details.

2 of 7
52

If you're using Windows, you can use console util (PowerShell or Command Prompt)

certutil -dump C:\path\certfile.cer
🌐
Stack Overflow
stackoverflow.com › questions › 7885785 › using-openssl-to-get-the-certificate-from-a-server
linux - Using openssl to get the certificate from a server - Stack Overflow
Top answer
1 of 16
738

With SNI

If the remote server is using SNI (that is, sharing multiple SSL hosts on a single IP address) you will need to send the correct hostname in order to get the right certificate.

openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null

If you get an error similar to xxx:error:xxx:BIO routines:BIO_lookup_ex:system lib:crypto/bio/bio_addr.c:758:nodename nor servname provided, or not known connect:errno=0, execute the same command without www as the domain may not support it.

You may also get Secure Renegotiation IS NOT supported behind a corporate firewall in which case, a temporary (but dangerous) workaround is the -legacy_renegotiation parameter that can be added to the above command.

Without SNI

If the remote server is not using SNI, then you can skip -servername parameter:

openssl s_client -showcerts -connect www.example.com:443 </dev/null

To view the full details of a site's cert you can use this chain of commands as well:

$ echo | \
    openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | \
    openssl x509 -text
2 of 16
135

A one-liner to extract the certificate from a remote server in PEM format, this time using sed:

openssl s_client -connect www.google.com:443 2>/dev/null </dev/null |  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
Videos
02:55
🌐 YouTube
how to view website ssl certificate dns entires using openssl - ...
October 13, 2021
03:31
🌐 YouTube
Check SSL certificate with OpenSSL Command - YouTube
October 3, 2021
3.84K
11:38
🌐 YouTube
Looking inside an SSL Certificate with OpenSSL - YouTube
February 14, 2022
02:39
🌐 YouTube
OpenSSL as a Tool for Validating certificates - YouTube
August 5, 2019
18:24
🌐 YouTube
Using OpenSSL With Ed Harmoush, Part 5: Inspecting Certificates: ...
June 9, 2022
11:38
🌐 YouTube
Looking inside an SSL Certificate with OpenSSL
February 14, 2022
View all
View all
🌐
SSLShopper
sslshopper.com › article-most-common-openssl-commands.html
The Most Common OpenSSL Commands
If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker. Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key · openssl x509 -noout -modulus -in certificate.crt | openssl md5 openssl rsa ...
🌐
IBM
ibm.com › support › pages › openssl-commands-check-and-verify-your-ssl-certificate-key-and-csr
OpenSSL commands to check and verify your SSL certificate, key and CSR
OpenSSL commands to check and verify your SSL certificate, key and CSR
🌐
SSL Dragon
ssldragon.com › home › blog › advanced ssl › how to check an ssl certificate in linux with openssl
How to Check a Certificate with OpenSSL - SSL Dragon
October 27, 2025 - To verify if the public and private keys match, you need to extract the public key from each file and generate a hash output for it. All three files should share the same public key and the same hash value. Here’s how to use OpenSSL to check certificates and key details.
🌐
Pleasant Solutions
pleasantpasswords.com › info › pleasant-password-server › b-server-configuration › 3-installing-a-3rd-party-certificate › openssl-commands
OpenSSL Commands - Pleasant Solutions
If you are receiving an error that the private doesn't match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key · openssl x509 -noout -modulus -in certificate.crt | openssl md5 openssl rsa -noout -modulus -in privateKey.key | openssl md5 openssl req -noout -modulus -in CSR.csr | openssl md5
🌐
Xolphin
xolphin.com › support › manuals › openssl
Frequently used OpenSSL Commands
Check an SSL connection. All certificates (also intermediate certificates) should be displayed. openssl s_client -connect www.paypal.com:443
🌐
OpenSSL
docs.openssl.org › 3.1 › man1 › openssl-verification-options
openssl-verification-options - OpenSSL Documentation
Currently predefined purposes are sslclient, sslserver, nssslserver, smimesign, smimeencrypt, crlsign, ocsphelper, timestampsign, and any. If peer certificate verification is enabled, by default the TLS implementation and thus the commands openssl-s_client(1) and openssl-s_server(1) check for ...
Find elsewhere
🌐
Ping Identity
docs.pingidentity.com › solution-guides › standards_and_protocols_use_cases › htg_use_openssl_to_test_ssl_connectivity.html
Using OpenSSL s_client commands to test SSL connectivity | Use Cases
In the command line, enter openssl s_client -connect <hostname>:<port>. This opens an SSL connection to the specified hostname and port and prints the SSL certificate. Check the availability of the domain from the connection results.
🌐
Dell
dell.com › home › support home › knowledge base article
PowerEdge: How to Check, Validate, and Convert SSL Certificate Using OpenSSL and Keytool Commands | Dell Canada
July 18, 2025 - How to check, validate, and convert SSL certificates using OpenSSL and Keytool. This article includes commands for PEM, DER, PKCS12, and certificate fingerprint checks.
🌐
Warp
warp.dev › terminus › openssl-check-certificate
Warp: How To Verify A Certificate With OpenSSL
January 31, 2024 - If you’re using Warp as your ... ... Entering check certificate expiration openssl in the AI Command Search will prompt an openssl command that can then quickly be inserted into your shell by doing CMD+ENTER...
🌐
OpenSSL
docs.openssl.org › 3.0 › man1 › openssl-verify
openssl-verify - OpenSSL Documentation
See "Trusted Certificate Options" in openssl-verification-options(1) for details. -allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict -issuer_checks
🌐
Stack Exchange
unix.stackexchange.com › questions › 16226 › how-can-i-verify-ssl-certificates-on-the-command-line
How can I verify SSL certificates on the command line? - Unix & Linux Stack Exchange
Top answer
1 of 6
108

Assuming your certificates are in PEM format, you can do:

openssl verify cert.pem

If your "ca-bundle" is a file containing additional intermediate certificates in PEM format:

openssl verify -untrusted ca-bundle cert.pem

If your openssl isn't set up to automatically use an installed set of root certificates (e.g. in /etc/ssl/certs), then you can use -CApath or -CAfile to specify the CA.

2 of 6
29

Here is one-liner to verify a certificate chain:

openssl verify -verbose -x509_strict -CAfile ca.pem -CApath nosuchdir cert_chain.pem

This doesn't require to install CA anywhere.

See https://stackoverflow.com/questions/20409534/how-does-an-ssl-certificate-chain-bundle-work for details.

Update

As noted by Klaas van Schelven, the answer above is misleading as openssl appears to verify only single top certificate per file. So it's necessary to issue multiple verify commands for each certificate chain node placed in separate file.

🌐
Linux Handbook
linuxhandbook.com › check-certificate-openssl
How to Check Certificate with OpenSSL
March 4, 2024 - The openssl command can also be used to verify a Certificate and CSR(Certificate Signing Request). For verifying a crt type certificate and to get the details about signing authority, expiration date, etc., use the command: ... You can use the ...
🌐
Liquid Web
liquidweb.com › home › guide to testing an ssl connection using openssl
Test an SSL Connection Using OpenSSL s_client | Liquid Web
March 12, 2025 - The Subject Alternative Name (SAN) in a certificate allows for securing multiple domains with just one certificate. You can check it by piping the s_client output into an x509 command. Here is the appropriate syntax. $ echo | openssl s_client -connect example.org:443 2>/dev/null | openssl x509 -noout -ext subjectAltName
🌐
Sectigo
sectigo.com › faqs › detail › How-do-I-verify-that-a-private-key-matches-a-certificate-OpenSSL-1527076112539 › kA01N000000zFTR
How do I verify that a private key matches a certificate? (OpenSSL) ...
July 5, 2021 - To verify the consistency of the RSA private key and to view its modulus: openssl rsa -modulus -noout -in myserver.key | openssl md5 openssl rsa -check -noout -in myserver.key RSA Key is ok
🌐
Yourwebhoster
help.yourwebhoster.eu › en › support › solutions › articles › 80000949039-how-to-verify-ssl-certificates-with-openssl-on-command-line
How to verify SSL certificates with OpenSSL on Command Line : Yourwebhoster.eu
To make sure that you have installed the SSL certificate correctly, we have have compiled a cheatsheet with OpenSSL commands to verify that multiple protocols use the correct certificate. Enter the domain you want to check here: {INPUT:ser...
🌐
Stack Overflow
stackoverflow.com › questions › 25482199 › verify-a-certificate-chain-using-openssl-verify
Verify a certificate chain using openssl verify - Stack Overflow
Top answer
1 of 10
309

From verify documentation:

If a certificate is found which is its own issuer it is assumed to be the root CA.

In other words, root CA needs to be self signed for verify to work. This is why your second command didn't work. Try this instead:

openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem

It will verify your entire chain in a single command.

2 of 10
83

That's one of the few legitimate jobs for cat:

openssl verify -verbose -CAfile <(cat Intermediate.pem RootCert.pem) UserCert.pem

Update:

As Greg Smethells points out in the comments, this command implicitly trusts Intermediate.pem. I recommend reading the first part of the post Greg references (the second part is specifically about pyOpenSSL and not relevant to this question).

In case the post goes away I'll quote the important paragraphs:

Unfortunately, an "intermediate" cert that is actually a root / self-signed will be treated as a trusted CA when using the recommended command given above:

$ openssl verify -CAfile <(cat geotrust_global_ca.pem rogue_ca.pem) fake_sometechcompany_from_rogue_ca.com.pem fake_sometechcompany_from_rogue_ca.com.pem: OK

It seems openssl will stop verifying the chain as soon as a root certificate is encountered, which may also be Intermediate.pem if it is self-signed. In that case RootCert.pem is not considered. So make sure that Intermediate.pem is coming from a trusted source before relying on the command above.

🌐
Server Fault
serverfault.com › questions › 1011294 › how-to-view-certificate-chain-using-openssl
How to view certificate chain using openssl - Server Fault
Top answer
1 of 8
50

Use showcerts:

openssl s_client -showcerts -connect www.serverfault.com:443

Output with some information removed for brevity:

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = *.stackexchange.com
verify return:1
---
Certificate chain
 0 s:/CN=*.stackexchange.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
*REMOVED*
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
*REMOVED*
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.stackexchange.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
2 of 8
15

From a certificate bundle, you can use crl2pkcs7 that is not limited to a CRL:

openssl crl2pkcs7 -nocrl -certfile server_bundle.pem | openssl pkcs7 -print_certs -noout

From a live server, we need an additional stage to get the list:

echo | openssl s_client -connect host:port [-servername host] -showcerts | openssl crl2pkcs7 -nocrl | openssl pkcs7 -noout -print_certs

Use the -servername parameter in case your host serves multiple domains to get the right certificate.