Testing and Verification

Commands and procedures for testing and verifying TLS configurations on Bindplane collectors.

Testing TLS Connections with OpenSSL

OpenSSL's s_client tool is the standard for testing TLS connections. It allows you to inspect certificates, test handshakes, and debug TLS issues.

Basic Connectivity Test

Test that the TLS server is accepting connections:

openssl s_client -connect collector.example.com:10514

What to look for:

CONNECTED - TCP connection established
Certificate chain displayed
Verify return code: 0 (ok) - Certificate verified successfully
Or appropriate verification result based on your setup

To exit: Type CTRL-C or Q then ENTER

View Certificate Chain

See the complete certificate chain sent by the server:

openssl s_client -connect collector.example.com:10514 -showcerts

What this shows:

All certificates in the chain (server cert + intermediates)
Full PEM-encoded certificates
Certificate details for each cert in the chain

Useful for:

Verifying the server sends intermediate certificates
Checking certificate order
Debugging "Unknown CA" errors

Test Specific TLS Version

Test connectivity with a specific TLS version:

# Test TLS 1.2
openssl s_client -connect collector.example.com:10514 -tls1_2

# Test TLS 1.3
openssl s_client -connect collector.example.com:10514 -tls1_3

Expected results:

Connection succeeds if version is supported
Connection fails if version is not supported (below min_version or above max_version)

Test Cipher Suites

Test a specific cipher suite:

openssl s_client -connect collector.example.com:10514 \
  -cipher 'ECDHE-RSA-AES256-GCM-SHA384'

List supported cipher suites:

openssl s_client -connect collector.example.com:10514 -showcerts \
  2>&1 | grep "Cipher"

OpenSSL s_client Options Reference

Option

Description

-connect <host>:<port>

Server to connect to

-showcerts

Show all certificates in the chain

-CAfile <file>

CA certificate file for verification

-cert <file>

Client certificate file (for mTLS)

-key <file>

Client private key file (for mTLS)

-tls1_2

Use only TLS 1.2

-tls1_3

Use only TLS 1.3

-cipher <list>

Specify cipher suites to use

-servername <name>

Set SNI (Server Name Indication) hostname

-debug

Print debug information

-state

Print TLS session states

For complete OpenSSL s_client documentation, see: https://www.openssl.org/docs/man1.1.1/man1/s_client.html

Verifying Certificate and Key Match

It's critical to verify that your certificate and private key are a matching pair before deploying them.

Method 1: Compare Public Keys (Recommended)

This method extracts the public key from both files and compares them directly:

# Extract public key from the private key
openssl rsa -in server.key -pubout -out key_public.pem

# Extract public key from the certificate
openssl x509 -in server.crt -pubkey -noout -out cert_public.pem

# Compare the two public keys (no output = they match)
diff key_public.pem cert_public.pem

# Or compare file hashes (Linux/macOS)
md5sum key_public.pem cert_public.pem
# Hashes should be identical

# macOS alternative
md5 key_public.pem cert_public.pem

# Extract public keys
openssl rsa -in server.key -pubout -out key_public.pem
openssl x509 -in server.crt -pubkey -noout -out cert_public.pem

# Compare file hashes
(Get-FileHash key_public.pem).Hash -eq (Get-FileHash cert_public.pem).Hash
# Should return: True

Interpretation:

No output from diff = Files match
Identical hashes = Files match
Any difference = Files do NOT match

Method 2: Compare Modulus Hashes

This method compares the modulus values from both files:

# Get certificate modulus hash
openssl x509 -noout -modulus -in server.crt | openssl md5

# Get private key modulus hash
openssl rsa -noout -modulus -in server.key | openssl md5

# The MD5 hashes should be identical

Example output:

(stdin)= 8d4e2a5f9c8b3e1a7d6c4f2e8b9a5c3d  # Certificate modulus
(stdin)= 8d4e2a5f9c8b3e1a7d6c4f2e8b9a5c3d  # Key modulus (should match)

Best Practice

Use Method 1 (Compare Public Keys) as it's more reliable and works with all key types (RSA, ECDSA, Ed25519).

Certificate Inspection

View Certificate Details

Inspect all information in a certificate:

openssl x509 -in server.crt -text -noout

Key information shown:

Subject (who the certificate identifies)
Issuer (who signed the certificate)
Validity period (not before / not after dates)
Public key algorithm and size
Subject Alternative Names (SANs)
Key usage and extended key usage
Signature algorithm

Check Expiration Date

Quickly check when a certificate expires:

openssl x509 -in server.crt -noout -enddate

Example output:

notAfter=Jan 15 23:59:59 2025 GMT

Check both start and end dates:

openssl x509 -in server.crt -noout -dates

View Subject and Issuer

See who the certificate identifies and who issued it:

openssl x509 -in server.crt -noout -subject -issuer

Example output:

subject=CN = collector.example.com, O = Example Org
issuer=CN = Example Intermediate CA, O = Example Org

View Subject Alternative Names (SANs)

See all hostnames/IPs the certificate is valid for:

openssl x509 -in server.crt -noout -ext subjectAltName

Example output:

X509v3 Subject Alternative Name:
    DNS:collector.example.com, DNS:*.example.com, IP Address:192.168.1.10

Check Certificate Chain Order

When you have a chain file, verify the order:

# View all certificates in the chain
openssl certs -in fullchain.crt -text -noout

# Or use a more detailed approach
awk 'BEGIN {c=0} /BEGIN CERT/{c++} {print > "cert" c ".pem"}' fullchain.crt
openssl x509 -in cert1.pem -noout -subject -issuer
openssl x509 -in cert2.pem -noout -subject -issuer

# View all certificates in the chain
openssl certs -in C:\certs\fullchain.crt -text -noout

# Or use a more detailed approach - split chain into individual certs
$content = Get-Content C:\certs\fullchain.crt -Raw
$certs = [regex]::Matches($content, '(?s)(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)')
for ($i = 0; $i -lt $certs.Count; $i++) {
    $certs[$i].Value | Set-Content "cert$($i+1).pem"
}
openssl x509 -in cert1.pem -noout -subject -issuer
openssl x509 -in cert2.pem -noout -subject -issuer

Expected order:

First certificate: Server/leaf (subject = your server)
Second certificate: Intermediate CA (subject = intermediate, issuer = root or another intermediate)
Third certificate (optional): Root CA (subject = issuer = root CA)

Testing Mutual TLS (mTLS)

Test with Client Certificate

Test mTLS connection with a client certificate:

openssl s_client -connect collector.example.com:10514 \
  -cert client.crt \
  -key client.key \
  -CAfile server-ca.crt

What to look for:

CONNECTED - Connection established
Verify return code: 0 (ok) - Server certificate verified
Client certificate sent (shown in output)
Connection successful

Verify Unauthorized Clients Are Rejected

When using client_ca_file, test that connections without client certificates fail:

# This should fail with "certificate required" error
openssl s_client -connect collector.example.com:10514

Expected result:

Connection rejected during handshake
Error: certificate required or handshake failure
Exit code: non-zero

Debug Client Certificate Issues

Get detailed information about client certificate verification:

openssl s_client -connect collector.example.com:10514 \
  -cert client.crt \
  -key client.key \
  -CAfile server-ca.crt \
  -state \
  -debug

Options:

-state: Shows TLS protocol state transitions
-debug: Shows detailed protocol messages

Verify Client Certificate Against CA

Check that a client certificate is properly signed by the CA:

openssl verify -CAfile client-ca.crt client.crt

Expected output:

client.crt: OK

If verification fails:

unable to get issuer certificate - CA file doesn't contain the issuer
certificate has expired - Client certificate is expired
unable to get local issuer certificate - Missing intermediate CA

Platform-Specific Commands

Check Certificate Format

file certificate.crt
# PEM: "PEM certificate"
# DER: "DER encoded certificate"

View First Few Lines

head -n 5 certificate.crt

Calculate File Hashes

md5sum certificate.crt
sha256sum certificate.crt

Test OpenSSL Installation

openssl version

Automated Testing

Health Check Script

Create a simple health check script to verify TLS connectivity:

#!/bin/bash
# tls-health-check.sh

HOST="collector.example.com"
PORT="10514"
TIMEOUT=5

echo "Testing TLS connection to $HOST:$PORT..."

# Test connection with timeout
timeout $TIMEOUT openssl s_client -connect $HOST:$PORT </dev/null 2>&1 | \
  grep -q "Verify return code: 0 (ok)"

if [ $? -eq 0 ]; then
  echo "TLS connection successful"
  exit 0
else
  echo "TLS connection failed"
  exit 1
fi

# tls-health-check.ps1

$Host_ = "collector.example.com"
$Port = "10514"

Write-Host "Testing TLS connection to ${Host_}:${Port}..."

# Test connection
$result = echo "" | openssl s_client -connect "${Host_}:${Port}" 2>&1
if ($result -match "Verify return code: 0 \(ok\)") {
    Write-Host "TLS connection successful"
    exit 0
} else {
    Write-Host "TLS connection failed"
    exit 1
}

Usage:

chmod +x tls-health-check.sh
./tls-health-check.sh

Certificate Expiration Monitoring

Monitor certificate expiration dates:

#!/bin/bash
# cert-expiry-check.sh

CERT_FILE="server.crt"
WARNING_DAYS=30

# Get expiration date
EXPIRY_DATE=$(openssl x509 -in $CERT_FILE -noout -enddate | cut -d= -f2)
EXPIRY_EPOCH=$(date -d "$EXPIRY_DATE" +%s 2>/dev/null || date -j -f "%b %d %T %Y %Z" "$EXPIRY_DATE" +%s)
NOW_EPOCH=$(date +%s)
DAYS_LEFT=$(( ($EXPIRY_EPOCH - $NOW_EPOCH) / 86400 ))

echo "Certificate expires: $EXPIRY_DATE"
echo "Days remaining: $DAYS_LEFT"

if [ $DAYS_LEFT -lt 0 ]; then
  echo "Certificate has EXPIRED"
  exit 2
elif [ $DAYS_LEFT -lt $WARNING_DAYS ]; then
  echo "Certificate expires in less than $WARNING_DAYS days"
  exit 1
else
  echo "Certificate is valid"
  exit 0
fi

# cert-expiry-check.ps1

$CertFile = "C:\certs\server.crt"
$WarningDays = 30

# Get expiration date
$expiryLine = openssl x509 -in $CertFile -noout -enddate
$expiryDate = [datetime]::Parse(($expiryLine -split "=")[1])
$daysLeft = ($expiryDate - (Get-Date)).Days

Write-Host "Certificate expires: $expiryDate"
Write-Host "Days remaining: $daysLeft"

if ($daysLeft -lt 0) {
    Write-Host "Certificate has EXPIRED"
    exit 2
} elseif ($daysLeft -lt $WarningDays) {
    Write-Host "Certificate expires in less than $WarningDays days"
    exit 1
} else {
    Write-Host "Certificate is valid"
    exit 0
}

Integration Testing

Test the full pipeline with sample data:

#!/bin/bash
# tls-integration-test.sh

HOST="collector.example.com"
PORT="10514"
MESSAGE="Test log message from integration test"

# Send test message over TLS
echo "$MESSAGE" | openssl s_client -connect $HOST:$PORT -quiet 2>/dev/null

if [ $? -eq 0 ]; then
  echo "Test message sent successfully"
else
  echo "Failed to send test message"
  exit 1
fi

# tls-integration-test.ps1

$Host_ = "collector.example.com"
$Port = "10514"
$Message = "Test log message from integration test"

# Send test message over TLS
$Message | openssl s_client -connect "${Host_}:${Port}" -quiet 2>$null

if ($LASTEXITCODE -eq 0) {
    Write-Host "Test message sent successfully"
} else {
    Write-Host "Failed to send test message"
    exit 1
}

Continuous Monitoring

Certificate Renewal Checks

Set up periodic checks for certificate renewal:

# Add to crontab (runs daily at 2 AM)
0 2 * * * /path/to/cert-expiry-check.sh >> /var/log/cert-expiry.log 2>&1

# Create a scheduled task (runs daily at 2 AM)
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-File C:\scripts\cert-expiry-check.ps1"
$trigger = New-ScheduledTaskTrigger -Daily -At 2am
Register-ScheduledTask -TaskName "CertExpiryCheck" -Action $action -Trigger $trigger

TLS Endpoint Monitoring

Use tools like:

Nagios/Icinga: Check certificate expiration and validity
Prometheus: blackbox_exporter for TLS monitoring
Datadog/New Relic: Synthetic monitoring for TLS endpoints

Example Prometheus blackbox_exporter config:

modules:
  tls_connect:
    prober: tcp
    timeout: 5s
    tcp:
      tls: true
      tls_config:
        insecure_skip_verify: false

Common Verification Scenarios

Verify Certificate Chain is Complete

# Test from a client's perspective
openssl s_client -connect collector.example.com:10514 -showcerts

# Look for the full chain in output
# Should see: Server cert → Intermediate(s) → (optionally) Root

# Test from a client's perspective
openssl s_client -connect collector.example.com:10514 -showcerts

# Look for the full chain in output
# Should see: Server cert -> Intermediate(s) -> (optionally) Root

Verify Certificate Matches Domain

# Check Subject Alternative Names (SANs)
openssl x509 -in server.crt -noout -ext subjectAltName

# Or check Common Name (CN)
openssl x509 -in server.crt -noout -subject

Verify Private Key is Unencrypted

# Check key file headers
head -n 10 server.key

# Should see:
# -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----
# Should NOT see:
# -----BEGIN ENCRYPTED PRIVATE KEY----- or "Proc-Type: 4,ENCRYPTED"

# Check key file headers
Get-Content C:\certs\server.key -First 10

# Should see:
# -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----
# Should NOT see:
# -----BEGIN ENCRYPTED PRIVATE KEY----- or "Proc-Type: 4,ENCRYPTED"

Verify File Permissions

# Check permissions
ls -la /path/to/server.key
ls -la /path/to/server.crt

# Private key should be 600 (rw-------)
# Certificate can be 644 (rw-r--r--)

# Fix if needed
chmod 600 /path/to/server.key
chmod 644 /path/to/server.crt

# Check permissions
icacls C:\certs\server.key
icacls C:\certs\server.crt

# Fix if needed - restrict private key to current user only
icacls C:\certs\server.key /inheritance:r /grant:r "$($env:USERNAME):(R)"

PreviousCertificate Conversion NextBring Your Own Collector

Last updated 1 day ago

Was this helpful?

Good afternoon

hashtagTesting TLS Connections with OpenSSL

hashtagBasic Connectivity Test

hashtagView Certificate Chain

hashtagTest Specific TLS Version

hashtagTest Cipher Suites

hashtagOpenSSL s_client Options Reference

hashtagVerifying Certificate and Key Match

hashtagMethod 1: Compare Public Keys (Recommended)

hashtagMethod 2: Compare Modulus Hashes

hashtagCertificate Inspection

hashtagView Certificate Details

hashtagCheck Expiration Date

hashtagView Subject and Issuer

hashtagView Subject Alternative Names (SANs)

hashtagCheck Certificate Chain Order

hashtagTesting Mutual TLS (mTLS)

hashtagTest with Client Certificate

hashtagVerify Unauthorized Clients Are Rejected

hashtagDebug Client Certificate Issues

hashtagVerify Client Certificate Against CA

hashtagPlatform-Specific Commands

hashtagCheck Certificate Format

hashtagView First Few Lines

hashtagCalculate File Hashes

hashtagTest OpenSSL Installation

hashtagAutomated Testing

hashtagHealth Check Script

hashtagCertificate Expiration Monitoring

hashtagIntegration Testing

hashtagContinuous Monitoring

hashtagCertificate Renewal Checks

hashtagTLS Endpoint Monitoring

hashtagCommon Verification Scenarios

hashtagVerify Certificate Chain is Complete

hashtagVerify Certificate Matches Domain

hashtagVerify Private Key is Unencrypted

hashtagVerify File Permissions

Testing TLS Connections with OpenSSL

Basic Connectivity Test

View Certificate Chain

Test Specific TLS Version

Test Cipher Suites

OpenSSL s_client Options Reference

Verifying Certificate and Key Match

Method 1: Compare Public Keys (Recommended)

Method 2: Compare Modulus Hashes

Certificate Inspection

View Certificate Details

Check Expiration Date

View Subject and Issuer

View Subject Alternative Names (SANs)

Check Certificate Chain Order

Testing Mutual TLS (mTLS)

Test with Client Certificate

Verify Unauthorized Clients Are Rejected

Debug Client Certificate Issues

Verify Client Certificate Against CA

Platform-Specific Commands

Check Certificate Format

View First Few Lines

Calculate File Hashes

Test OpenSSL Installation

Automated Testing

Health Check Script

Certificate Expiration Monitoring

Integration Testing

Continuous Monitoring

Certificate Renewal Checks

TLS Endpoint Monitoring

Common Verification Scenarios

Verify Certificate Chain is Complete

Verify Certificate Matches Domain

Verify Private Key is Unencrypted

Verify File Permissions