• openssl x509: Used for managing X.509 certificates, including creating, viewing, and verifying certificates.
• openssl req: Used for generating certificate signing requests (CSRs) and self-signed certificates.
• openssl s_client: Used for testing SSL/TLS connections and checking a remote server's certificate chain and handshake.
• openssl s_server: Used for setting up a simple SSL/TLS server for testing and debugging purposes.
• openssl enc: Used for encrypting and decrypting data using various symmetric-key ciphers.


Check if the certificate is trusted

openssl
  1. Download the latest CA bundle file
curl -o cacert.pem https:///ca/cacert.pem
  2. Use openssl s_client to verify the server's chain against that bundle (add -servername with the same host name so SNI is sent; < /dev/null closes stdin so the client does not wait for input)
openssl s_client -connect :443 -CAfile cacert.pem < /dev/null 2>/dev/null | openssl x509 -noout -dates

The x509 -dates pipe only prints the leaf certificate's validity window. The actual trust result is the "Verify return code: N (...)" line that s_client prints on stdout: 0 means the chain validated against the bundle; anything else (for example 10 certificate expired, 19 self-signed certificate in chain, 20 unable to get local issuer certificate) means it did not. To check against the system bundle instead of the downloaded one, point -CAfile at it (for example /etc/ssl/certs/ca_bundle.pem).
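As an added example (not from the original notes), the script below does the trust check properly: it runs s_client with SNI and the chosen -CAfile, parses the Verify return code instead of discarding it, and still prints the validity dates. Host, port and bundle path are passed as arguments, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: report whether a server's chain
# validates against a CA bundle by reading s_client's "Verify return code"
# line, which the x509 -dates pipeline above throws away.

# parse_verify_rc: read s_client output on stdin and print the numeric verify
# code (0 = chain validated). Prints 255 when no "Verify return code" line is
# present, e.g. the TCP connect or handshake failed before verification ran.
# Common non-zero codes: 10 certificate expired, 18 self-signed leaf,
# 19 self-signed certificate in chain (root not in -CAfile),
# 20 unable to get local issuer certificate (intermediate missing).
parse_verify_rc() {
  awk '/^Verify return code:/ { code = $4; found = 1 }
       END { print (found ? code : 255) }'
}

# tls_probe HOST PORT CAFILE: one handshake with SNI and an explicit trust
# store; stdin is /dev/null so s_client exits instead of waiting for input.
tls_probe() {
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
    </dev/null 2>/dev/null
}

# check_trust HOST PORT CAFILE: print the leaf's subject and validity window
# plus the verify code; exit status 0 only if the chain verified against CAFILE.
check_trust() {
  out=$(tls_probe "$1" "$2" "$3")
  rc=$(printf '%s\n' "$out" | parse_verify_rc)
  # openssl x509 parses the first PEM block in the output, i.e. the leaf
  printf '%s\n' "$out" | openssl x509 -noout -subject -dates 2>/dev/null
  echo "verify return code: $rc"
  [ "$rc" = "0" ]
}

# Usage: ./check_trust.sh example.com 443 cacert.pem  (arguments are illustrative)
if [ $# -eq 3 ]; then
  check_trust "$1" "$2" "$3"
fi
```

The verify code covers chain building and validity only, not the host name; on OpenSSL 1.1.0 and later add -verify_hostname with the host name to the tls_probe command to have s_client check that as well.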
keytool

Since cacert.pem contains multiple certificates (like the Mozilla bundle), you'll need to split and import each certificate individually.

  1. Create a new KeyStore file

Java's keytool has no direct option for creating an empty keystore, so the workaround is to generate a temporary key pair and delete it again:

keytool -genkeypair -alias temp -keystore Trusted_CA.jks -keyalg RSA -keysize 2048 -validity 1

  2. Delete the temporary key entry
keytool -delete -alias temp -keystore Trusted_CA.jks

(Steps 1 and 2 can be skipped: keytool -importcert creates the keystore file if it does not exist yet.)

  3. Import each trusted CA into the JKS (Java KeyStore)
keytool -importcert -file GlobalSign.pem -alias GlobalSign -keystore Trusted_CA.jks -trustcacerts

keytool asks for the keystore password. For a keystore you created yourself this is whatever you chose in step 1; changeit is the default only for the JDK's own cacerts file. Aliases must be unique within the keystore, so give every split certificate its own alias.

  4. Point Java to the updated KeyStore

After importing the CA certificates, make sure your Java application knows where to find the KeyStore. You can do this via system properties:

java -Djavax.net.ssl.trustStore=/path/to/Trusted_CA.jks \
     -Djavax.net.ssl.trustStorePassword=your_password \
     YourJavaApp

Setting javax.net.ssl.trustStore replaces the JDK's default cacerts for that JVM, so any CA you did not import is no longer trusted.

  5. Verify the setup

You can test the connection with a Java HTTPS client or use keytool to list certificates:

keytool -list -v -keystore Trusted_CA.jks


Other commands

Download a server's SSL/TLS certificate using openssl s_client

openssl s_client -connect :443 -servername  -showcerts < /dev/null 2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > certificate.pem
Explanation
  1. openssl s_client -connect example.com:443 connects to the server example.com on port 443 (HTTPS).
  2. -servername example.com sends the host name in the handshake (SNI), so a server hosting several names returns the right certificate.
  3. -showcerts displays the full certificate chain the server sends (server certificate + intermediate certificates; the root is normally not included).
  4. < /dev/null closes the input stream immediately (avoids waiting for user input).
  5. 2>/dev/null suppresses error messages (optional, for cleaner output).
  6. sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' extracts only the certificate blocks (PEM format) from the output.
  7. > certificate.pem saves the certificates to a file named certificate.pem. Nothing in this pipeline verifies the chain; it only records what the server presented.
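The keytool steps above say the bundle must be split and each certificate imported separately, and the command just explained fetches a chain with -showcerts. The script below is an added example (not from the original notes, and not part of keytool or OpenSSL) that covers both: a fetch_chain helper, an awk splitter that writes one file per PEM block, an alias scheme that stays unique across a whole bundle, and a loop that imports into a JKS non-interactively. File names, function names and the alias format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original page): fetch a server's chain with
# s_client -showcerts, split any PEM bundle into one file per certificate, and
# import each file into a JKS as a trusted entry. Function names, the
# cert-NNN.pem naming and the alias scheme are this example's own assumptions.

# fetch_chain HOST PORT OUTFILE: save every PEM block the server presents
# (leaf plus intermediates; the root is usually not sent). This is for
# inspection only: do not feed a server's leaf certificate into a trust store.
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$3"
}

# split_pem BUNDLE OUTDIR: write OUTDIR/cert-001.pem, cert-002.pem, ... and
# print the number of certificates found. Comment lines between blocks (as in
# the Mozilla bundle) are dropped rather than appended to the previous file.
split_pem() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  ' "$1"
}

# cert_alias FILE: build a keystore alias from the subject CN plus the first 8
# hex digits of the SHA-256 fingerprint. The fingerprint part keeps aliases
# unique even when several CA certificates share a CN (keytool aliases are
# case-insensitive and must be unique, otherwise -importcert fails).
cert_alias() {
  cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
       | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p' \
       | sed 's/[^A-Za-z0-9]/-/g' | tr 'A-Z' 'a-z')
  fp=$(openssl x509 -noout -fingerprint -sha256 -in "$1" \
       | cut -d= -f2 | tr -d ':' | cut -c1-8 | tr 'A-Z' 'a-z')
  printf '%s-%s\n' "${cn:-cert}" "$fp"
}

# import_bundle_jks BUNDLE KEYSTORE STOREPASS: import every certificate in
# BUNDLE as a trustedCertEntry; keytool creates KEYSTORE if it does not exist.
# -noprompt answers the "Trust this certificate?" question for each root.
# Prints the number of certificates imported.
import_bundle_jks() {
  dir=$(mktemp -d)
  count=$(split_pem "$1" "$dir")
  for f in "$dir"/cert-*.pem; do
    [ -f "$f" ] || continue   # empty bundle: the glob did not expand
    keytool -importcert -noprompt -trustcacerts -file "$f" -alias "$(cert_alias "$f")" \
      -keystore "$2" -storepass "$3" >/dev/null
  done
  rm -rf "$dir"
  echo "$count"
}

# Usage: ./trust_jks.sh cacert.pem Trusted_CA.jks STOREPASS  (names illustrative)
# Imports the bundle, then checks that the keystore holds as many trusted
# entries as the bundle had certificates.
if [ $# -eq 3 ]; then
  n=$(import_bundle_jks "$1" "$2" "$3")
  echo "imported $n certificates"
  echo "trusted entries in keystore: $(keytool -list -keystore "$2" -storepass "$3" | grep -c trustedCertEntry)"
fi
```

Passing -storepass on the command line exposes the password in the process list; for anything beyond a lab run, keytool also accepts -storepass:env VARNAME and -storepass:file PATH.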