I have been struggling with setting up our env on SSL. We get keystore files from our CAs. It is a fairly automated process. However, we mostly struggle on the client side.
Currently, I run the following command to check the certs from the server:
openssl s_client -connect <server>:<port>
Once it prints the certs, I list the keystores and verify the DN, issuer and subject manually:
keytool -list -v -keystore keystore.jks
I would like to know if there is a command or any other way to feed the keystore.jks to the openssl command and verify the certs.
You can try the following command:
openssl s_client -verify 100 -showcerts -connect $HOST:$PORT -CAfile <(keytool -list -rfc -keystore truststore.jks -storepass changeit)
-keystore is the path to the keystore.
-storepass is the password for the keystore.
This will load your keystore as input to -CAfile.
The command works the same as openssl s_client -connect $HOST:$PORT -CAfile <path-to-ca.pem>