gnutls_certificate_verify_peers3 - Linux
Overview
gnutls_certificate_verify_peers3 is not a command-line tool: it is a C function in the GnuTLS library (declared in gnutls/gnutls.h, available since GnuTLS 3.1.4). Called by a TLS client after gnutls_handshake() has succeeded, it verifies the certificate chain the peer presented against the trust anchors (CA certificates, CRLs, OCSP data) loaded into the session's certificate credentials and, when a hostname is supplied, checks that the certificate was issued for that name. It is the standard way for a GnuTLS client to validate the identity of a remote server; the equivalent check from the shell is made with gnutls-cli.
Syntax
#include <gnutls/gnutls.h>

int gnutls_certificate_verify_peers3(gnutls_session_t session,
                                     const char *hostname,
                                     unsigned int *status);
Parameters
- session: an initialised gnutls_session_t on which the handshake has completed. The trust store consulted is whatever was loaded into the session's certificate credentials with gnutls_certificate_set_x509_system_trust(), gnutls_certificate_set_x509_trust_file() and gnutls_certificate_set_x509_crl_file().
- hostname: the DNS name the client intended to connect to. The peer certificate must be valid for this name, otherwise GNUTLS_CERT_UNEXPECTED_OWNER is set in status. Pass NULL only when the hostname check is performed elsewhere: with a NULL hostname any certificate issued by a trusted CA is accepted, regardless of whom it names.
- status: output parameter. Receives zero when the chain is trusted and the hostname matches, otherwise a bitwise OR of gnutls_certificate_status_t flags such as GNUTLS_CERT_INVALID, GNUTLS_CERT_SIGNER_NOT_FOUND, GNUTLS_CERT_EXPIRED, GNUTLS_CERT_NOT_ACTIVATED, GNUTLS_CERT_REVOKED, GNUTLS_CERT_INSECURE_ALGORITHM and GNUTLS_CERT_UNEXPECTED_OWNER. gnutls_certificate_verification_status_print() renders the mask as a human-readable string.
- Return value: 0 when verification was performed, or a negative GnuTLS error code (for example GNUTLS_E_NO_CERTIFICATE_FOUND when the peer sent no certificate) when it could not be. A return value of 0 does not by itself mean the peer is trusted; the peer is trusted only when the return value is 0 and status is also 0.
Examples
The function has no command-line form. The same checks are run from the shell with gnutls-cli, which connects, performs the handshake, verifies the server certificate and exits non-zero when verification fails (unless --insecure is given). Redirecting stdin from /dev/null makes it exit after the handshake instead of waiting for data to send.
Verify a server's certificate against the system trust store:
gnutls-cli example.com </dev/null
Verify a server's certificate using a specific priority string:
gnutls-cli --priority NORMAL example.com </dev/null
Verify a server's certificate using a private CA certificate and a CRL:
gnutls-cli --x509cafile my_ca.crt --x509crlfile my_crl.crl example.com </dev/null
The port defaults to 443 and is changed with --port; --print-cert shows the chain the server actually sent, which is the first thing to look at when a chain does not verify.
Common Issues
- Certificate validation failed (status != 0): decode the mask with gnutls_certificate_verification_status_print(). GNUTLS_CERT_SIGNER_NOT_FOUND means the issuing CA is not in the configured trust store or the server did not send its intermediate certificates; GNUTLS_CERT_EXPIRED and GNUTLS_CERT_NOT_ACTIVATED point at the certificate's validity period or a wrong client clock; GNUTLS_CERT_REVOKED comes from a loaded CRL or an OCSP response; GNUTLS_CERT_UNEXPECTED_OWNER means the certificate does not name the hostname passed in. Treat any non-zero status as a rejection; do not single out bits as ignorable in production code.
- Verification appears to pass for every server: a client that checks only the return value of gnutls_certificate_verify_peers3 and ignores status accepts any certificate, self-signed ones included, which is equivalent to turning off server authentication. Check both values, or let the library enforce the check with gnutls_session_set_verify_cert() (GnuTLS 3.4.6 and later), which fails the handshake with GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR.
- Connection refused or handshake failure: these occur before the function is reached; gnutls_handshake() returns the error (print it with gnutls_strerror()) and verification never runs. Verify that the server is listening on the expected port and that no firewall or network issue blocks the connection.
- Unsupported certificate type: the function verifies X.509 chains. If gnutls_certificate_type_get() reports another certificate type, the peer has to be verified by the method appropriate to that type.
Integration
gnutls_certificate_verify_peers3 is called from a program, not from a script. For scripts and command chains the same verification is run through gnutls-cli, whose exit status is zero only when both the handshake and the certificate verification succeeded, so it can drive automated checks directly.
Example script to verify the certificates of several hosts:
#!/bin/bash
# Batch-check server certificates with gnutls-cli; </dev/null closes stdin so
# the client exits after the handshake instead of waiting for data to send.
HOSTS=("example.com" "example2.com" "example3.com")
for HOST in "${HOSTS[@]}"; do
    if gnutls-cli --port 443 "$HOST" </dev/null >/dev/null 2>&1; then
        echo "$HOST: certificate verified"
    else
        echo "$HOST: connection or certificate verification FAILED"
    fi
done
Related Commands
- gnutls-cli: GnuTLS command-line TLS client; performs the handshake and the same server certificate verification from the shell.
- certtool: GnuTLS tool for inspecting certificates and verifying a PEM chain offline (certtool --verify-chain).
- gnutls_certificate_verify_peers2: the same library check without hostname matching; the hostname must then be verified separately.
- gnutls_session_set_verify_cert: GnuTLS 3.4.6+ function that performs this verification automatically during the handshake.
- openssl verify, openssl s_client: OpenSSL equivalents for offline chain verification and for a live TLS connection.