gnutls_certificate_verify_peers3 - Linux


Overview

gnutls_certificate_verify_peers3 is not a command-line program: it is a function in the GnuTLS library (libgnutls, available since GnuTLS 3.1.4) that a TLS client or server calls to verify the certificate chain the peer presented during the handshake. It checks the chain against the trust anchors and CRLs loaded into the session's certificate credentials and, when a hostname is given, checks that the leaf certificate is issued for that name. It is the variant of gnutls_certificate_verify_peers2 that adds the hostname check, and it is what applications should call (directly from a verify callback, or indirectly through gnutls_session_set_verify_cert) before sending any data, because a completed handshake alone says nothing about who the peer is.

Syntax

#include <gnutls/gnutls.h>

int gnutls_certificate_verify_peers3(gnutls_session_t session,
                                     const char *hostname,
                                     unsigned int *status);

Parameters and status flags

  • session: the gnutls_session_t whose peer certificate is to be checked. The handshake must have progressed far enough for the peer's certificate to have been received; calling the function from the verify callback installed with gnutls_certificate_set_verify_function guarantees this.
  • hostname: the DNS name the peer is expected to have, compared against the certificate's subject alternative names (falling back to the common name). Passing NULL skips the name check, which leaves the connection open to any certificate the configured CAs have ever issued.
  • status: output parameter, set to 0 when the chain is trusted and the name matches, otherwise to a bitwise OR of gnutls_certificate_status_t values, among them:
      GNUTLS_CERT_INVALID              the chain is not trusted (set together with a more specific bit)
      GNUTLS_CERT_REVOKED              a certificate in the chain is listed in a loaded CRL or OCSP response
      GNUTLS_CERT_SIGNER_NOT_FOUND     no trust anchor for the chain was found (typically no CAs were loaded)
      GNUTLS_CERT_SIGNER_NOT_CA        an issuing certificate in the chain is not a CA certificate
      GNUTLS_CERT_INSECURE_ALGORITHM   a weak signature algorithm (such as MD5) is used in the chain
      GNUTLS_CERT_NOT_ACTIVATED        a certificate's validity period has not started yet
      GNUTLS_CERT_EXPIRED              a certificate's validity period has ended
      GNUTLS_CERT_SIGNATURE_FAILURE    a signature in the chain did not verify
      GNUTLS_CERT_UNEXPECTED_OWNER     the certificate is not issued for the given hostname
      GNUTLS_CERT_PURPOSE_MISMATCH     the certificate's key usage does not permit the peer's role
      GNUTLS_CERT_MISSING_OCSP_STATUS  a required (must-staple) OCSP response was not provided
      GNUTLS_CERT_INVALID_OCSP_STATUS  the provided OCSP response is invalid
  • Return value: 0 (GNUTLS_E_SUCCESS) when verification ran, whatever the outcome recorded in status, or a negative error code when it could not run (for example GNUTLS_E_NO_CERTIFICATE_FOUND when the peer sent no certificate). A return of 0 therefore does not mean the peer is trusted; status must be checked as well, and both a negative return and a non-zero status must be treated as failure.

Examples

Because gnutls_certificate_verify_peers3 is a library call, there is no binary of that name to run. The same checks are performed from the command line by gnutls-cli, the GnuTLS client: it verifies the server's chain against the system trust store and checks the hostname by default, prints a "- Status:" line describing the result, and exits non-zero when verification fails unless --insecure is given. Redirecting stdin from /dev/null makes it close the connection after the handshake instead of waiting for input.

Verify a server's certificate (port 443, system CAs):

gnutls-cli --port 443 example.com </dev/null

Verify a server's certificate using a specific priority string:

gnutls-cli --priority NORMAL example.com </dev/null

Verify a server's certificate against a private CA and a CRL:

gnutls-cli --x509cafile my_ca.crt --x509crlfile my_crl.crl example.com </dev/null

Verify the certificate for a name other than the address connected to, for example when testing a backend by IP address (203.0.113.10 is a placeholder):

gnutls-cli --verify-hostname=example.com 203.0.113.10 </dev/null

Common Issues

  • Return value is 0 but the connection is still untrusted: the function returned successfully while reporting failure bits in status. Code that checks only the return value accepts every certificate; always test status for zero and render it with gnutls_certificate_verification_status_print when logging.
  • GNUTLS_E_NO_CERTIFICATE_FOUND: the peer sent no certificate, or the function was called before the handshake reached the certificate exchange. Call it from the verify callback or after gnutls_handshake completes.
  • GNUTLS_CERT_SIGNER_NOT_FOUND on every connection: no trust anchors were loaded into the credentials. Call gnutls_certificate_set_x509_system_trust or gnutls_certificate_set_x509_trust_file before the handshake; a CRL loaded with gnutls_certificate_set_x509_crl_file is only consulted once the chain has an anchor.
  • GNUTLS_CERT_UNEXPECTED_OWNER: the certificate is not issued for the hostname given. Pass the name the user connected to, not a resolved IP address or a CNAME target, and do not work around the error by passing NULL, which disables the name check entirely.
  • Connection refused: a TCP-level failure that happens before any handshake, so verification never runs. Confirm the server listens on the port used and that no firewall blocks the path; gnutls-cli reports the same error.
  • Unsupported certificate type: the function verifies X.509 chains. Check the negotiated type with gnutls_certificate_type_get and treat anything other than GNUTLS_CRT_X509 as untrusted unless the application deliberately supports it.

Integration

In application code the function is meant to be called from the verify callback installed with gnutls_certificate_set_verify_function, so that a rejected chain aborts the handshake before any application data is sent. Since GnuTLS 3.4.6 the same check can be requested with gnutls_session_set_verify_cert(session, hostname, 0); the handshake then fails with GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR and gnutls_session_get_verify_cert_status returns the status bits. For scripts and automated checks, gnutls-cli performs the verification and reports the result through its exit status.

Example script to verify several hosts against the system trust store:

#!/bin/bash
# gnutls-cli verifies chain and hostname by default and exits non-zero on failure.
HOSTS=("example.com" "example2.com" "example3.com")
rc=0
for HOST in "${HOSTS[@]}"; do
  if gnutls-cli --port 443 "$HOST" </dev/null >/dev/null 2>&1; then
    echo "OK   $HOST"
  else
    echo "FAIL $HOST"
    rc=1
  fi
done
exit $rc

Related Commands

  • gnutls-cli: GnuTLS command-line client; performs the same chain and hostname verification against a live server.
  • certtool: GnuTLS tool for inspecting certificates and verifying chains offline (certtool --verify-chain).
  • gnutls_certificate_verify_peers2, gnutls_session_set_verify_cert: the related library calls (the same check without a hostname, and automatic verification during the handshake).
  • openssl verify, openssl s_client: OpenSSL equivalents for offline chain checks and live connections.