How to check the connection to remote server with a digital certificate (client authentication)

You can use curl or wget.

curl --cert <your cert>

or

wget --certificate=<yourt cert>

THe certificate (of course with priv key) needs to be located in a p12 file. You can specify the passphrase of this file.

You can use openssl s_client to inspect the certificate for validity.

openssl s_client -connect www.google.com -CApath /usr/share/ca-certificates

This gives me:

[mark@pericles ~]$ openssl s_client -connect www.google.de:443 -CApath /usr/share/ca-certificates/
CONNECTED(00000004)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
<snip>
    Verify return code: 0 (ok)
---

The -CApath parameter point to the CA certificates to validate against. I'm on Arch Linux, hence these are in /usr/share/ca-certificates.

This is extremely handy when debugging certificates you rolled out, but equally useful, when you don't have control over the other side.

To use a client certificate add the following to the s_client command line:

-cert xxx.pem -key xxx.pem

Here xxx.pem contains both the client certificate and the key. You simply pass it to both options.