Do a SSL certificate domain check

If you want openssl to actually verify the certificate, you need to tell it to do so.

1. Checking whether the hostname on the certificate matches the name you want

There's a specific option for that, -verify_hostname. In the command below, I use it on serverfault.com but I'm checking against the hostname example.com:

[jenny@temeraire crt] $ openssl s_client -verify_hostname example.com  -connect serverfault.com:443
CONNECTED(00000003)
[...]
    Verify return code: 62 (Hostname mismatch)
---
DONE

However, the return code of the process itself is still 0, meaming you have to look at the output instead of using the return code in a test.

2. Checking whether the certificate is from a trusted CA

I've run it against the serverfault.com website, without giving it a list of trusted CA:s to check again so that it would be guaranteed to fail verification:

[jenny@galactica tmp] $ openssl s_client -verify 2 -connect serverfault.com:443
[...]
    Verify return code: 27 (certificate not trusted)

However, openssl will still give you the return code 0, since the command actually executed properly, making it harder to script around.

A better way to do it would be to first download the certificate and then run openssl verify against it:

[jenny@galactica tmp] $ openssl verify selfsignedcert.pem; echo $?
selfsignedcert.pem: C=SE, O="Nevermind", CN=foo.example.com
error 18 at 0 depth lookup: self signed certificate
18

As you see, I got the return code 18 which means "self-signed certificate". There are a number of other error codes; check the man page for verify for more info.