$ Linux One Liners
Back to lessons

Web Server Rescue

Show TLS Certificate Names

You need to inspect the certificate subject and SAN names served for a hostname.

Command

openssl s_client -connect edge.test:443 -servername edge.test /dev/null | openssl x509 -noout -subject -ext subjectAltName

What changed

Nothing changes. The command performs a read-only TLS handshake and prints certificate identity fields.

Danger

safe

When to use it

Use when browsers report a hostname mismatch or a CDN serves the wrong certificate.

When not to use it

Do not rely on the CN alone; modern clients validate SAN names.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Certificate subject plus subjectAltName entries.

demo script

Disposable terminal steps

  1. openssl s_client -connect edge.test:443 -servername edge.test /dev/null | openssl x509 -noout -subject
  2. openssl s_client -connect edge.test:443 -servername edge.test /dev/null | openssl x509 -noout -subject -ext subjectAltName
Terminal transcript Demo JSON

simulated output

What it looks like

disposable vessel 
::fixture-ready::
$ openssl s_client -connect edge.test:443 -servername edge.test /dev/null | openssl x509 -noout -subject
subject=CN = edge.test
X509v3 Subject Alternative Name:
    DNS:edge.test, DNS:www.edge.test
::exit-code::0
$ openssl s_client -connect edge.test:443 -servername edge.test /dev/null | openssl x509 -noout -subject -ext subjectAltName
subject=CN = edge.test
X509v3 Subject Alternative Name:
    DNS:edge.test, DNS:www.edge.test
::exit-code::0

YouTube Short

Check cert names.

A certificate can be unexpired and still wrong. Check the SAN list for the hostname users typed.

LinkedIn hook

The cert was valid, but not for this hostname.

Question: When TLS fails, do you check expiry or SAN coverage first?

experiments

A/B tests to run

Metric: completion_rate

A: Valid cert, wrong hostname.

B: Check SAN names first.