Is there a way to check if the SSL digital certificate is valid without installing on the web server?
Are there any tools or mechanism(s) which can help validate a CA issued SSL certificate before installing it on the target web server?
Answer
Yes, you can use openssl to create a test server for your certificate with the s_server command. This creates a minimal SSL/TLS server that responds to HTTP requests on port 8080:
openssl s_server -accept 8080 -www -cert yourcert.pem -key yourcert.key -CAfile chain.pem
yourcert.pem is the X.509 certificate, yourcert.key is your private key and chain.pem contains the chain of trust between your certificate and a root certificate. Your CA should have given you yourcert.pem and chain.pem.
Then use openssl's s_client to make a connection:
openssl s_client -connect localhost:8080 -showcerts -CAfile rootca.pem
or on Linux:
openssl s_client -connect localhost:8080 -showcerts -CApath /etc/ssl/certs
Caution: That command doesn't verify that the host name matches the CN (common name) or SAN (subjectAltName) of your certificate. OpenSSL doesn't have a routine for the task yet. It's going to be added in OpenSSL 1.1.