OpenSSL "s_client -connect" - Show Server Certificate Chain

Q

How to show all certificates in the server certificate chain using the OpenSSL "s_client -connect" command? I know the server uses multiple intermediate CA certificates.

✍: FYIcenter.com

A

You can get all certificates in the server certificate chain if use "s_client -connect" with the "-showcerts" option as shown below:

C:\Users\fyicenter>\local\openssl\openssl.exe s_client \
 -connect www.twitter.com:443 -showcerts > twitter_chain.pem

C:\Users\fyicenter>type twitter_chain.pem

CONNECTED(00000160)
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2.5.4...
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at ...
-----BEGIN CERTIFICATE-----
MIIGfDCCBWSgAwIBAgIQHiLHN6ORXj+rZcS1pByuRjANBgkqhkiG9w0BAQUFADCB
ujELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
...
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at ...
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSig...
-----BEGIN CERTIFICATE-----
MIIF5DCCBMygAwIBAgIQW3dZxheE4V7HJ8AylSkoazANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
...
-----END CERTIFICATE-----
---
Server certificate
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2....
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use a...
---
No client certificate CA names sent
---
SSL handshake has read 3329 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 91750A293C83127D339C31FF8A5089E4B379BD357E45C5FC489EA1421...
    Session-ID-ctx:
    Master-Key: 4419CFF3988C6417198A9CCB0F3B85959407C288F792F25D53A6677CC...
    Key-Arg   : None
    Start Time: 1342620119
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

What you are getting from the output:

"-showcerts" option gives us all actually certificates in the "Certificate chain" section.
The entire "openssl s_client ..." command was executed on the Windows command line prompt directly.
The "> twitter_chain.pem" Windows output redirection was used to save the output to the "twitter_chain.pem" file.
File name "twitter_chain.pem" was used because the output contains intermediate CA certificates that used as the signing chain for the www.twitter.com server certificate.

⇒ OpenSSL "x509" Command

⇐ Save OpenSSL Command Output to File

⇑ OpenSSL "s_client" Command

⇑⇑ OpenSSL Tutorials

2012-07-24, 12880👍, 0💬

OpenSSL "x509 -fingerprint" - Print Certificate Fingerprint
How to print out MD5 and SHA-1 fingerprints of a certificate using OpenSSL "x509" command? I need to see them and validate them with the owner of the certificate. Assuming you have a certificate file located at: C:\Users\fyicenter\twitter.crt ,you can print out certificate fingerprints using the "x5... 2012-07-23, 17587👍, 0💬

OpenSSL "s_client -connect" - Connect to HTTPS Web Site
How to connect to a HTTPS Web site using OpenSSL? I see the Web sites using the "https:\" format. If you see a Web sites using the "https:\" format, for example https://twitter.com/login/, you can try to connect the Web site using the "x509 -connect" command as shown below: C:\Users\fyicenter&gt... 2012-07-24, 14879👍, 0💬

OpenSSL "s_client" Command Options
What can I use OpenSSL "s_client" command for? What are options supported by the "s_client" command? OpenSSL "s_client" command implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It's intended for testing purposes only and provides o... 2012-07-23, 14661👍, 0💬

OpenSSL "s_client -connect" - Show Server Certificate Chain
How to show all certificates in the server certificate chain using the OpenSSL "s_client -connect" command? I know the server uses multiple intermediate CA certificates. You can get all certificates in the server certificate chain if use "s_client -connect" with the "-showcerts" option as shown belo... 2012-07-24, 12881👍, 0💬

OpenSSL "verify -untrusted" - Specify Untrusted Certificate
How to specify those intermediate CA certificates that form the signing chain for the server certificate for OpenSSl "verify" command? I have the certificate chain from the server saved in a file. If you have the server certificate chain saved in a file, you can provide it to the OpenSSL "verify" co... 2012-07-24, 11261👍, 0💬

OpenSSL "verify" - Verify or Validate Certificate
How to verify or validate a certificate using OpenSSL "verify" command? I got a certificate from the Web site server and want to see if it is valid. If you have a certificate stored in a file, you can try to validate it or verify it with the OpenSSL "verify" command as shown below: C:\Users\fyicente... 2012-07-24, 8557👍, 0💬

Download Root CA Certificate
How to download the certificate from a root CA? I need to the root CA certificate to close the certification validation chain. If you know the CN (Common Name) of the root CA, for example "DigiCert High Assurance EV Root CA", you can search and download it our certificate database at certificate.fyi... 2012-07-24, 8541👍, 0💬

OpenSSL "s_client -connect" - View Server Certificate
How to view the server certificate using the OpenSSL "s_client -connect" command? You can get the server certificate, if use "s_client -connect" without the "-quiet" option as shown below: C:\Users\fyicenter>\loc al\openssl\openssl.exeOpenSSL> s_client -connect www.twitter.com:443 CONN... 2012-07-24, 8480👍, 0💬

OpenSSL "verify" Command Options
What can I use OpenSSL "verify" command for? What are options supported by the "verify" command? OpenSSL "verify" command is a utility to verify certificates. Here are options supported by the "verify" command: C:\Users\fyicenter>\loc al\openssl\openssl.exeOpenSSL> verify -h usage: ver... 2012-07-24, 6210👍, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.