OpenSSL "s_client -connect" - Show Server Certificate Chain

Q

How to show all certificates in the server certificate chain using the OpenSSL "s_client -connect" command? I know the server uses multiple intermediate CA certificates.

✍: FYIcenter.com

A

You can get all certificates in the server certificate chain if use "s_client -connect" with the "-showcerts" option as shown below:

C:\Users\fyicenter>\local\openssl\openssl.exe s_client \
 -connect www.twitter.com:443 -showcerts > twitter_chain.pem

C:\Users\fyicenter>type twitter_chain.pem

CONNECTED(00000160)
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2.5.4...
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at ...
-----BEGIN CERTIFICATE-----
MIIGfDCCBWSgAwIBAgIQHiLHN6ORXj+rZcS1pByuRjANBgkqhkiG9w0BAQUFADCB
ujELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
...
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at ...
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSig...
-----BEGIN CERTIFICATE-----
MIIF5DCCBMygAwIBAgIQW3dZxheE4V7HJ8AylSkoazANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
...
-----END CERTIFICATE-----
---
Server certificate
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2....
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use a...
---
No client certificate CA names sent
---
SSL handshake has read 3329 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 91750A293C83127D339C31FF8A5089E4B379BD357E45C5FC489EA1421...
    Session-ID-ctx:
    Master-Key: 4419CFF3988C6417198A9CCB0F3B85959407C288F792F25D53A6677CC...
    Key-Arg   : None
    Start Time: 1342620119
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

What you are getting from the output:

  • "-showcerts" option gives us all actually certificates in the "Certificate chain" section.
  • The entire "openssl s_client ..." command was executed on the Windows command line prompt directly.
  • The "> twitter_chain.pem" Windows output redirection was used to save the output to the "twitter_chain.pem" file.
  • File name "twitter_chain.pem" was used because the output contains intermediate CA certificates that used as the signing chain for the www.twitter.com server certificate.

 

OpenSSL "s_client" Command

⇒⇒OpenSSL Tutorials

2012-07-24, 8742👍, 0💬