OpenSSL "s_client -connect" - Show Server Certificate Chain

Q

How to show all certificates in the server certificate chain using the OpenSSL "s_client -connect" command? I know the server uses multiple intermediate CA certificates.

✍: FYIcenter.com

A

You can get all certificates in the server certificate chain if use "s_client -connect" with the "-showcerts" option as shown below:

C:\Users\fyicenter>\local\openssl\openssl.exe s_client \
 -connect www.twitter.com:443 -showcerts > twitter_chain.pem

C:\Users\fyicenter>type twitter_chain.pem

CONNECTED(00000160)
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2.5.4...
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at ...
-----BEGIN CERTIFICATE-----
MIIGfDCCBWSgAwIBAgIQHiLHN6ORXj+rZcS1pByuRjANBgkqhkiG9w0BAQUFADCB
ujELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
...
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at ...
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSig...
-----BEGIN CERTIFICATE-----
MIIF5DCCBMygAwIBAgIQW3dZxheE4V7HJ8AylSkoazANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
...
-----END CERTIFICATE-----
---
Server certificate
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2....
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use a...
---
No client certificate CA names sent
---
SSL handshake has read 3329 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 91750A293C83127D339C31FF8A5089E4B379BD357E45C5FC489EA1421...
    Session-ID-ctx:
    Master-Key: 4419CFF3988C6417198A9CCB0F3B85959407C288F792F25D53A6677CC...
    Key-Arg   : None
    Start Time: 1342620119
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

What you are getting from the output:

  • "-showcerts" option gives us all actually certificates in the "Certificate chain" section.
  • The entire "openssl s_client ..." command was executed on the Windows command line prompt directly.
  • The "> twitter_chain.pem" Windows output redirection was used to save the output to the "twitter_chain.pem" file.
  • File name "twitter_chain.pem" was used because the output contains intermediate CA certificates that used as the signing chain for the www.twitter.com server certificate.

 

OpenSSL "x509" Command

Save OpenSSL Command Output to File

OpenSSL "s_client" Command

⇑⇑ OpenSSL Tutorials

2012-07-24, 16🔥, 0💬