Securing communication over the internet is crucial in today's digital age, and one fundamental aspect of this security is the use of SSL/TLS certificates. One common task is obtaining the certificate chain from a server, which includes the server's certificate along with any intermediate certificates in the chain. This information can be vital for troubleshooting, verifying the authenticity of a server, or ensuring that your own server's certificate is correctly configured. This tutorial shows how to get the certificate chain from a server using OpenSSL.
To retrieve the certificate chain from a server, we can use the openssl s_client command. The following command connects to the Google server on port 443 and displays the certificate chain:
echo | openssl s_client -showcerts -connect www.google.com:443
Let's break down the components of this command:
echo - provides an empty input and closes the input stream, so that openssl s_client doesn't wait for user input during the SSL/TLS handshake.
-showcerts - instructs openssl s_client to display the full certificate chain sent by the server.
-connect - specifies the server and port to connect to. Note: 443 is the standard port for HTTPS.
An example of part of the output:
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = www.google.com
verify return:1
---
Certificate chain
0 s:CN = www.google.com
i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 20 08:09:47 2023 GMT; NotAfter: Feb 12 08:09:46 2024 GMT
-----BEGIN CERTIFICATE-----
MIIEhjCCA26gAwIBAgIQMSLF87fiqdsJ4To3xUynTTANBgkqhkiG9w0BAQsFADBG
MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM
...
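The following script is an added example, not part of the original tutorial. It takes the output of openssl s_client -showcerts (as shown above) and splits the PEM blocks into one file per certificate, in the order the server sent them, and prints a one-line summary of each certificate's subject and issuer from the "s:" / "i:" headers. The host name www.example.com, the directory names and the sample output embedded in sample_output are constructed for the demo; the certificate bodies in that sample are placeholder text, not real certificates, so the script runs offline without a network connection.

```shell
#!/bin/sh
# Added example: post-process "openssl s_client -showcerts" output.
# Against a live server (assumes the host is reachable on port 443):
#   echo | openssl s_client -showcerts -connect www.example.com:443 2>/dev/null \
#     | split_chain ./chain
# Each extracted file can then be inspected with:
#   openssl x509 -noout -subject -issuer -dates -in ./chain/cert-0.pem

# split_chain DIR: reads s_client output on stdin, writes DIR/cert-N.pem
# (cert-0.pem is the leaf, cert-1.pem its issuer, ...) and prints the
# number of certificates written.
split_chain() {
    dir="$1"
    mkdir -p "$dir"
    awk -v dir="$dir" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { file = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > file }
        /-----END CERTIFICATE-----/  { close(file); inblock = 0; n++ }
        END { print n + 0 }
    '
}

# chain_summary: prints "depth<TAB>subject<TAB>issuer" for every
# certificate, taken from the "N s:" and "i:" header lines that precede
# each PEM block in the s_client output.
chain_summary() {
    awk '
        /^ *[0-9]+ s:/ { sub(/^ */, ""); depth = $1; sub(/^[0-9]+ s:/, ""); subject = $0 }
        /^ *i:/        { sub(/^ *i:/, ""); print depth "\t" subject "\t" $0 }
    '
}

# sample_output: constructed s_client-style output with two placeholder
# certificates (the base64 lines are NOT real certificates).
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
depth=1 C = US, O = Example Org, CN = Example Intermediate CA
verify return:1
depth=0 CN = www.example.com
verify return:1
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example Org, CN = Example Intermediate CA
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  1 00:00:00 2024 GMT; NotAfter: Apr  1 00:00:00 2024 GMT
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgTEVBRiBDRVJUSUZJQ0FURSBQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:C = US, O = Example Org, CN = Example Intermediate CA
   i:C = US, O = Example Org, CN = Example Root CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  1 00:00:00 2020 GMT; NotAfter: Jan  1 00:00:00 2030 GMT
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgSU5URVJNRURJQVRFIENFUlRJRklDQVRFIFBMQUNFSE9MREVS
-----END CERTIFICATE-----
---
EOF
}

# Demo on the constructed sample (no network needed).
demo_dir=$(mktemp -d)
sample_output | chain_summary
echo "certificates written: $(sample_output | split_chain "$demo_dir")"
```

Two things worth keeping in mind when reading the output: -showcerts prints exactly what the server sent, whether or not that chain is valid, while the "verify return:1" lines (or "verify error" lines) tell you whether your local trust store could build a path to a trusted root. On older OpenSSL releases, s_client does not send the SNI host name unless you add -servername www.example.com, so a virtual-hosted server may return a different certificate than the one a browser sees.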