====== Debug Server Certificate from Client ======

Credit for this example goes to "[[http://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/|Checking A Remote Certificate Chain With OpenSSL]]" from [[http://langui.sh/|langui.sh]].

  openssl s_client -showcerts -connect www.andunix.net:443

Information about the arguments used, from the OpenSSL man page:

  * ''[[http://www.openssl.org/docs/apps/s_client.html|s_client]]'': SSL/TLS client program
  * ''[[http://www.openssl.org/docs/apps/s_client.html#item__showcerts|-showcerts]]'': display the whole server certificate chain: normally only the server certificate itself is displayed.
  * ''[[http://www.openssl.org/docs/apps/s_client.html#item__connect|-connect www.andunix.net:443]]'': This specifies the host and optional port to connect to. If not specified then an attempt is made to connect to the local host on port 443.

===== Example Output =====

  $ openssl s_client -showcerts -connect www.andunix.net:443
  CONNECTED(00000003)
  depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2
  verify error:num=20:unable to get local issuer certificate
  verify return:0
  ---
  Certificate chain
   0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.andunix.net
     i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
   1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
     i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
  ---
  Server certificate
  subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=www.andunix.net
  issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 3229 bytes and written 443 bytes
  ---
  New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
  Server public key is 2048 bit
  Secure Renegotiation IS supported
  Compression: NONE
  Expansion: NONE
  SSL-Session:
      Protocol : TLSv1.2
      Cipher : ECDHE-RSA-AES256-GCM-SHA384
      Session-ID: 9B356D595A9E2F7330136DB12E1CE20CCFAC3490563E358B9A5C833B46552A67
      Session-ID-ctx:
      Master-Key: C9BFCE43302AD337656D867BC6D253BFD034B59E942F7A53012E4CEC5EE3615C34B75571C934E58D96C10DEC47A071B3
      Key-Arg : None
      PSK identity: None
      PSK identity hint: None
      SRP username: None
      TLS session ticket lifetime hint: 300 (seconds)
      TLS session ticket:
      ...
      Start Time: 1398672406
      Timeout : 300 (sec)
      Verify return code: 20 (unable to get local issuer certificate)
  ---
  ^C

{{tag>cryptography howto openssl security}}
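
The script below is an added example, not part of the original page or of OpenSSL: it reads ''s_client -showcerts'' output and reports each certificate in the chain, whether every issuer matches the next subject, and which issuer the local trust store must supply, which is what "verify error:num=20" in the output above points at. The function names are hypothetical, the sample input is constructed from the page's example output with the PEM bodies left out, and the parser assumes the "N s:" / "i:" line layout shown above.

```shell
#!/bin/sh
# Added example (not from the original page): summarise s_client -showcerts output.

# Constructed sample: the page's example output with the PEM bodies left out.
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.andunix.net
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=www.andunix.net
---
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Reads s_client output on stdin and reports each certificate, whether every
# issuer matches the next subject, and which issuer must come from local trust.
chain_summary() {
  awk '
    /^Certificate chain/       { in_chain = 1; next }
    /^Server certificate/      { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { n = $1 + 0; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; count = n + 1; next }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
    /Verify return code:/      { sub(/^.*Verify return code: */, ""); verify = $0 }
    END {
      for (k = 0; k < count; k++) {
        printf "cert %d subject=%s\n", k, subj[k]
        printf "cert %d issuer=%s\n", k, iss[k]
        if (k + 1 < count)
          printf "link %d->%d %s\n", k, k + 1, (iss[k] == subj[k + 1] ? "ok" : "BROKEN")
      }
      # If the last certificate sent is not self-signed, its issuer has to be
      # in the local trust store (-CAfile / -CApath) for verification to pass.
      if (count > 0 && iss[count - 1] != subj[count - 1])
        printf "needs-local-issuer=%s\n", iss[count - 1]
      printf "verify=%s\n", verify
    }'
}

# Live use: openssl s_client -showcerts -connect HOST:443 </dev/null 2>/dev/null | chain_summary
sample_output | chain_summary
```

A "BROKEN" link means the server sends certificates that do not chain to each other, which is a server-side configuration problem; a "needs-local-issuer" line with return code 20 means the client was not given a CA file or directory containing that issuer.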