Bootstrap FreeKB - OpenSSL - View SSL certificate using s_client and showcerts
OpenSSL - View SSL certificate using s_client and showcerts
Updated:   |  OpenSSL articles

When a server is configured to use SSL/TLS so that packets exchanged between the client and server are encrypted, the client will need to obtain the certificate from the server. For example, the following diagram illustrates how a client would obtain the certificate from an HTTPS web server.

 

OpenSSL can be used to identify the certificate that the server presents to the client.

openssl s_client -connect www.example.com:443

 

If a certificate is being presented, basic information about the certificate should be displayed. Notice this displays the certificate chain (root certificate, intermediate certificate, server certificate). Being able to view the certificate chain can come in quite handy.

Certificate chain
 0 s:/C=US/ST=California/L=Hollywood/O=example/CN=www.example.com
   i:/C=US/O=example/CN=Example Internet Authority G3
 1 s:/C=US/O=example/CN=Example Internet Authority G3
   i:/OU=Example Root CA
---
Server Certificate
-----BEGIN CERTIFICATE-----
. . .
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Hollywood/O=example/CN=www.example.com
issuer=/C=US/O=example/CN=Example Internet Authority G3

 

You may also need to include the -showcerts flag.

~]$ openssl s_client -showcerts -connect www.example.com:443
-----BEGIN CERTIFICATE-----
MIIDTDCCAjQCCQD7guN49Lc+BzANBgkqhkiG9w0BAQ0FADBoMQswCQYDVQQGE...
-----END CERTIFICATE-----

 

Target URL

You only need to use the hostname of the web server, such as www.example.com or www.google.com or www.freekb.net. In other words, there is no need to use a sub directory, such as www.example.com/foo/bar, since the certificate would be provided by just www.example.com.

openssl s_client -connect www.example.com:443

 

Close the connection

By default, the connection to the target server will remain open. You can echo Q (that stands for quit) so that the connection is closed after you get what you need.

echo "Q" | openssl s_client -connect www.example.com:443

 

Ignore "depth"

By default, the first few lines of output with be "depth" and "verify return". While this information can be helpful when debugging, if you are not debugging, this information can be kind of annoying.

depth=1 C = US, ST = California, L = Hollywood, O = example, CN = www.example.com
verify return:1
depth=0 C = US, O = example, CN = Example Internet Authority G3
verify return:1

 

You can use 2>/dev/null to not print the "depth" and "verify return" lines.

echo "Q" | openssl s_client -connect www.example.com:443 2>/dev/null

 

Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee


Comments


Add a Comment


Please enter cc7e11 in the box below so that we can be sure you are a human.