Bootstrap FreeKB - OpenSSL - View SSL certificate using s_client and showcerts

When a server is configured to use SSL/TLS so that packets exchanged between the client and server are encrypted, the client will need to obtain the certificate from the server. For example, the following diagram illustrates how a client would obtain the certificate from an HTTPS web server.

 

OpenSSL can be used to identify the certificate that the server presents to the client.

openssl s_client -connect www.example.com:443

 

You only need the hostname and port of the target, such as www.example.com:443. There is no need to include a path such as www.example.com/foo/bar, since the certificate is presented for the host (www.example.com), not for a particular path.

openssl s_client -connect www.example.com:443

 

If a certificate is being presented, basic information about the certificate should be displayed. Notice that this includes the certificate chain: the server certificate at depth 0, the intermediate certificate at depth 1, and the root CA named as the issuer of the last entry. Being able to view the certificate chain is often useful when troubleshooting trust errors.

Certificate chain
 0 s:/C=US/ST=California/L=Hollywood/O=example/CN=www.example.com
   i:/C=US/O=example/CN=Example Internet Authority G3
 1 s:/C=US/O=example/CN=Example Internet Authority G3
   i:/OU=Example Root CA
---
Server Certificate
-----BEGIN CERTIFICATE-----
. . .
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Hollywood/O=example/CN=www.example.com
issuer=/C=US/O=example/CN=Example Internet Authority G3

 

You may also need to include the -showcerts flag.

~]$ openssl s_client -showcerts -connect www.example.com:443
-----BEGIN CERTIFICATE-----
MIIDTDCCAjQCCQD7guN49Lc+BzANBgkqhkiG9w0BAQ0FADBoMQswCQYDVQQGE...
-----END CERTIFICATE-----

 

By default, s_client keeps the connection to the target server open and waits for input on stdin. Piping an empty line from echo into it closes stdin, so the connection is shut down as soon as the handshake output has been printed.

echo | openssl s_client -connect www.example.com:443

 

By default, the first few lines of output will be "depth" and "verify return" lines from the certificate verification callback, printed from the top of the chain down to the server certificate. While this information can be helpful when debugging, it is noise when you only want to see the certificate.

depth=1 C = US, O = example, CN = Example Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Hollywood, O = example, CN = www.example.com
verify return:1

 

These lines are written to stderr, so you can use 2>/dev/null to suppress the "depth" and "verify return" lines without losing the certificate output on stdout.

echo | openssl s_client -connect www.example.com:443 2>/dev/null

 

This one-liner returns only the BEGIN CERTIFICATE to END CERTIFICATE blocks. With -showcerts, every certificate the server sent is included, so the output can be saved directly as a PEM chain file.

echo | openssl s_client -connect www.example.com:443 -showcerts 2>/dev/null | sed -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
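As an added example (not from the article or the OpenSSL project), the following Python script does offline what the article does by eye: it parses the "Certificate chain" block and the PEM blocks of `s_client -showcerts` output, checks that each certificate's issuer is the next certificate's subject, and reports whether the server also sent a self-signed root. The sample output is constructed from the chain shown above; the PEM bodies are placeholders, not real certificates.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output, based on the
# chain shown in the article; the PEM bodies are placeholders, not real certs.
SAMPLE = """\
Certificate chain
 0 s:/C=US/ST=California/L=Hollywood/O=example/CN=www.example.com
   i:/C=US/O=example/CN=Example Internet Authority G3
-----BEGIN CERTIFICATE-----
PLACEHOLDER_LEAF_CERT_BASE64
-----END CERTIFICATE-----
 1 s:/C=US/O=example/CN=Example Internet Authority G3
   i:/OU=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER_INTERMEDIATE_CERT_BASE64
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Hollywood/O=example/CN=www.example.com
issuer=/C=US/O=example/CN=Example Internet Authority G3
"""

ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:/C=US/..." (or "s:C = US, ..." in newer OpenSSL)
ISSUER_RE = re.compile(r"^\s*i:(.*)$")        # "   i:/C=US/..."
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' block."""
    lines = text.splitlines()
    chain = []
    for n, line in enumerate(lines[:-1]):
        entry = ENTRY_RE.match(line)
        issuer = ISSUER_RE.match(lines[n + 1])
        if entry and issuer:
            chain.append((int(entry.group(1)), entry.group(2).strip(), issuer.group(1).strip()))
    return chain


def extract_pems(text):
    """Same selection as the article's sed range: every BEGIN..END CERTIFICATE block."""
    return PEM_RE.findall(text)


def check_chain(chain):
    """Check that depth N's issuer is depth N+1's subject, and whether the server
    also sent a self-signed root (usually it does not; the client is expected to
    hold the root in its own trust store)."""
    problems = [f"depth {d}: issuer {iss!r} != next subject {nxt!r}"
                for (d, _, iss), (_, nxt, _) in zip(chain, chain[1:]) if iss != nxt]
    root_included = bool(chain) and chain[-1][1] == chain[-1][2]
    return {"depth0_subject": chain[0][1] if chain else None,
            "root_included": root_included, "problems": problems}


if __name__ == "__main__":
    chain = parse_chain(SAMPLE)
    print(check_chain(chain), len(extract_pems(SAMPLE)), "PEM blocks")
```

To use it on a live server, replace SAMPLE with the captured output of `echo | openssl s_client -connect host:443 -showcerts 2>/dev/null`.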
