OpenSSL - View SSL certificate using s_client and showcerts

When a server is configured to use SSL/TLS so that packets exchanged between the client and server are encrypted, the client will need to obtain the certificate from the server. For example, the following diagram illustrates how a client would obtain the certificate from an HTTPS web server.


OpenSSL can be used to identify the certificate that the server presents to the client.

openssl s_client -connect


If a certificate is being presented, basic information about the certificate should be displayed. Notice this displays the certificate chain (root certificate, intermediate certificate, server certificate). Being able to view the certificate chain can come in quite handy.

Certificate chain
 0 s:/C=US/ST=California/L=Hollywood/O=example/
   i:/C=US/O=example/CN=Example Internet Authority G3
 1 s:/C=US/O=example/CN=Example Internet Authority G3
   i:/OU=Example Root CA
Server Certificate
. . .
issuer=/C=US/O=example/CN=Example Internet Authority G3


You may also need to include the -showcerts flag.

~]$ openssl s_client -showcerts -connect


Target URL

You only need to use the hostname of the web server, such as or or In other words, there is no need to use a sub directory, such as, since the certificate would be provided by just

openssl s_client -connect


Close the connection

By default, the connection to the target server will remain open. You can echo Q (that stands for quit) so that the connection is closed after you get what you need.

echo "Q" | openssl s_client -connect


Ignore "depth"

By default, the first few lines of output with be "depth" and "verify return". While this information can be helpful when debugging, if you are not debugging, this information can be kind of annoying.

depth=1 C = US, ST = California, L = Hollywood, O = example, CN =
verify return:1
depth=0 C = US, O = example, CN = Example Internet Authority G3
verify return:1


You can use 2>/dev/null to not print the "depth" and "verify return" lines.

echo "Q" | openssl s_client -connect 2>/dev/null


Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee

Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter fc6f0 in the box below so that we can be sure you are a human.


Web design by yours truely - me, myself, and I   |   |