FreeKB - View SSL certificate using OpenSSL on Linux
View SSL certificate using OpenSSL on Linux

Home > Search


When a server is configured to use SSL/TLS so that packets exchanged between the client and server are encrypted, the client will need to obtain the certificate from the server. For example, the following diagram illustrates how a client would obtain the certificate from an HTTPS web server.

 

OpenSSL can be used to identify the certificate that the server presents to the client.

openssl s_client -connect www.example.com:443

 

If a certificate is being presented, basic information about the certificate should be displayed. Notice this displays the certificate chain (root certificate, intermediate certificate, server certificate). Being able to view the certificate chain can come in quite handy.

Certificate chain
 0 s:/C=US/ST=California/L=Hollywood/O=example/CN=www.example.com
   i:/C=US/O=example/CN=Example Internet Authority G3
 1 s:/C=US/O=example/CN=Example Internet Authority G3
   i:/OU=Example Root CA
---
Server Certificate
-----BEGIN CERTIFICATE-----
. . .
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Hollywood/O=example/CN=www.example.com
issuer=/C=US/O=example/CN=Example Internet Authority G3

 


Target URL

You only need to use the hostname of the web server, such as www.example.com or www.google.com or www.freekb.net. In other words, there is no need to use a sub directory, such as www.example.com/foo/bar, since the certificate would be provided by just www.example.com.

openssl s_client -connect www.example.com:443

 


Close the connection

By default, the connection to the target server will remain open. You can echo Q (that stands for quit) so that the connection is closed after you get what you need.

echo "Q" | openssl s_client -connect www.example.com:443

 


Ignore "depth"

By default, the first few lines of output with be "depth" and "verify return". While this information can be helpful when debugging, if you are not debugging, this information can be kind of annoying.

depth=1 C = US, ST = California, L = Hollywood, O = example, CN = www.example.com
verify return:1
depth=0 C = US, O = example, CN = Example Internet Authority G3
verify return:1

 

You can use 2>/dev/null to not print the "depth" and "verify return" lines.

echo "Q" | openssl s_client -connect www.example.com:443 2>/dev/null

 



Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.




Please enter 92be3 in the box below so that we can be sure you are a human.




Comments