HOW TO: Get the Certificate Chain for a website

OpenSSL provides a very simple way to check and retrieve the SSL/TLS certificate chain that a site or web server offers to clients attempting to connect to it. This check is an effective technique for diagnosing SSL/TLS issues, and in my experience certain setups need the chain installed on their local servers to work correctly.

So, next time your clients ask for your chain, pass this command along for them to see what they should be getting from your websites.


openssl s_client -showcerts -connect <server name>:port


For example, if we need to check on Google’s chain for whatever reason, we can do the following on a terminal:

openssl s_client -showcerts -connect www.google.com:443

Here is the output that comes back:

CONNECTED(00000005)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MIIEdjCCA16gAwIBAgIIIgEacCi4OqkwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTgwMjI4MjI0MTI4WhcNMTgwNTIzMjIwOTAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIBKyZ
x1obKgkoo6yfr3cufloqndgonu3CDLJDDPkD4GChNvbTrmQZSD1BkzClS6PvJRoU
zxR16nIX2F/oAOsHtQOmBd+UlbDaii+O/1bc9oz8XtOU9l/2G3owBFZIxnVdgTea
XhI7NGu6iZr65w1x0ssSOyels0d67NjUjYOMp/vboCaEmPEQls0d3oTspfMTh2bB
PDto5lE3k45lU0cgqHBwBbk0rzmutQ5lezx/3696exUPZkc8YIhDXcMqmyMMBxoj
zDmvzAhbt6ZEhUH+1dJHRuMaw3Gf3F9zBWwWNOKZG9P93dRBDnzQnQ+Y+i1VL9D0
2tffakwYwZ9HfJYxAgMBAAGjggFBMIIBPTATBgNVHSUEDDAKBggrBgEFBQcDATAZ
BgNVHREEEjAQgg53d3cuZ29vZ2xlLmNvbTBoBggrBgEFBQcBAQRcMFowKwYIKwYB
BQUHMAKGH2h0dHA6Ly9wa2kuZ29vZ2xlLmNvbS9HSUFHMi5jcnQwKwYIKwYBBQUH
MAGGH2h0dHA6Ly9jbGllbnRzMS5nb29nbGUuY29tL29jc3AwHQYDVR0OBBYEFORf
W86xX5oesXf0Xx986h5M9veoMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUSt0G
Fhu89mi1dvWBtrtiGrpagS8wIQYDVR0gBBowGDAMBgorBgEEAdZ5AgUBMAgGBmeB
DAECAjAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB
RzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBNqFCOEfHnMHKxrdnRD0EjA9magFr/
VaF+kpRuqkE/0iMW8G8kycvuLQPhVLLSrc0lqYBzaVYscRKOnSJip9x6pvmr+0Dz
zxfw9DNrmdtMWyy0AhB4vOJiB43L0teBZQ70qoW5BDAH/rZ5svNujzc31ESZISJV
VkDd37IiNAbPXSKo1xzLUWjcI9eaNf6SO+rn3UxV6SJXXwAvWLRrkld/TS52cR2m
tE1f+Ol9rIJdbGlv4JIsxudj6o9K1Tv28IfFGfxSDUx30PS4/FtPhSXTHF4EH93C
b+PS0X3XUshdsU0EjbSxAeAU/PMOw4U/tgNXIJ/Q3+DModkeslQBtLXM
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIEKDCCAxCgAwIBAgIQAQAhJYiw+lmnd+8Fe2Yn3zANBgkqhkiG9w0BAQsFADBC
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMS
R2VvVHJ1c3QgR2xvYmFsIENBMB4XDTE3MDUyMjExMzIzN1oXDTE4MTIzMTIzNTk1
OVowSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMT
HEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCcKgR3XNhQkToGo4Lg2FBIvIk/8RlwGohGfuCPxfGJziHu
Wv5hDbcyRImgdAtTT1WkzoJile7rWV/G4QWAEsRelD+8W0g49FP3JOb7kekVxM/0
Uw30SvyfVN59vqBrb4fA0FAfKDADQNoIc1Fsf/86PKc3Bo69SxEE630k3ub5/DFx
+5TVYPMuSq9C0svqxGoassxT3RVLix/IGWEfzZ2oPmMrhDVpZYTIGcVGIvhTlb7j
gEoQxirsupcgEcc5mRAEoPBhepUljE5SdeK27QjKFPzOImqzTs9GA5eXA37Asd57
r0Uzz7o+cbfe9CUlwg01iZ2d+w4ReYkeN8WvjnJpAgMBAAGjggERMIIBDTAfBgNV
HSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1
dvWBtrtiGrpagS8wDgYDVR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggr
BgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAw
NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9i
YWwuY3JsMCEGA1UdIAQaMBgwDAYKKwYBBAHWeQIFATAIBgZngQwBAgIwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQDKSeWs
12Rkd1u+cfrP9B4jx5ppY1Rf60zWGSgjZGaOHMeHgGRfBIsmr5jfCnC8vBk97nsz
qX+99AXUcLsFJnnqmseYuQcZZTTMPOk/xQH6bwx+23pwXEz+LQDwyr4tjrSogPsB
E4jLnD/lu3fKOmc2887VJwJyQ6C9bgLxRwVxPgFZ6RGeGvOED4Cmong1L7bHon8X
fOGLVq7uZ4hRJzBgpWJSwzfVO+qFKgE4h6LPcK2kesnE58rF2rwjMvL+GMJ74N87
L9TQEOaWTPtEtyFkDbkAlDASJodYmDkFOA/MgkgMCkdm7r+0X8T/cKjhf4t5K7hl
MqO5tzHpCvX2HzLc
-----END CERTIFICATE-----
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
No client certificate CA names sent
SSL handshake has read 3822 bytes and written 444 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 450428D16546BC18D7598A42C3C07E1CB8BCC4CA17AC538D457F29C7D079DE3D
    Session-ID-ctx:
    Master-Key: CE4B9F189AFFF2B92782681943AD60255DBF4BD8B47A07100EC8B54B2964747042265C654BBE3F143BE9B7D38D9EEB71
    TLS session ticket lifetime hint: 100799 (seconds)
    TLS session ticket:
    0000 - 00 31 ad dd 58 bc be 25-54 c6 9b 38 b4 4b 6e 25   .1..X..%T..8.Kn%
    0010 - 34 7e 8a bd 43 37 7a 09-ac 91 97 44 71 48 b7 47   4~..C7z....DqH.G
    0020 - 43 da 83 68 95 f5 5f 15-89 09 b3 c8 ed 4e 36 03   C..h.._......N6.
    0030 - 02 5d d9 1b bb 47 db 81-49 96 ec 54 d3 5e 67 71   .]...G..I..T.^gq
    0040 - 26 92 03 14 cc 73 c4 54-17 bd b0 da 72 fa 63 e1   &....s.T....r.c.
    0050 - d5 f8 b6 99 f8 08 01 32-10 72 a6 41 64 d6 5d 21   .......2.r.Ad.]!
    0060 - 58 85 a1 6c 70 9c 7c 1f-c6 b5 3b 86 20 6c b1 84   X..lp.|...;. l..
    0070 - a4 bd 1f 69 9f 42 b7 bf-df 5f 4a d9 7d 94 e3 79   ...i.B..._J.}..y
    0080 - c3 a0 4e 4e 5f 1f 45 91-e2 bb 06 1f 3a 2e c1 6e   ..NN_.E.....:..n
    0090 - 97 bb 3a 88 f6 7c 69 c0-93 0d 06 65 65 de c4 c2   ..:..|i....ee...
    00a0 - 21 0a 58 9c 6f bd 79 a5-6a 8b 6f 2f 9b 3e 9b 03   !.X.o.y.j.o/.>..
    00b0 - 04 c9 ef 39 c2 62 1e 99-eb 94 e7 d7 da 1b b2 62   ...9.b.........b
    00c0 - 48 88 09 7c d0 be 85 38-a7 de ef 18 9e 67 c1 17   H..|...8.....g..
    00d0 - 66 9a 08 3f 02                                    f..?.

    Start Time: 1521130184
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
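The output above is what a client sees on the wire. To make it machine-checkable, here is an added Python example (not part of the original post and not OpenSSL's own code) that parses `-showcerts` output in that layout, checks that each certificate's issuer line matches the next certificate's subject line, and collects the intermediate PEM blocks a client that lacks them would need. The sample output it parses is constructed, with placeholder base64 bodies and assumed names such as www.example.test; `showcerts_command` adds `-servername` (SNI) and an optional `-CAfile`, two flags the post's command does not use.

```python
"""Parse `openssl s_client -showcerts` output and sanity-check the chain.

Added example; not code from the original post or from OpenSSL. It runs
offline on a constructed sample in the same layout as the post's output.
"""
import re
from dataclasses import dataclass, field

# Line shapes s_client prints (compare the captured output in the post).
CHAIN_ENTRY_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:/C=US/..."
ISSUER_RE = re.compile(r"^\s*i:(.*)$")                # "   i:/C=US/..."
VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
VERIFY_RC_RE = re.compile(r"^Verify return code:\s*(\d+)\s*\((.*)\)")
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----\n", re.S)

# Constructed sample (assumed names; base64 bodies are placeholders).
SAMPLE = """\
depth=2 C = US, O = Example Trust Inc., CN = Example Root CA
verify error:num=20:unable to get local issuer certificate
Certificate chain
 0 s:/C=US/O=Example Corp/CN=www.example.test
   i:/C=US/O=Example Trust Inc./CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAFCERTBASE64PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/C=US/O=Example Trust Inc./CN=Example Intermediate CA
   i:/C=US/O=Example Trust Inc./CN=Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATECERTBASE64PLACEHOLDER
-----END CERTIFICATE-----
Server certificate
subject=/C=US/O=Example Corp/CN=www.example.test
issuer=/C=US/O=Example Trust Inc./CN=Example Intermediate CA
Verify return code: 20 (unable to get local issuer certificate)
"""


@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str
    pem: str = ""


@dataclass
class ChainReport:
    entries: list = field(default_factory=list)
    verify_errors: list = field(default_factory=list)
    verify_return: tuple = (None, "")

    def breaks(self):
        """Indices k where entry k's issuer != entry k+1's subject: the
        server sent certificates that do not link into one chain."""
        return [k for k in range(len(self.entries) - 1)
                if self.entries[k].issuer != self.entries[k + 1].subject]

    def intermediates_pem(self):
        """All sent certificates except the leaf: what a client that lacks
        the intermediates would need to install."""
        return "".join(e.pem for e in self.entries[1:])


def parse_showcerts(text):
    """Turn s_client -showcerts output into a ChainReport."""
    report, current = ChainReport(), None
    for line in text.splitlines():
        if m := CHAIN_ENTRY_RE.match(line):
            current = ChainEntry(int(m.group(1)), m.group(2).strip(), "")
            report.entries.append(current)
        elif (m := ISSUER_RE.match(line)) and current is not None:
            current.issuer = m.group(1).strip()
        elif m := VERIFY_ERR_RE.match(line):
            report.verify_errors.append((int(m.group(1)), m.group(2).strip()))
        elif m := VERIFY_RC_RE.match(line):
            report.verify_return = (int(m.group(1)), m.group(2).strip())
    # s_client prints each PEM block directly under its chain entry, in order.
    for entry, pem in zip(report.entries, PEM_RE.findall(text)):
        entry.pem = pem
    return report


def showcerts_command(host, port=443, cafile=None):
    """Argument list for a live run. -servername sends SNI so a server hosting
    several names returns the certificate for `host`; -CAfile supplies a root
    missing from the local store (the cause of verify error:num=20 above)."""
    cmd = ["openssl", "s_client", "-showcerts", "-servername", host,
           "-connect", f"{host}:{port}"]
    if cafile:
        cmd += ["-CAfile", cafile]
    return cmd


if __name__ == "__main__":
    rep = parse_showcerts(SAMPLE)
    for e in rep.entries:
        print(f"{e.depth}: {e.subject}  <- {e.issuer}")
    print("breaks:", rep.breaks(), "verify:", rep.verify_return)
```

To use it against a live server, run the command that `showcerts_command` returns with `</dev/null` on stdin (so s_client exits after the handshake instead of waiting for input) and pass the captured stdout to `parse_showcerts`. A non-empty `breaks()` means the certificates the server sent do not link into one chain; an empty `breaks()` together with `verify error:num=20`, as in the post's output, means the chain links up but OpenSSL could not find the issuer of the highest certificate it received in its local trust store, which `-CAfile` resolves.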
