OpenSSL provides a very simple way to check or retrieve the SSL/TLS certificate chain that a site or web server offers to the clients attempting to connect to it. This check is an effective technique for diagnosing SSL/TLS issues, and at times, in my experience, certain setups seem to need the chain installed on their local servers to work correctly.
So, next time your clients ask for your chain, pass this command along for them to see what they should be getting from your websites.
openssl s_client -showcerts -connect <server name>:<port>
For example, if we need to check on Google’s chain for whatever reason, we can do the following on a terminal:
openssl s_client -showcerts -connect www.google.com:443
Here is the output that comes back:
CONNECTED(00000005)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3822 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 450428D16546BC18D7598A42C3C07E1CB8BCC4CA17AC538D457F29C7D079DE3D
Session-ID-ctx:
Master-Key: CE4B9F189AFFF2B92782681943AD60255DBF4BD8B47A07100EC8B54B2964747042265C654BBE3F143BE9B7D38D9EEB71
TLS session ticket lifetime hint: 100799 (seconds)
TLS session ticket:
Start Time: 1521130184
Timeout : 300 (sec)
Verify return code: 0 (ok)
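
To read the "Certificate chain" section mechanically, the shell function below (an added example, not part of the original post) checks that each certificate's issuer is the subject of the next certificate the server sent, and names the issuer the client must already have locally. The names check_chain_links and sample_chain are introduced here for illustration; the embedded sample is the set of s:/i: lines from the output above.

```shell
#!/bin/sh
# Added example. check_chain_links reads `openssl s_client -showcerts` output on
# stdin and checks that each certificate's issuer (i:) is the subject (s:) of
# the next certificate the server sent. Returns 0 if contiguous, 1 otherwise.
# Live use: openssl s_client -showcerts -connect host:443 </dev/null | check_chain_links
check_chain_links() {
    awk '
        BEGIN { n = 0 }
        # "<depth> s:<subject>" opens an entry, the "i:<issuer>" line closes it.
        /^[ \t]*[0-9]+ s:/ { sub(/^[ \t]*[0-9]+ s:/, ""); subj[n] = $0; next }
        /^[ \t]*i:/        { sub(/^[ \t]*i:/, "");        iss[n++] = $0; next }
        END {
            if (n == 0) { print "no certificate chain in input"; exit 1 }
            bad = 0
            for (k = 0; k < n - 1; k++) {
                if (iss[k] == subj[k + 1]) {
                    print "OK   " k " is issued by " (k + 1)
                } else {
                    print "GAP  " k " issuer missing from chain: " iss[k]
                    bad = 1
                }
            }
            # The last issuer is what the client must already trust locally.
            if (iss[n - 1] == subj[n - 1]) {
                print "ROOT self-signed: " subj[n - 1]
            } else {
                print "NEED in local trust store: " iss[n - 1]
            }
            exit bad
        }'
}

# The s:/i: lines from the "Certificate chain" section of the output above.
sample_chain() {
    cat <<'EOF'
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
EOF
}

sample_chain | check_chain_links
```

For the chain above, the issuer reported as needed locally is the Equifax one, which is the certificate the depth=2 "unable to get local issuer certificate" message says could not be found.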