Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Firewalls, computer, server and network security, kernel and applications security of FreeBSD/Linux/AIX systems.

Author: mandrei99
Post subject: How to check HTTPS site certificate chain with OpenSSL | Posted: Fri Oct 04, 2013 10:39 am


How to check HTTPS site certificate chain with OpenSSL

Some free Certificate Authorities on the internet are not root CAs but intermediate-level CAs. This means that they will sign one's SSL certificate, but they are not recognized by the browser, because most browsers only recognize root CAs.

How to see the certificate chain of an HTTPS website:
Code:
# openssl s_client -connect ivorde.ro:443 -tls1
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/description=mc70f5sU6H9LaX1x/C=NL/CN=webmail.ivorde.ro/emailAddress=postmaster@ivorde.ro
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority


The above chain can be interpreted as:
1. The certificate is issued for CN=webmail.ivorde.ro and is signed by CN=StartCom Class 1 Primary Intermediate Server CA.
2. The certificate CN=StartCom Class 1 Primary Intermediate Server CA is signed by CN=StartCom Certification Authority.
3. The certificate CN=StartCom Certification Authority is signed by itself (CN=StartCom Certification Authority) and is the top or last level, the root CA.

Checking your browser's incorporated CAs, you can see "StartCom Ltd." -> StartCom Certification Authority listed as a recognized CA (Firefox).
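
Added example (not part of the original post): a shell function that performs the same subject/issuer reading of the "Certificate chain" section automatically, so a missing intermediate or a chain that does not end at a self-signed root stands out. The names `sample_chain` and `check_chain` are hypothetical; the check compares names only and does not verify signatures.

```shell
#!/bin/sh
# Chain section copied from the s_client output in the post above.
sample_chain() {
cat <<'EOF'
Certificate chain
0 s:/description=mc70f5sU6H9LaX1x/C=NL/CN=webmail.ivorde.ro/emailAddress=postmaster@ivorde.ro
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
EOF
}

# check_chain: reads `openssl s_client` output on stdin.
# Returns 0 if every issuer equals the next subject and the last
# certificate is self-signed (a root); returns 1 otherwise.
check_chain() {
  awk '
    BEGIN { n = 0 }
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---/         { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n++] = $0 }
    END {
      if (n == 0) { print "no certificate chain found"; exit 1 }
      bad = 0
      for (k = 0; k < n; k++) {
        if (k < n - 1) {
          ok = (iss[k] == subj[k + 1])   # issuer must be the next subject
          printf "%d %s issuer=%s\n", k, (ok ? "OK" : "BROKEN"), iss[k]
        } else {
          ok = (iss[k] == subj[k])       # last entry should be self-signed
          printf "%d %s subject=%s\n", k, (ok ? "ROOT" : "NOT-ROOT"), subj[k]
        }
        if (!ok) bad = 1
      }
      exit bad
    }'
}

# Offline run on the embedded sample. Against a live server:
#   openssl s_client -connect ivorde.ro:443 </dev/null 2>/dev/null | check_chain
sample_chain | check_chain
```

A `NOT-ROOT` result on the last line is common and not necessarily a fault: many servers send only the leaf and intermediate and leave the root to the client's trust store.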