Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides
https://forum.ivorde.com/

How to check HTTPS site certificate chain with OpenSSL
https://forum.ivorde.com/how-to-check-https-site-certificate-chain-with-openssl-t15441.html

Author:  mandrei99 [ Fri Oct 04, 2013 10:39 am ]
Post subject:  How to check HTTPS site certificate chain with OpenSSL

Some free Certificate Authorities on the internet are not root CAs, but are intermediate level. This means that they will sign one's SSL certificate, but they are not recognized by the browser because most of the browsers only recognize root CAs.

How to see the certificate chain of an HTTPS website:
Code:
# openssl s_client -connect ivorde.ro:443 -tls1
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/description=mc70f5sU6H9LaX1x/C=NL/CN=webmail.ivorde.ro/emailAddress=postmaster@ivorde.ro
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority


The above chain can be interpreted as:
1. The certificate is issued for CN=webmail.ivorde.ro and is signed by CN=StartCom Class 1 Primary Intermediate Server CA.
2. The certificate CN=StartCom Class 1 Primary Intermediate Server CA is signed by CN=StartCom Certification Authority.
3. The certificate CN=StartCom Certification Authority is signed by itself (CN=StartCom Certification Authority) and is the top or last level, the root CA.

Checking your browser's incorporated CAs, you can see "StartCom Ltd." -> StartCom Certification Authority listed as a recognized CA (Firefox).
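
The subject/issuer reading described in this post can be automated. The script below is an added example, not part of the original post: check_chain, page_chain and gap_chain are hypothetical names, page_chain replays the chain printed above, and gap_chain is a constructed variant in which the server left the intermediate out of its chain.

```shell
#!/bin/sh
# Added example; check_chain, page_chain and gap_chain are hypothetical names.
# check_chain reads `openssl s_client` output on stdin and checks that the
# issuer (i:) of each chain entry is the subject (s:) of the next entry.
# Exit status: 0 = links consistent, 1 = broken link, 2 = no chain found.
check_chain() {
    awk '
    BEGIN { n = 0 }
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---/         { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n++] = $0; next }
    END {
        if (n == 0) { print "no certificate chain found"; exit 2 }
        for (k = 0; k < n - 1; k++)
            if (iss[k] != subj[k + 1]) {
                printf "BROKEN: issuer of cert %d is not the subject of cert %d\n", k, k + 1
                exit 1
            }
        if (iss[n - 1] == subj[n - 1])
            print "OK: " n " certs, ends at a self-signed root"
        else
            print "OK: " n " certs, client must already trust: " iss[n - 1]
    }'
}

# The chain section exactly as printed in the post above.
page_chain() {
    cat <<'EOF'
Certificate chain
0 s:/description=mc70f5sU6H9LaX1x/C=NL/CN=webmail.ivorde.ro/emailAddress=postmaster@ivorde.ro
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
EOF
}

# Constructed sample: the same chain with the intermediate (entry 1) removed,
# as a server with an incomplete chain file would send it.
gap_chain() {
    page_chain | sed -e '4,5d' -e 's/^2 s:/1 s:/'
}

page_chain | check_chain          # full chain from the post
gap_chain | check_chain || true   # constructed broken chain
```

Against a live server, pipe the output of the openssl s_client -connect command shown above into check_chain; the chain section is written to standard output.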

All times are UTC - 5 hours [ DST ]