Verifying a Certificate with openssl
Certificates can be checked with many tools; a web browser is the most convenient client for viewing a certificate. But when you are working on an integration system where no such client software is available, that is not possible. In that case openssl is the best tool.
Basic command to show the certificate:
openssl s_client -showcerts -connect google.com:443
The output of the command contains a lot of information; -showcerts dumps the certificates in PEM-encoded format. Let's split the output into parts to understand it.
CONNECTED(00000005)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1

---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
   i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
-----BEGIN CERTIFICATE-----
MIIKDjCCCPagAwIBAgIQdDfRXFmrl7wDAAAAAGZTjTANBgkqhkiG9w0BAQsFADBC
mRL7N9zIq9jAUl5bHQqn1kd7Q9qs54fvJSG0d6r/p1V/3A==
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
-----BEGIN CERTIFICATE-----
MIIESjCCAzKgAwIBAgINAeO0mqGNiqmBJWlQuDANBgkqhkiG9w0BAQsFADBMMSAw
IRdAvKLWZu/axBVbzYmqmwkm5zLSDW5nIAJbELCQCZwMH56t2Dvqofxs6BBcCFIZ
USpxu6x6td0V7SvJCCosirSmIatj/9dSSVDQibet8q/7UK4v4ZUN80atnZz1yg==
-----END CERTIFICATE-----
- This server sends 2 certificates: '0' is the server certificate, '1' is the intermediate certificate. 's' is the subject of the certificate, 'i' is the CA that issued the certificate.
- Here only two certificates are in the chain, but other sites may send more certificates in the chain.
- In the chain, the issuer information of one certificate repeats as the subject of the next certificate up the chain. In this case, the issuer (i) of certificate '0' repeats as the subject (s) of certificate '1'.
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1
---
- This block repeats the server certificate's subject and issuer.
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
- No client certificate CA names were sent, i.e. this server did not ask the client for a certificate.
SSL handshake has read 4347 bytes and written 281 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
- The connection was made with cipher ECDHE-RSA-CHACHA20-POLY1305. "TLSv1/SSLv3" here is OpenSSL's generic label; the protocol actually negotiated is shown further down under SSL-Session, so this server supports TLSv1.2.
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
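The checks described above (read the chain entries, confirm that each certificate's issuer is the subject of the next one, look for verify errors, and read the negotiated protocol and cipher from the SSL-Session block) can be automated on an integration box where s_client is the only tool available. The following parser is an added example, not code from the original post; it runs over a constructed transcript abbreviated from the output shown above (certificate bodies cut to a single line, so they are not real certificates) and returns a structured view that can be asserted on. The "verify error:" and "Verify return code:" line formats it also recognises are standard s_client output that the truncated transcript above does not show.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, abbreviated from the s_client transcript on the page
# (certificate bodies cut to one line each, so these are not real certificates).
SAMPLE_OUTPUT = """\
CONNECTED(00000005)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
   i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
-----BEGIN CERTIFICATE-----
MIIKDjCCCPagAwIBAgIQdDfRXFmrl7wDAAAAAGZTjTANBgkqhkiG9w0BAQsFADBC
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
-----BEGIN CERTIFICATE-----
MIIESjCCAzKgAwIBAgINAeO0mqGNiqmBJWlQuDANBgkqhkiG9w0BAQsFADBMMSAw
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4347 bytes and written 281 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
"""

DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")          # verification walk, root first
VERIFY_ERROR_RE = re.compile(r"^verify error:(.*)$")  # printed by s_client on a failed check
CHAIN_SUBJECT_RE = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:/C=US/..."
CHAIN_ISSUER_RE = re.compile(r"^\s*i:(.*)$")          # "   i:/C=US/..."
SESSION_RE = re.compile(r"^\s*(Protocol|Cipher)\s*:\s*(.+?)\s*$")
FINAL_CODE_RE = re.compile(r"^\s*Verify return code:\s*(\d+)")


def parse_s_client(output: str) -> Dict:
    """Split an `openssl s_client -showcerts` transcript into its parts."""
    chain: List[Dict] = []
    depths: List[int] = []
    verify_errors: List[str] = []
    session: Dict[str, str] = {}
    final_code: Optional[int] = None
    current: Optional[Dict] = None
    pem: Optional[List[str]] = None
    for line in output.splitlines():
        if pem is not None:  # inside a PEM block: collect until END marker
            pem.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                if current is not None:
                    current["pem"] = "\n".join(pem) + "\n"
                pem = None
            continue
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            pem = [line]
            continue
        if (m := DEPTH_RE.match(line)):
            depths.append(int(m.group(1)))
        elif (m := CHAIN_SUBJECT_RE.match(line)):
            current = {"index": int(m.group(1)), "subject": m.group(2).strip(),
                       "issuer": "", "pem": ""}
            chain.append(current)
        elif (m := CHAIN_ISSUER_RE.match(line)) and current is not None:
            current["issuer"] = m.group(1).strip()
        elif (m := VERIFY_ERROR_RE.match(line)):
            verify_errors.append(m.group(1).strip())
        elif (m := SESSION_RE.match(line)):
            session[m.group(1).lower()] = m.group(2)
        elif (m := FINAL_CODE_RE.match(line)):
            final_code = int(m.group(1))
    return {"chain": chain, "depths": depths, "verify_errors": verify_errors,
            "session": session, "final_code": final_code}


def chain_problems(parsed: Dict) -> List[str]:
    """The checks done by eye above: each certificate's issuer must equal the
    subject of the next certificate, and no verify error may be reported."""
    problems: List[str] = []
    chain = parsed["chain"]
    for lower, upper in zip(chain, chain[1:]):
        if lower["issuer"] != upper["subject"]:
            problems.append(f"cert {lower['index']} issuer != cert {upper['index']} subject")
    problems.extend("verify error: " + err for err in parsed["verify_errors"])
    if parsed["final_code"] not in (None, 0):
        problems.append(f"Verify return code: {parsed['final_code']}")
    return problems


if __name__ == "__main__":
    result = parse_s_client(SAMPLE_OUTPUT)
    for cert in result["chain"]:
        print(f"{cert['index']}: s={cert['subject']}\n   i={cert['issuer']}")
    print("session:", result["session"])
    print("problems:", chain_problems(result) or "none")
```

Run it against a live transcript with `openssl s_client -showcerts -connect host:443 < /dev/null | python3 this_script.py` after replacing SAMPLE_OUTPUT with `sys.stdin.read()`. Note that with default settings s_client still prints "verify return:1" after a failed check, so the "verify error:" lines and the final "Verify return code:" are what decide whether the chain validated, not the per-depth return lines.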