An SSL/TLS certificate is a file installed on a website’s origin server. It’s simply a data file containing the public key and the identity of the website owner, along with other information. Without a server certificate, a website’s traffic can’t be encrypted with TLS.
SSL/TLS certificates are the most popular type of X.509 certificate. SSL/TLS certificates are issued to hostnames (machine names like ‘ABC-SERVER-02’ or domain names like google.com).
In this post, we will get the SSL/TLS server certificate from the server or website with OpenSSL command.
Table of Contents
Get SSL server certificate from Remote Server
We can get an interactive SSL connection to our server, using the openssl s_client command:
This keeps the interactive session open until we type Q (quit) and press , or until EOF is encountered.
We can use the -showcerts option to get the complete certificate chain:
openssl s_client -showcerts -connect google.com:443
Certificate chain
0 s:/CN=*.google.com
i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
—–BEGIN CERTIFICATE—–
MIIOHDCCDQSgAwIBAgIRAK9pj+vPzS2JCgAAAAD26sQwDQYJKoZIhvcNAQELBQAw
RjELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBM
—–END CERTIFICATE—–
1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
—–BEGIN CERTIFICATE—–
MIIFljCCA36gAwIBAgINAgO8U1lrNMcY9QFQZjANBgkqhkiG9w0BAQsFADBHMQsw
CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
—–END CERTIFICATE—–
We can also use the following command to save all the certificates to a file.
openssl s_client -showcerts -connect google.com:443 certifs.pem
Check SSL server certificate from Server with SNI
If the remote server is using SNI (that is, sharing multiple SSL hosts on a single IP address) we will need to send the correct servername in the OpenSSL command in order to get the right certificate.
For example, www.howtouselinux.com shares multiple SSL hosts with other domains. So in order to get the certificate for our website, we need to use the following command.
openssl s_client -showcerts -servername www.howtouselinux.com -connect www.howtouselinux.com:443 certifs.pem
Related:
- Exploring SSL Certificate Chain with Examples
- Understanding X509 Certificate with Openssl Command
- OpenSSL Command to Generate View Check Certificate
- Converting CER CRT DER PEM PFX Certificate with Openssl
- SSL vs TLS and how to check TLS version in Linux
- Understanding SSH Key RSA DSA ECDSA ED25519
- Understanding server certificates with Examples