Check SSL certificate from Remote Server with Openssl s_client

Table of Contents

An SSL/TLS certificate is a file installed on a website’s origin server. It’s simply a data file containing the public key and the identity of the website owner, along with other information. Without a server certificate, a website’s traffic can’t be encrypted with TLS.

SSL/TLS certificates are the most popular type of X.509 certificate. SSL/TLS certificates are issued to hostnames (machine names like ‘ABC-SERVER-02’ or domain names like google.com).

In this post, we will get the SSL/TLS server certificate from the server or website with OpenSSL command.

Get SSL server certificate from Remote Server

We can get an interactive SSL connection to our server, using the openssl s_client command:

This keeps the interactive session open until we type Q (quit) and press , or until EOF is encountered.

We can use the -showcerts option to get the complete certificate chain:

openssl s_client -showcerts -connect google.com:443

Certificate chain
0 s:/CN=*.google.com
i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
—–BEGIN CERTIFICATE—–
MIIOHDCCDQSgAwIBAgIRAK9pj+vPzS2JCgAAAAD26sQwDQYJKoZIhvcNAQELBQAw
RjELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBM
—–END CERTIFICATE—–
1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
—–BEGIN CERTIFICATE—–
MIIFljCCA36gAwIBAgINAgO8U1lrNMcY9QFQZjANBgkqhkiG9w0BAQsFADBHMQsw
CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
—–END CERTIFICATE—–

We can also use the following command to save all the certificates to a file.

openssl s_client -showcerts -connect google.com:443 certifs.pem

Download SSL server certificate from Server with SNI

If the remote server is using SNI (that is, sharing multiple SSL hosts on a single IP address) we will need to send the correct servername in the OpenSSL command in order to get the right certificate.

For example, howtouselinux.com shares multiple SSL hosts with other domains. So in order to get the certificate for our website, we need to use the following command.

openssl s_client -showcerts -servername www.howtouselinux.com -connect www.howtouselinux.com:443 certifs.pem

Related:

Table of Contents

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn

You might also like