Understanding SSL server certificates with Examples

Updated: Aug 29

Server certificates are commonly known as SSL/TLS certificates. Before one is issued, the identity of the certificate holder (the applicant) is verified and validated. Once installed on the server, the certificate also lets the server establish an encrypted communication channel, so the site is served over HTTPS.

What is SSL server certificate

Server certificates are the most common type of X.509 certificate. SSL/TLS certificates are issued to hostnames (machine names such as ‘ABC-SERVER-02’ or domain names such as google.com).


A server certificate is a file installed on a website's origin server. It is simply a data file containing the website owner's public key and identity, along with other information. Without a server certificate, a website's traffic cannot be encrypted with TLS.


Technically, any website owner can create their own server certificate; such certificates are called self-signed certificates. However, browsers do not treat self-signed certificates as trustworthy in the way they treat certificates issued by a certificate authority (CA).



How does the SSL server certificate work?

  • A browser or server attempts to connect to a website (i.e. a web server) secured with SSL. The browser/server requests that the web server identify itself.

  • The web server sends the browser/server a copy of its SSL certificate.

  • The browser/server checks whether it trusts the SSL certificate. If so, it sends a message to the web server.

  • The web server sends back a digitally signed acknowledgement to start an SSL encrypted session.

  • Encrypted data is shared between the browser/server and the web server.




How to get an SSL server certificate

  • generate a key pair

  • use this key pair to generate a certificate signing request (CSR) that contains the public key and the domain name of our website

  • upload the request to a certificate authority

  • download the certificate and install it on our web server along with the key pair


Example of SSL Server Certificate

We can use the openssl s_client command to check whether the certificate is valid, trusted, and complete.


openssl s_client -connect <hostname>:<port>

This opens an SSL connection to the specified hostname and port and prints the server certificate.



openssl s_client -connect <hostname>:<port> -showcerts

Prints all certificates in the chain presented by the SSL service. This is useful when troubleshooting a missing intermediate CA certificate.


If there is a connection problem reaching the domain, the openssl s_client -connect command waits until a timeout occurs and then prints an error such as connect: Operation timed out.


$ openssl s_client -connect google.com:443 
CONNECTED(00000005)
depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1


Check who has issued the SSL certificate:

$ echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer
issuer= /C=US/O=Let's Encrypt/CN=R3

Check whom the SSL certificate is issued to:

$ echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -subject
subject= /CN=www.howtouselinux.com

Check for what dates the SSL certificate is valid:

$ echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Aug  8 04:49:59 2021 GMT
notAfter=Nov  6 04:49:57 2021 GMT

Show all of the above information about the SSL certificate:

$ echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
issuer= /C=US/O=Let's Encrypt/CN=R3
subject= /CN=howtouselinux.com
notBefore=Aug  8 04:49:59 2021 GMT
notAfter=Nov  6 04:49:57 2021 GMT
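The steps in "How to get an SSL server certificate" and the openssl x509 checks above, put together as an added example that is not from the original post: a throwaway local CA stands in for the real certificate authority, the hostname www.example.test and all file names are made-up values, and the script then asks the questions a monitoring check asks (who issued the certificate, to whom, does it chain to a trusted CA, does the name match, and is it about to expire). It needs only openssl and runs offline.

```shell
#!/bin/sh
# Added example: local test CA (stand-in for a real CA), made-up host www.example.test.
set -eu

WORK=$(mktemp -d)                      # scratch directory for keys, CSR and certs

# Step 1 (the CA's side): a self-signed root certificate and its private key.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/C=US/O=Example Test CA/CN=Example Root" 2>/dev/null

# Step 2: the web server's own key pair and a CSR carrying its public key and name.
openssl req -newkey rsa:2048 -nodes \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" \
  -subj "/CN=www.example.test" 2>/dev/null

# Step 3: the CA signs the CSR. The subjectAltName is what browsers match the
# hostname against, so it is added here as a signing-time extension.
printf 'subjectAltName=DNS:www.example.test\n' > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 10 -extfile "$WORK/san.cnf" -out "$WORK/server.pem" 2>/dev/null

# cert_field CERT FLAG : one field of the certificate, e.g. -issuer, -subject, -dates
cert_field() { openssl x509 -in "$1" -noout "$2"; }

# chain_ok CERT CAFILE : succeeds only if CERT chains to a CA in CAFILE
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# name_ok CERT CAFILE HOST : chain check plus hostname match, as a browser does it
name_ok() { openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; }

# expires_within_days CERT N : succeeds if the certificate expires in the next N days
expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    return 1                           # still valid N days from now
  else
    return 0                           # expiring soon: time to renew
  fi
}

# Step 4 would be installing server.pem and server.key on the web server; here we
# run the same inspections the post runs with openssl x509 -noout.
cert_field "$WORK/server.pem" -issuer
cert_field "$WORK/server.pem" -subject
cert_field "$WORK/server.pem" -dates
chain_ok "$WORK/server.pem" "$WORK/ca.pem" && echo "chain: trusted"
name_ok "$WORK/server.pem" "$WORK/ca.pem" www.example.test && echo "hostname: matches"
expires_within_days "$WORK/server.pem" 30 && echo "renew: expires within 30 days"
```

Against a live site, replace the -in file with the certificate saved from the openssl s_client output shown above; the checks are the same.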


