Get Server Certificate Openssl


From time to time it may be necessary to verify what certificate is being presented by the server you are connecting to. Sometimes this is an SMTP server, sometimes a web server. There are several ways to inspect the certificate a server presents (a browser's certificate viewer, for one), but here I am going to focus on openssl, because it shows the chain exactly as the server sends it rather than the browser's cleaned-up view of it.

Get a server's SSL/TLS certificate using 'openssl s_client'

(The server wants a client certificate.) I got the server certificate with:

openssl s_client -connect 192.168.254.208:40004 </dev/null | openssl x509 -outform PEM > cert.pem

But how do I get the client cert? Is this possible with openssl s_server? Or can I use a simple Python SSL socket? (I have access to the certificates and keys from the server.)

OpenSSL is a robust, commercial-grade, full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is available for multiple platforms including Linux, macOS and Windows (via gnuwin32). For this article I will be using the Windows version of OpenSSL, which can be downloaded from http://gnuwin32.sourceforge.net/packages/openssl.htm. Note that the gnuwin32 package is no longer maintained and predates TLS 1.1/1.2 support (added in OpenSSL 1.0.1), so a server that requires TLS 1.2 or later will refuse its handshake; it is fine for viewing certificates, but for anything beyond that use a current build (the one bundled with Git for Windows, for example).

The syntax that we use depends on what type of server we are querying. To query a web server you would do the following:

To query an SMTP server you would do the following:

How to verify SSL certificates with SNI (Server Name Indication) using OpenSSL

Using SNI with OpenSSL is easy: add the -servername flag and you are good to go. In the examples below, replace mail.domain.com with the SNI name (the SNI name can also be used in place of server.yourwebhoster.eu). Do not skip this flag when the host serves more than one name: without SNI the server has no way to tell which site you are asking about and returns its default certificate, so you can end up debugging a certificate that a browser visiting the site would never be shown.

To get the SSL/TLS certificate of an SMTP server, pick the host of one MX record from the answer section of your DNS query and feed it to openssl. Mail is delivered to the lowest preference value first, so gmail-smtp-in.l.google.com (preference 5) is the host a sending server would try before the others:

$ dig gmail.com mx
;; ANSWER SECTION:
gmail.com.    3599  IN  MX  20 alt2.gmail-smtp-in.l.google.com.
gmail.com.    3599  IN  MX  5 gmail-smtp-in.l.google.com.
gmail.com.    3599  IN  MX  30 alt3.gmail-smtp-in.l.google.com.
gmail.com.    3599  IN  MX  10 alt1.gmail-smtp-in.l.google.com.
gmail.com.    3599  IN  MX  40 alt4.gmail-smtp-in.l.google.com.
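The MX lookup and the -servername/-starttls invocation above, as an added example that is not part of the original article: it parses the answer section of a dig run, orders the hosts the way a sending MTA would try them (lowest preference first), and builds the openssl s_client command line with SNI for each. The dig output embedded in the script is constructed for the example (same hosts as above, illustrative TTLs); run_check() needs network access and is only there to show how the command is executed with an empty stdin.

```python
"""Find the MX hosts to test and build the s_client command for each.

Added example, not code from the original article. The dig output below is
constructed for the example and mirrors the hosts listed in the article.
"""
import re
import shlex
import subprocess
from typing import List, Optional, Tuple

# Constructed sample input in dig's presentation format: owner TTL class type rdata.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
gmail.com.\t3599\tIN\tMX\t20 alt2.gmail-smtp-in.l.google.com.
gmail.com.\t3599\tIN\tMX\t5 gmail-smtp-in.l.google.com.
gmail.com.\t3599\tIN\tMX\t30 alt3.gmail-smtp-in.l.google.com.
gmail.com.\t3599\tIN\tMX\t10 alt1.gmail-smtp-in.l.google.com.
gmail.com.\t3599\tIN\tMX\t40 alt4.gmail-smtp-in.l.google.com.
"""

# owner  ttl  IN  MX  preference  exchange
MX_RECORD = re.compile(r"^\S+\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$", re.MULTILINE)


def mx_hosts(dig_output: str) -> List[Tuple[int, str]]:
    """Return (preference, host) pairs, lowest preference first.

    The trailing dot of the presentation format is stripped so the name can
    go straight into -connect and -servername.
    """
    records = [(int(pref), host.rstrip(".")) for pref, host in MX_RECORD.findall(dig_output)]
    return sorted(records)


def s_client_command(host: str, port: int = 25, starttls: Optional[str] = "smtp") -> List[str]:
    """argv for one check.

    -servername sends SNI so a server hosting several names returns the
    certificate for this one; pass starttls=None for a plain TLS port such as 443.
    """
    argv = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    if starttls:
        argv += ["-starttls", starttls]
    return argv


def run_check(host: str, port: int = 25, starttls: Optional[str] = "smtp", timeout: int = 30) -> str:
    """Run s_client with an empty stdin (the equivalent of </dev/null) so it exits
    after the handshake instead of waiting for input. Needs network access, so the
    offline demo below does not call it."""
    proc = subprocess.run(
        s_client_command(host, port, starttls), input=b"", capture_output=True, timeout=timeout
    )
    return proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")


if __name__ == "__main__":
    # Offline demo: print the commands in the order a sending MTA would try the hosts.
    for pref, host in mx_hosts(SAMPLE_DIG_OUTPUT):
        print(f"{pref:>3}  {shlex.join(s_client_command(host))}")
```

Feed the output of run_check() to whatever you use to read the chain; the empty stdin matters because s_client otherwise sits waiting for you to type, which is the behaviour footnote 1 of the second article below describes.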

where the host given to -connect is replaced with the fully qualified domain name (FQDN) of the server we want to check. The output contains multiple sections with --- separators between them. The following example shows a connection on port 443 against outlook.office365.com. The first section covers the connection information:


The next section contains details about the certificate chain:

The actual public server certificate is next:

Following the server certificate we see the Certificate Subject and Issuer:

If the server requests a client certificate, the list of CAs it will accept one from ("Acceptable client certificate CA names") is presented next; otherwise this section just reads "No client certificate CA names sent":

We next see details about the particular SSL handshake that occurred:

Next, if we query an SMTP server on port 25 with the -starttls smtp parameter, we get the same information back from that server. Below is an example of the output from this type of query:


In both of these examples the information we typically use in troubleshooting is the certificate chain.
e.g. 1:

e.g. 2:

Depending on the problem I'm dealing with I'll make a determination on how I want to proceed next. If the system you are connecting from is receiving regular root certificate updates there shouldn't be any issues with the root certificates.

The most common issue that I see around certificates is missing root certificates. These problems are easily resolved by ensuring that you have installed the most recent root certificate update for your system. Look at the chain output first, though: if the server sends only its end-entity certificate and no intermediate, the client reports a very similar "unable to get local issuer certificate" failure, but the fix belongs on the server (configure it to send the full chain), not in the client's root store.

If you find that the proper root certificates have been installed on the system, the next thing to check is that you can reach the certificate revocation list (CRL), or the OCSP responder, to verify that the certificate has not been revoked. This requires internet access (directly or through a proxy), and on a Windows system it can be checked with certutil's -urlfetch -verify switches against the saved certificate, which attempt to download each CRL and OCSP URL listed in the certificate.

At the very bottom of the output you should see:

If you don't have access to the internet you will see an error at this point.
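The chain and root-certificate checks described in this section, as an added example (not code from the original article): it parses the "Certificate chain" section of s_client output, confirms that each certificate's issuer is the subject of the next one up, and maps OpenSSL's "Verify return code" to the usual cause (missing root on the client, missing intermediate on the server, expired leaf, unreachable CRL). Both the old "/C=US/CN=x" and the newer "C = US, CN = x" name formats are handled. The s_client output embedded in the script is constructed for the example, not captured from a real server.

```python
"""Triage the chain and verify result in `openssl s_client` output.

Added example, not code from the original article. The sample output is
constructed for the example, not a real capture.
"""
import json
import re
import sys
from typing import Dict, List, Optional, Tuple

SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 /C=US/O=Example Trust/CN=Example Intermediate CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=mail.example.com
   i:/C=US/O=Example Trust/CN=Example Intermediate CA
 1 s:/C=US/O=Example Trust/CN=Example Intermediate CA
   i:/C=US/O=Example Trust/CN=Example Root CA
---
No client certificate CA names sent
---
    Verify return code: 20 (unable to get local issuer certificate)
---
"""

# OpenSSL X509_V_ERR_* codes that come up in the troubleshooting above.
VERIFY_HINTS = {
    0: "chain verified against the local trust store",
    2: "issuer certificate not available: install the missing CA certificate",
    3: "CRL could not be fetched: check outbound access to the CRL distribution point",
    10: "certificate has expired: it must be renewed on the server",
    18: "leaf is self-signed: add it to the trust store or replace it with a CA-issued one",
    19: "chain ends in a self-signed root this client does not trust: install the root certificate update",
    20: "local issuer not found: root certificate missing on this client, or the server is not sending its intermediate",
    21: "only the leaf was sent and it is not trusted: the server must send its intermediate certificate(s)",
}

CHAIN_ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)\n\s+i:(.*)$", re.MULTILINE)
VERIFY_LINE = re.compile(r"Verify return code:\s*(\d+)\s*\((.*?)\)")


def parse_chain(output: str) -> List[Dict[str, object]]:
    """Presented chain as [{level, subject, issuer}, ...], leaf (level 0) first."""
    return [
        {"level": int(level), "subject": subj.strip(), "issuer": iss.strip()}
        for level, subj, iss in CHAIN_ENTRY.findall(output)
    ]


def verify_return_code(output: str) -> Optional[Tuple[int, str]]:
    """(code, text) from the 'Verify return code' line, or None if absent."""
    m = VERIFY_LINE.search(output)
    return (int(m.group(1)), m.group(2)) if m else None


def chain_findings(chain: List[Dict[str, object]]) -> List[str]:
    """Structural checks on the chain as sent; no trust store needed."""
    findings = []
    if not chain:
        return ["no certificate chain found in output"]
    for cur, nxt in zip(chain, chain[1:]):
        if cur["issuer"] != nxt["subject"]:
            findings.append(
                f"level {cur['level']} issuer does not match level {nxt['level']} subject: "
                "chain is out of order or an intermediate is missing"
            )
    last = chain[-1]
    if last["subject"] != last["issuer"]:
        findings.append(
            f"chain ends at level {last['level']}; its issuer '{last['issuer']}' "
            "must be in the client's root store"
        )
    return findings


def diagnose(output: str) -> Dict[str, object]:
    """Combine the structural checks with OpenSSL's own verdict."""
    chain = parse_chain(output)
    code = verify_return_code(output)
    hint = None
    if code is not None:
        hint = VERIFY_HINTS.get(code[0], f"verify error {code[0]}: {code[1]}")
    return {
        "depth": len(chain),
        "root_included": bool(chain) and chain[-1]["subject"] == chain[-1]["issuer"],
        "findings": chain_findings(chain),
        "verify_code": code,
        "hint": hint,
    }


if __name__ == "__main__":
    # Pipe real output in:  openssl s_client -connect host:443 </dev/null 2>&1 | python3 triage.py
    text = SAMPLE_S_CLIENT_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(diagnose(text), indent=2))
```

A chain that links correctly but still fails with code 20 or 19 points at the client's root store, which is the "install the latest root update" case above; a chain whose levels do not link, or that stops at the leaf, is the server's configuration to fix, and no amount of root updates on the client will help.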

March 14th, 2009

If you deal with SSL/TLS long enough you will run into situations where you need to examine what certificates are being presented by a server to the client. The best way to examine the raw output is via (what else but) OpenSSL.[1]

First let's do a standard web server connection. (-showcerts dumps the PEM-encoded certificates themselves for more extensive parsing, if you desire; the output below snips them for readability.)

There's a lot of data here so I have truncated several sections to increase readability. Points of interest:

  1. The certificate chain consists of two certificates. At level 0 there is the server certificate with some parsed information. s: is the subject line of the certificate and i: contains information about the issuing CA.

  2. This particular server (www.woot.com) has sent an intermediate certificate as well. Subject and issuer information is provided for each certificate in the presented chain. Chains can be much longer than 2 certificates in length.

  3. The server certificate section is a duplicate of level 0 in the chain. If you're only looking for the end entity certificate then you can rapidly find it by looking for this section.

  4. No client certificate CAs were sent. If the server was configured to potentially accept client certs the returned data would include a list of 'acceptable client CAs'.

  5. The connection was made via TLSv1/SSLv3 and the chosen cipher was RC4-MD5. Incidentally, this typically means that the server you're connecting to is IIS. (Both halves of that suite have since been retired: RFC 7465 prohibits RC4 in TLS, and a current client should refuse this negotiation outright rather than report it.)
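Points 4 and 5 above, plus the -showcerts option mentioned earlier, as an added example (not code from the original post): it reads the negotiated protocol, cipher and server key size from the handshake summary, records whether the server asked for a client certificate and which CAs it will accept, extracts any PEM blocks that -showcerts dumped so they can be handed to openssl x509, and then flags what would not pass review today (SSLv3, TLS 1.0/1.1, RC4, MD5, single and triple DES, export, NULL and anonymous suites, keys under 2048 bits). The handshake and -showcerts samples are constructed for the example; the PEM bodies are placeholders, not real certificates.

```python
"""Read the handshake summary that follows the chain in `openssl s_client` output.

Added example, not code from the original post. Samples are constructed for the
example; the PEM bodies are placeholder text, not real certificates.
"""
import re
from typing import Dict, List, Optional

SAMPLE_HANDSHAKE = """\
---
Acceptable client certificate CA names
/C=US/O=Example Corp/CN=Example Client CA
---
SSL handshake has read 2831 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 0 (ok)
---
"""

SAMPLE_SHOWCERTS = """\
Certificate chain
 0 s:/CN=www.example.com
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderLEAFnotArealCertificate000000000000000000000000000
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderINTERMEDIATEnotArealCertificate0000000000000000000
-----END CERTIFICATE-----
---
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Components of OpenSSL cipher-suite names that should no longer be negotiated.
# "DES" covers single DES and 3DES ("DES-CBC3-SHA"); ADH/AECDH are anonymous suites.
WEAK_CIPHER_TOKENS = {"RC4", "MD5", "DES", "EXP", "NULL", "ADH", "AECDH"}
MIN_KEY_BITS = 2048

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----", re.DOTALL)
CLIENT_CAS = re.compile(r"Acceptable client certificate CA names\n(.*?)\n---", re.DOTALL)


def _field(pattern: str, output: str) -> Optional[str]:
    m = re.search(pattern, output, re.MULTILINE)
    return m.group(1) if m else None


def handshake_summary(output: str) -> Dict[str, object]:
    """Protocol, cipher, key size and client-certificate request, as s_client reports them."""
    cas = CLIENT_CAS.search(output)
    bits = _field(r"^Server public key is (\d+) bit", output)
    # Newer s_client prints signature-algorithm lines after the CA list; keep only DNs.
    ca_names = [ln for ln in cas.group(1).splitlines() if "=" in ln] if cas else []
    return {
        "protocol": _field(r"^\s*Protocol\s*:\s*(\S+)", output),
        "cipher": _field(r"^\s*Cipher\s*:\s*(\S+)", output),
        "public_key_bits": int(bits) if bits else None,
        "client_cert_requested": cas is not None,
        "client_ca_names": ca_names,
    }


def findings(summary: Dict[str, object]) -> List[str]:
    """What a reviewer would flag in the negotiated parameters."""
    out = []
    proto = summary["protocol"]
    if proto in DEPRECATED_PROTOCOLS:
        out.append(f"protocol {proto} is deprecated; require TLS 1.2 or later")
    cipher = summary["cipher"] or ""
    for token in cipher.split("-"):  # TLS 1.3 names use '_' and never match
        if token in WEAK_CIPHER_TOKENS:
            out.append(f"cipher {cipher} uses {token}")
    bits = summary["public_key_bits"]
    if bits is not None and bits < MIN_KEY_BITS:
        out.append(f"server key is only {bits} bits")
    return out


def pem_blocks(output: str) -> List[str]:
    """PEM certificates from -showcerts output, leaf first, ready for `openssl x509 -noout -text`."""
    return PEM_BLOCK.findall(output)


if __name__ == "__main__":
    summary = handshake_summary(SAMPLE_HANDSHAKE)
    print(summary)
    for line in findings(summary):
        print("!", line)
    print(len(pem_blocks(SAMPLE_SHOWCERTS)), "certificate(s) extracted")
```

The token check is deliberately on the suite-name components rather than on substrings, so that AES suites (whose names contain the letters "DES" nowhere as a component) are not flagged while DES-CBC3-SHA is.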

But what if you want to connect to something other than a bog-standard web server on port 443? If you need STARTTLS, that is also available. As of OpenSSL 0.9.8 you can choose from smtp, pop3, imap, and ftp as -starttls options; later releases added more (xmpp, ldap, postgres, mysql, nntp, sieve, lmtp and irc among them), so check the s_client man page for the list your build supports.

If you need to check using a specific SSL/TLS version (perhaps to verify whether that version is enabled) you can do that as well. -ssl2, -ssl3, -tls1, and -dtls1 are the choices in 0.9.8. Newer builds add -tls1_1, -tls1_2, -tls1_3 and -dtls1_2, plus matching -no_* switches to exclude a version; note that SSLv2 was removed entirely in OpenSSL 1.1.0 and SSLv3 is compiled out by default, so -ssl2 and -ssl3 are rejected as unknown options on a current build.[2]


You can also present a client certificate if you are attempting to debug issues with a connection that requires one.[3]

And for those who really enjoy playing with SSL handshakes, you can even specify acceptable ciphers.[4]

The cipher used above should work for almost any Apache server, but will fail against older IIS installations (the Windows Server 2003 generation) whose Schannel did not offer 256-bit AES suites; current Windows versions do.


  1. The s_client command we're using opens an interactive socket and does not automatically return to the shell prompt, so remember you will have to hit control-c, or type Q and hit return, to terminate the process. Redirecting stdin from /dev/null makes it exit on its own once the handshake is done, which is what you want when scripting it. ↩

  2. This example shows an attempted SSLv2-only connection. SSLv2 should be disabled on any web server you control. It has a variety of flaws and has been superseded by SSLv3/TLSv1 for over a decade. (The same now goes for SSLv3 itself, broken by the POODLE attack and formally deprecated in RFC 7568; today nothing below TLS 1.2 should be enabled.) ↩

  3. This example expects the certificate and private key in PEM form. You can provide them in DER if you add -certform DER and -keyform DER (OpenSSL 0.9.8 or newer only) ↩

  4. A list of available ciphers can be found by typing 'openssl ciphers', but there are also myriad ways to sort by type and strength. See the ciphers man page for more details. ↩




