On 22/12/2014 11:52, Jerry OELoo wrote:
Hi All:
I have used the openssl command line to get some website's certificate
chain. Now, I want to show the root certificate information, but I do not
find any command argument to do it.
openssl s_client -showcerts -CApath /etc/ssl/certs -connect studentexclusives.hsbc.co.uk:443
I use -CApath to set root certificate path.
From below, I can get full certificate path. 3 certificates
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU
= "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign
Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU
= Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign
Class 3 Secure Server CA - G3
verify return:1
depth=0 C = GB, ST = London, L = London, O = HSBC Holdings plc, OU =
HTSE, CN = studentexclusives.hsbc.co.uk
verify return:1
But in the certificate chain, I only get information for 2 certificates (I
think these two are returned by the website.)
---
Certificate chain
0 s:/C=GB/ST=London/L=London/O=HSBC Holdings
plc/OU=HTSE/CN=studentexclusives.hsbc.co.uk
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
Server CA - G3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
Server CA - G3
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Now I want to also display the root certificate "VeriSign Class 3 Public
Primary Certification Authority - G5" information. How can I show it?
Thanks!
This means the web server did not send it, but expects your
client/browser to find it (by name) in your local root certificates
store, such as /etc/ssl/certs.
Look in that directory for "/C=US/O=VeriSign, Inc./OU=VeriSign Trust
Network/OU=(c) 2006 VeriSign, Inc. - For authorized use
only/CN=VeriSign Class 3 Public Primary Certification Authority - G5"
and dump that file directly with
openssl x509 -text -in /etc/ssl/certs/somefile.pem
Unfortunately no currently released version of s_client knows how to
dump out the constructed verification chain, there is only an option
to dump the server supplied certificates (regardless if those were
used by the client or not). Hopefully some future version will have
options to dump either or both lists.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
openssl-users mailing list
openssl-users@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
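
The by-name lookup described in the reply can be scripted. The following is an added example, not code from the thread or from the OpenSSL project: it takes saved `s_client -showcerts` output, picks the highest certificate the server sent, and finds that certificate's issuer in a `-CApath` directory through the `<subject-hash>.<n>` file names OpenSSL uses there. The function names and the saved-output file are assumptions.

```shell
#!/bin/sh
# Added example: find the trust anchor a server left out of its chain.
# Function names are hypothetical; they are not OpenSSL commands.

# Print the last certificate of the "Certificate chain" section in saved
# `s_client -showcerts` output ($1). s_client prints the leaf again under
# "Server certificate" after the chain, so stop reading there.
top_sent_cert() {
    awk '/^Server certificate/ { exit }
         /-----BEGIN CERTIFICATE-----/ { buf = ""; on = 1 }
         on { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { on = 0; last = buf }
         END { printf "%s", last }' "$1"
}

# Print the file in CAPATH ($2) whose subject equals the issuer of CERT ($1).
# A -CApath directory is indexed by <subject-hash>.<n>; <n> counts up from 0
# when several names share a hash, so compare the full name before accepting.
find_issuer_in_capath() {
    fi_hash=$(openssl x509 -noout -issuer_hash -in "$1") || return 2
    fi_want=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" |
              sed 's/^issuer=//')
    fi_n=0
    while [ -e "$2/$fi_hash.$fi_n" ]; do
        fi_have=$(openssl x509 -noout -subject -nameopt RFC2253 \
                      -in "$2/$fi_hash.$fi_n" | sed 's/^subject=//')
        if [ "$fi_have" = "$fi_want" ]; then
            printf '%s\n' "$2/$fi_hash.$fi_n"
            return 0
        fi
        fi_n=$((fi_n + 1))
    done
    return 1   # the issuer is not in this trust store
}

# Summarise the missing root for saved s_client output ($1) and CAPATH ($2).
show_missing_root() {
    sm_pem=$(mktemp) || return 2
    top_sent_cert "$1" > "$sm_pem"
    sm_root=$(find_issuer_in_capath "$sm_pem" "$2") && sm_rc=0 || sm_rc=$?
    rm -f "$sm_pem"
    if [ "$sm_rc" -ne 0 ]; then
        echo "issuer of the top server-sent certificate not found in $2" >&2
        return "$sm_rc"
    fi
    openssl x509 -noout -subject -issuer -dates -fingerprint -sha256 -in "$sm_root"
}
```

Save the output of the `s_client -showcerts` command to a file first, then call `show_missing_root` with that file and `/etc/ssl/certs`. A non-zero return means the issuer name is absent from that directory, which is also why verification would fail against it.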