Last Updated: February 25, 2016 · purcell

Check the validity of a server's SSL certificate chain

Even if you can connect to a web server over HTTPS and get a little green lock icon, that doesn't mean the server's certificates are valid for every client.

In fact, if the server hasn't been configured to provide the full Certificate Authority certificate chain, the resulting connection will be considered insecure by some clients, such as Ruby programs.

Luckily, we can use openssl's s_client command to quickly check a server's certificate:

openssl s_client -connect your.secure.server.com:443

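Look at the first few lines of the output. The "Certificate chain" block lists each certificate the server sent, with its subject (s:) and issuer (i:), and shows whether the certificate has a valid chain, as below: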

Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.server.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,  Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
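One way to automate the check described above, as an added example that is not part of the original tip: `check_chain` (a hypothetical helper name) reads s_client output on stdin and reports whether every issuer is followed by its own certificate. Both sample outputs and the names in them are constructed.

```sh
# Added example. Prints one verdict line; exit status is non-zero when the
# chain is broken, missing, or consists of the leaf certificate only.
check_chain() {
  awk '
    function name(s) { gsub(/ +/, " ", s); return s }  # collapse repeated spaces
    /^Certificate chain/     { inside = 1; next }
    inside && /^---/         { inside = 0 }             # end of the chain block
    inside && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = name($0); next }
    inside && n && /^ *i:/   { sub(/^ *i:/, ""); iss[n-1] = name($0); next }
    /Verify return code:/    { sub(/.*Verify return code: */, ""); vrc = $0 }
    END {
      if (n == 0) { print "NO_CHAIN"; exit 2 }
      # Each issuer must be the subject of the next certificate sent.
      for (k = 0; k + 1 < n; k++)
        if (iss[k] != subj[k+1]) { print "BROKEN after cert " k; exit 1 }
      if (iss[n-1] == subj[n-1]) verdict = "ENDS_IN_SELF_SIGNED"
      else if (n == 1)           verdict = "LEAF_ONLY"  # usually: intermediates not sent
      else                       verdict = "ENDS_BELOW_ROOT"  # client supplies the root
      out = verdict " certs=" n
      if (vrc != "") out = out " verify=\"" vrc "\""
      print out
      exit (verdict == "LEAF_ONLY")
    }'
}

# Constructed sample: leaf plus intermediate, older "/CN=" name style.
sample_with_intermediate() { cat <<'EOF'
---
Certificate chain
 0 s:/CN=www.example.test
   i:/O=Example  CA/CN=Example Intermediate
 1 s:/O=Example CA/CN=Example Intermediate
   i:/O=Example CA/CN=Example Root
---
    Verify return code: 0 (ok)
EOF
}

# Constructed sample: leaf only, newer "CN = " name style with an extra line.
sample_leaf_only() { cat <<'EOF'
---
Certificate chain
 0 s:CN = www.example.test
   i:O = Example CA, CN = Example Intermediate
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}
```

Against a live server, pipe the command from above into it: `openssl s_client -connect your.secure.server.com:443 </dev/null 2>/dev/null | check_chain`. The verdict only describes what the server sent; whether a given client trusts the top of the chain still depends on that client's root store.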

2 Responses

Ahem... Trust chain evaluation is defined by the SSL stack on the client side, where OpenSSL is probably used less often than on the server side. Also, your Ruby (or whatever else) application may have a different set of root certificates, and hence the chain of trust might be evaluated/computed differently. Also, there are CRLs and other stuff. Hence, it shows the chain of trust for this very OpenSSL installation/configuration/set-of-root-certificates instance.

over 1 year ago

@silpol Well, yes, that can be an issue. But if the remote server isn't providing enough information for the client to logically connect the server's certificate to the client's root certificate, that's still a problem that can generally be reduced by configuring the server differently.

over 1 year ago