phv5og
Last Updated: February 25, 2016
·
4.641K
· purcell

Check the validity of a server's SSL certificate chain

Even if you can connect to a web server over https and get a little green lock icon, that doesn't mean the server's certificates are valid for every client.

In fact, if the server hasn't been configured to provide the full Certificate Authority certificate chain, the resulting connection will be considered insecure by some clients, such as Ruby programs.

Luckily, we can use openssl's s_client command to quickly check a server's certificate:

openssl s_client -connect your.secure.server.com:443

Look at the first few lines of the output, and you'll see whether the certificate has a valid chain, as below:

Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.server.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,  Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority

2 Responses
Add your response

14158

Ahem... Trust chain evaluation is defined by SSL stack on client side, where OpenSSL is probably used less often than on server side. Also, your Ruby (or whatever else) application may have different set of root certificates, and hence chain of trust might be evaluated/computed differently. Also, there are CRLs and other stuff. Hence, it shows chain of trust for very this OpenSSL installation/configuration/set-of-root-certificates instance.

over 1 year ago ·
14163

@silpol Well, yes, that can be an issue. But if the remote server isn't providing enough information for the client to logically connect the server's certificate to the client's root certificate, that's still a problem that can generally be reduced by configuring the server differently.

over 1 year ago ·