Quick Tip: openssl s_client For Certificate Verification
Tue, May 8, 2018This is a handy little command that I use often enough to validate the certificate on a host. There’s two cases.
First, checking the default certificate:
openssl s_client -connect google.ca:443 -showcerts </dev/null | openssl x509 -noout -text
Second, if you’re looking for a particular SNI name:
openssl s_client -connect google.ca:443 -servername gmail.com -showcerts </dev/null | openssl x509 -noout -text
Turns out the default Google.ca certificate has a huge number of names in it:
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = google.com
verify return:1
DONE
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 516889038554645177 (0x72c5bd78b57c2b9)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Google Trust Services, CN=Google Internet Authority G3
Validity
Not Before: Apr 24 10:46:55 2018 GMT
Not After : Jul 17 09:27:00 2018 GMT
Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=google.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a7:ba:82:b9:e1:a2:16:a8:72:55:64:c2:5b:05:
b1:1a:d2:b2:20:55:de:38:4d:4f:ce:fb:c3:13:20:
1e:10:86:df:ba:7b:70:84:bd:92:5d:a5:37:c7:e7:
3c:d2:0f:ff:2e:93:69:e5:e4:a5:b8:a1:c2:98:fb:
e6:6e:28:2a:37:49:da:2e:c7:93:ac:3b:28:03:bd:
40:23:29:12:9f:5d:91:e3:41:f6:13:69:82:ce:93:
24:08:c6:b6:28:d8:63:5f:11:a4:9e:2f:a5:21:79:
b7:bd:43:ba:77:2f:a4:74:dc:fe:37:f3:09:bc:b8:
39:df:2a:ea:52:dc:90:82:c3:5b:ef:e1:c0:57:87:
1b:5f:28:0a:5b:a7:66:b7:e2:ab:8c:a6:72:fc:59:
fb:db:cb:68:ae:8c:59:92:65:32:80:0c:e6:e0:8e:
9d:7d:f7:14:d4:ee:73:11:ee:45:39:7a:cc:50:f8:
80:73:30:5a:b8:a3:53:80:07:de:cd:0d:a0:2d:6f:
a7:eb:74:1d:28:3f:66:19:19:48:75:fa:43:86:be:
e8:59:9e:40:e7:a3:b8:14:8b:21:ac:50:2f:ce:31:
73:fd:ce:3a:13:79:1e:ae:f2:a0:b4:31:e4:09:62:
58:ea:a2:3e:6d:42:2f:df:b7:67:18:84:66:8f:08:
2a:ef
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:google.com, DNS:*.2mdn.net, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.au.doubleclick.net, DNS:*.cc-dt.com, DNS:*.cloud.google.com, DNS:*.db833953.google.cn, DNS:*.de.doubleclick.net, DNS:*.doubleclick.com, DNS:*.doubleclick.net, DNS:*.fls.doubleclick.net, DNS:*.fr.doubleclick.net, DNS:*.g.co, DNS:*.gcp.gvt2.com, DNS:*.google-analytics.com, DNS:*.google.ac, DNS:*.google.ad, DNS:*.google.ae, DNS:*.google.af, DNS:*.google.ag, DNS:*.google.ai, DNS:*.google.al, DNS:*.google.am, DNS:*.google.as, DNS:*.google.at, DNS:*.google.az, DNS:*.google.ba, DNS:*.google.be, DNS:*.google.bf, DNS:*.google.bg, DNS:*.google.bi, DNS:*.google.bj, DNS:*.google.bs, DNS:*.google.bt, DNS:*.google.by, DNS:*.google.ca, DNS:*.google.cat, DNS:*.google.cc, DNS:*.google.cd, DNS:*.google.cf, DNS:*.google.cg, DNS:*.google.ch, DNS:*.google.ci, DNS:*.google.cl, DNS:*.google.cm, DNS:*.google.cn, DNS:*.google.co.ao, DNS:*.google.co.bw, DNS:*.google.co.ck, DNS:*.google.co.cr, DNS:*.google.co.hu, DNS:*.google.co.id, DNS:*.google.co.il, DNS:*.google.co.im, DNS:*.google.co.in, DNS:*.google.co.je, DNS:*.google.co.jp, DNS:*.google.co.ke, DNS:*.google.co.kr, DNS:*.google.co.ls, DNS:*.google.co.ma, DNS:*.google.co.mz, DNS:*.google.co.nz, DNS:*.google.co.th, DNS:*.google.co.tz, DNS:*.google.co.ug, DNS:*.google.co.uk, DNS:*.google.co.uz, DNS:*.google.co.ve, DNS:*.google.co.vi, DNS:*.google.co.za, DNS:*.google.co.zm, DNS:*.google.co.zw, DNS:*.google.com, DNS:*.google.com.af, DNS:*.google.com.ag, DNS:*.google.com.ai, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.bd, DNS:*.google.com.bh, DNS:*.google.com.bn, DNS:*.google.com.bo, DNS:*.google.com.br, DNS:*.google.com.by, DNS:*.google.com.bz, DNS:*.google.com.cn, DNS:*.google.com.co, DNS:*.google.com.cu, DNS:*.google.com.cy, DNS:*.google.com.do, DNS:*.google.com.ec, DNS:*.google.com.eg, DNS:*.google.com.et, DNS:*.google.com.fj, DNS:*.google.com.ge, DNS:*.google.com.gh, DNS:*.google.com.gi, DNS:*.google.com.gr, DNS:*.google.com.gt, DNS:*.google.com.hk, DNS:*.google.com.iq, DNS:*.google.com.jm, DNS:*.google.com.jo, DNS:*.google.com.kh, DNS:*.google.com.kw, DNS:*.google.com.lb, DNS:*.google.com.ly, DNS:*.google.com.mm, DNS:*.google.com.mt, DNS:*.google.com.mx, DNS:*.google.com.my, DNS:*.google.com.na, DNS:*.google.com.nf, DNS:*.google.com.ng, DNS:*.google.com.ni, DNS:*.google.com.np, DNS:*.google.com.nr, DNS:*.google.com.om, DNS:*.google.com.pa, DNS:*.google.com.pe, DNS:*.google.com.pg, DNS:*.google.com.ph, DNS:*.google.com.pk, DNS:*.google.com.pl, DNS:*.google.com.pr, DNS:*.google.com.py, DNS:*.google.com.qa, DNS:*.google.com.ru, DNS:*.google.com.sa, DNS:*.google.com.sb, DNS:*.google.com.sg, DNS:*.google.com.sl, DNS:*.google.com.sv, DNS:*.google.com.tj, DNS:*.google.com.tn, DNS:*.google.com.tr, DNS:*.google.com.tw, DNS:*.google.com.ua, DNS:*.google.com.uy, DNS:*.google.com.vc, DNS:*.google.com.ve, DNS:*.google.com.vn, DNS:*.google.cv, DNS:*.google.cz, DNS:*.google.de, DNS:*.google.dj, DNS:*.google.dk, DNS:*.google.dm, DNS:*.google.dz, DNS:*.google.ee, DNS:*.google.es, DNS:*.google.eus, DNS:*.google.fi, DNS:*.google.fm, DNS:*.google.fr, DNS:*.google.frl, DNS:*.google.ga, DNS:*.google.gal, DNS:*.google.ge, DNS:*.google.gg, DNS:*.google.gl, DNS:*.google.gm, DNS:*.google.gp, DNS:*.google.gr, DNS:*.google.gy, DNS:*.google.hk, DNS:*.google.hn, DNS:*.google.hr, DNS:*.google.ht, DNS:*.google.hu, DNS:*.google.ie, DNS:*.google.im, DNS:*.google.in, DNS:*.google.info, DNS:*.google.iq, DNS:*.google.ir, DNS:*.google.is, DNS:*.google.it, DNS:*.google.it.ao, DNS:*.google.je, DNS:*.google.jo, DNS:*.google.jobs, DNS:*.google.jp, DNS:*.google.kg, DNS:*.google.ki, DNS:*.google.kz, DNS:*.google.la, DNS:*.google.li, DNS:*.google.lk, DNS:*.google.lt, DNS:*.google.lu, DNS:*.google.lv, DNS:*.google.md, DNS:*.google.me, DNS:*.google.mg, DNS:*.google.mk, DNS:*.google.ml, DNS:*.google.mn, DNS:*.google.ms, DNS:*.google.mu, DNS:*.google.mv, DNS:*.google.mw, DNS:*.google.ne, DNS:*.google.ne.jp, DNS:*.google.net, DNS:*.google.ng, DNS:*.google.nl, DNS:*.google.no, DNS:*.google.nr, DNS:*.google.nu, DNS:*.google.off.
Authority Information Access:
CA Issuers - URI:http://pki.goog/gsr2/GTSGIAG3.crt
OCSP - URI:http://ocsp.pki.goog/GTSGIAG3
X509v3 Subject Key Identifier:
28:BB:B8:44:5A:BF:07:CF:D9:CD:D1:56:37:94:E3:3B:DC:3F:BB:2C
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:77:C2:B8:50:9A:67:76:76:B1:2D:C2:86:D0:83:A0:7E:A6:7E:BA:4B
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.11129.2.5.3
Policy: 2.23.140.1.2.2
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.pki.goog/GTSGIAG3.crl
Signature Algorithm: sha256WithRSAEncryption
5d:84:f7:84:8b:30:ed:75:91:72:a1:f1:1e:0a:fb:ce:12:0d:
e9:8a:95:92:2d:fc:6a:9b:7b:3e:19:fa:a2:e1:ab:fd:5f:39:
17:c7:68:0d:3f:2e:9c:c7:b9:cb:b7:2e:2a:df:0e:93:ee:75:
7f:39:85:4e:3d:b4:7b:01:38:b2:20:4d:9f:90:d0:19:3c:fd:
dc:7e:f8:05:ad:ea:bf:73:97:a3:a6:01:c0:42:5d:1f:7e:eb:
0b:7c:82:5e:f0:99:cc:8d:ee:dc:85:b4:f8:9a:c1:74:91:05:
57:ac:ab:34:64:b3:5d:7d:e2:66:89:db:3d:d0:ba:6a:ec:f2:
7e:dc:f1:a1:05:49:b6:64:6f:eb:82:29:77:8d:92:11:33:c1:
69:51:f9:c5:5c:af:5a:42:37:83:eb:d0:44:85:2a:d0:1a:07:
cd:5c:89:7c:5f:07:05:ba:e8:37:4e:98:a8:7d:52:60:ca:9e:
8f:bf:fd:75:29:97:b2:ac:a4:f8:f2:11:25:41:4e:8c:f4:e3:
46:bc:59:54:1f:f0:10:24:9b:3e:b2:61:94:6b:7c:61:6e:17:
d0:74:e8:0c:ac:38:20:b6:c1:b5:a7:e2:60:d9:80:5a:0c:14:
07:8d:0f:4a:fe:bb:21:5d:95:38:d3:64:fa:a9:db:8f:19:50:
7e:fc:4b:08
And the Gmail one has significantly fewer:
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = gmail.com
verify return:1
DONE
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4284854849037125911 (0x3b76dcc876f7c917)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Google Trust Services, CN=Google Internet Authority G3
Validity
Not Before: Apr 24 10:18:04 2018 GMT
Not After : Jul 17 09:26:00 2018 GMT
Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d2:ac:df:ef:43:56:3f:e1:b4:b4:d9:f1:92:a5:
a4:10:cc:82:85:2f:18:12:b1:70:50:c9:c7:7a:e1:
36:d2:e7:45:0d:d6:78:45:41:28:be:1f:04:27:2c:
d4:c5:83:e5:e0:77:7a:45:68:a0:80:5e:c0:52:1e:
b2:dd:56:31:6d:4e:02:2a:bb:38:e4:4a:1d:24:2d:
85:93:3f:83:c1:25:6e:9e:01:a7:ed:42:38:24:0e:
e3:d6:87:ff:b5:42:00:3a:ac:a1:cd:99:ed:5b:99:
80:c9:f4:d2:77:24:fd:b3:77:e0:6f:0f:b6:47:c8:
b4:ff:78:fc:6a:27:90:4c:77:79:d2:b3:c7:3d:2e:
60:85:ec:49:cc:76:61:e6:f0:f2:13:c6:74:65:70:
32:a0:16:90:86:63:76:2d:9e:25:34:cd:8e:20:17:
c8:66:a6:22:16:27:cf:06:3f:a8:c9:c6:ec:c3:7a:
7e:3f:eb:dc:ab:c3:72:d2:18:72:2f:95:f0:c9:e9:
e7:46:39:e4:19:68:f9:92:26:7e:76:ea:47:ba:a8:
84:51:43:d5:2d:9e:ff:99:2f:70:c0:55:43:02:2e:
17:40:c3:b6:65:20:3d:fd:7a:e3:2e:dc:f2:d4:67:
6f:ef:ad:5d:36:69:94:47:a9:c6:45:a8:7a:54:af:
b6:8b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:gmail.com, DNS:*.gmail.com
Authority Information Access:
CA Issuers - URI:http://pki.goog/gsr2/GTSGIAG3.crt
OCSP - URI:http://ocsp.pki.goog/GTSGIAG3
X509v3 Subject Key Identifier:
E0:DC:7D:D6:1D:36:4A:4A:33:6C:8A:EA:58:6F:77:9F:96:9D:BF:E9
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:77:C2:B8:50:9A:67:76:76:B1:2D:C2:86:D0:83:A0:7E:A6:7E:BA:4B
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.11129.2.5.3
Policy: 2.23.140.1.2.2
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.pki.goog/GTSGIAG3.crl
Signature Algorithm: sha256WithRSAEncryption
54:ba:29:13:9b:6a:01:97:bd:4b:01:c2:18:0d:30:a4:b1:c0:
a8:d2:51:5b:d2:be:28:f5:02:d9:3e:3d:d5:70:e7:06:a1:9b:
24:08:1e:b2:61:22:c2:45:ed:4f:fd:7a:bd:15:12:5b:d1:50:
f3:fd:bf:01:7d:62:2b:86:33:90:63:e5:2f:c5:fb:b7:f3:cc:
d8:5f:4c:fc:a7:b5:da:8d:b3:98:b0:45:e4:f2:39:79:32:d4:
de:48:63:7a:90:35:4a:db:01:f7:20:9b:98:b1:13:9a:a0:45:
97:f8:3e:f7:61:8b:c6:f9:d4:70:a1:ac:61:3a:2b:14:00:fd:
32:30:e2:e1:40:be:9e:5a:2f:95:4e:9a:af:46:b5:f9:69:7b:
1d:95:d3:6e:4d:78:e3:1e:f6:a8:f3:ee:1d:27:fb:ee:09:81:
eb:b5:8e:6f:93:03:ee:1d:6b:ca:0b:62:c7:a5:dd:1e:b7:0a:
f2:ab:23:fd:27:bc:69:79:59:49:36:47:9b:31:2e:2b:24:b0:
61:56:59:35:af:d1:99:6b:1a:95:2d:b4:16:e1:13:73:57:0d:
8d:22:8f:60:3f:08:92:c9:d2:fe:4f:a7:49:94:d4:a1:a3:76:
1c:71:4f:42:1e:da:7c:35:50:02:fc:a3:7b:62:85:36:7c:39:
92:ae:e6:5b