[openssl-users] How to display root certificate in command line

Jakob Bohm jb-openssl at wisemo.com
Mon Dec 22 14:03:28 UTC 2014


On 22/12/2014 11:52, Jerry OELoo wrote:
> Hi All:
> I have used the openssl command line to get some website's certificate
> chain. Now I want to show the root certificate information, but I do not
> find any command argument to do it.
>
> openssl s_client -showcerts -CApath /etc/ssl/certs -connect
> studentexclusives.hsbc.co.uk:443
>
> I use -CApath to set root certificate path.
>
> From below, I can get the full certificate path: 3 certificates
>
> CONNECTED(00000003)
> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU
> = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign
> Class 3 Public Primary Certification Authority - G5
> verify return:1
> depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU
> = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign
> Class 3 Secure Server CA - G3
> verify return:1
> depth=0 C = GB, ST = London, L = London, O = HSBC Holdings plc, OU =
> HTSE, CN = studentexclusives.hsbc.co.uk
> verify return:1
>
>
> But in the certificate chain, I only get 2 certificates' information (I
> think these two are returned by the website.)
>
> ---
> Certificate chain
>   0 s:/C=GB/ST=London/L=London/O=HSBC Holdings
> plc/OU=HTSE/CN=studentexclusives.hsbc.co.uk
>     i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> Server CA - G3
> -----BEGIN CERTIFICATE-----
> ...
> -----END CERTIFICATE-----
>   1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> Server CA - G3
>     i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
> Primary Certification Authority - G5
> -----BEGIN CERTIFICATE-----
> ...
> -----END CERTIFICATE-----
> ---
>
> Now I want to also display the root certificate "VeriSign Class 3 Public
> Primary Certification Authority - G5" information. How can I show it?
>
> Thanks!
>
This means the web server did not send it, but expects your
client/browser to find it (by name) in your local root certificates
store, such as /etc/ssl/certs.

Look in that directory for "/C=US/O=VeriSign, Inc./OU=VeriSign Trust
Network/OU=(c) 2006 VeriSign, Inc. - For authorized use
only/CN=VeriSign Class 3 Public Primary Certification Authority - G5"
and dump that file directly with

   openssl x509 -text -in /etc/ssl/certs/somefile.pem

Unfortunately no currently released version of s_client knows how to
dump out the constructed verification chain, there is only an option
to dump the server supplied certificates (regardless if those were
used by the client or not).  Hopefully some future version will have
options to dump either or both lists.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
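The lookup Jakob describes by hand (find the file in /etc/ssl/certs whose subject equals the issuer of the top-most server-sent certificate) is exactly what -CApath does internally: files in that directory are named by a hash of their subject name, and `openssl x509 -issuer_hash` prints the matching hash for a certificate's issuer. The script below, added here and not part of the original thread or of OpenSSL itself, automates that step. It builds a constructed fixture (a private root and a leaf it signed, installed under its hashed name in a temporary CApath) so it runs offline; the helper names `last_cert` and `find_root_in_capath` and the fixture subject names are assumptions of this example. It needs only the openssl command-line tool (`req`, `x509`, `verify`).

```shell
#!/bin/sh
# Added example (not from the original thread): find the root certificate that
# s_client did not print, the same way -CApath finds it, by issuer-name hash.
set -eu

# Print the last PEM certificate in a file, e.g. the output of
# "openssl s_client -showcerts", whose top-most cert is the one whose issuer
# is missing. Non-certificate lines (the "s:"/"i:" headers) are skipped.
last_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
         { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { last = buf }
         END { printf "%s", last }' "$1"
}

# Print the CApath file whose subject equals the issuer of the last cert in
# $1. Returns 1 if the store has no such certificate.
find_root_in_capath() {
    chain_file=$1
    capath=$2
    # -CApath lookups use <hash>.N file names; -issuer_hash on the child and
    # -subject_hash on the parent print the same value.
    want_hash=$(last_cert "$chain_file" | openssl x509 -noout -issuer_hash)
    want_name=$(last_cert "$chain_file" | openssl x509 -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    n=0
    while [ -f "$capath/$want_hash.$n" ]; do
        cand="$capath/$want_hash.$n"
        have_name=$(openssl x509 -in "$cand" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
        # Equal hashes are necessary but not sufficient: confirm the full name.
        if [ "$have_name" = "$want_name" ]; then
            echo "$cand"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# --- Constructed fixture (test data only, not a real CA) -------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/capath"
mkdir "$CAPATH"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example Org/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
# Install the root under its hashed name, as c_rehash / "openssl rehash" would.
cp "$WORK/root.pem" "$CAPATH/$(openssl x509 -in "$WORK/root.pem" -noout -subject_hash).0"
# What the "server" sent: only the leaf; the root is omitted, as in the thread.
cat "$WORK/leaf.pem" > "$WORK/chain.pem"

# --- Demo ------------------------------------------------------------------
ROOT_FILE=$(find_root_in_capath "$WORK/chain.pem" "$CAPATH")
echo "root found at: $ROOT_FILE"
openssl x509 -in "$ROOT_FILE" -noout -subject -issuer
# The same store verifies the chain, so this is the cert the client trusted.
openssl verify -CApath "$CAPATH" "$WORK/chain.pem"
```

Against a real capture, run `openssl s_client -showcerts -connect host:443 </dev/null > chain.pem` first and pass `chain.pem` together with `/etc/ssl/certs`; then `openssl x509 -text -noout -in "$ROOT_FILE"` prints the root that s_client left out. The full-name comparison matters because several distinct certificates can share one hash (hence the `.0`, `.1`, ... suffixes).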
