Pragmatism in the real world

View an SSL certificate from the command line

I recently had some trouble verifying an SSL certificate in PHP on a client’s server that I couldn’t reproduce anywhere else. It eventually turned out that the client’s IT department was presenting a different SSL certificate from the one served by the website.

To help me diagnose this, I used this command line script to display the SSL certificate:

getcert.sh

#!/bin/bash
# $1 is the hostname. It is used both for the TCP connection and as the SNI
# servername, so a name-based virtual host returns the right certificate.
# (Note: "!$" is bash history syntax and is not expanded inside a script,
# so the servername must be "$1" here.)
echo | openssl s_client -showcerts -servername "$1" -connect "$1:443" 2>/dev/null \
    | openssl x509 -inform pem -noout -text

Running it against mozilla.org, the start looks like this:

 $ getcert mozilla.org
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            05:0e:60:b3:c7:bd:9d:36:d5:eb:6a:c3:fb:c1:bd:e6
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV CA-1
        Validity
            Not Before: Nov 24 00:00:00 2015 GMT
            Not After : Dec 29 12:00:00 2016 GMT
        Subject: businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041, C=US, ST=California, L=Mountain View, O=Mozilla Foundation, CN=www.mozilla.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:b8:71:c1:e0:d1:87:20:8d:bc:56:6e:16:ad:21:
…

In my case, I noticed that when I ran this script on the client’s server, the serial number and issuer were different, and that’s when I worked out that PHP was telling me the truth and that it didn’t trust the certificate!
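Because the useful comparison is "what does this host present from *here* versus from *there*", it helps to reduce the certificate to a few key=value lines that can be diffed, and to compare by SHA-256 fingerprint rather than by eye. The script below is an added example and is not from the original post; it assumes the `openssl` command-line tool is on `PATH`, and the host and port are whatever you pass in. It keeps only the first certificate of the chain (the server's own), prints the fields worth comparing, and offers a `same_cert` check for two saved PEM files.

```shell
#!/bin/sh
# certinfo.sh - added example, not part of the original post.
# Summarise the leaf certificate a TLS server presents as key=value lines
# so output from two vantage points can be diffed, and compare two saved
# PEM certificates by SHA-256 fingerprint. Assumes openssl is on PATH.

# fetch_chain HOST [PORT]: print every PEM certificate the server sends.
# -servername sets SNI so a name-based virtual host returns the right cert;
# the empty line on stdin makes s_client exit after the handshake instead of
# waiting for application data.
fetch_chain() {
    host=$1
    port=${2:-443}
    echo | openssl s_client -showcerts -servername "$host" \
        -connect "$host:$port" 2>/dev/null \
        | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p'
}

# leaf_cert: from a PEM chain on stdin keep only the first certificate,
# which is the server's own (end-entity) certificate, not an intermediate.
leaf_cert() {
    sed '/^-----END CERTIFICATE-----/q'
}

# cert_summary: print the fields worth diffing for the PEM cert on stdin.
# RFC2253 name formatting gives one stable, comma-separated line per name.
cert_summary() {
    openssl x509 -noout -nameopt RFC2253 \
        -subject -issuer -serial -dates -fingerprint -sha256
}

# cert_cn: the subject CN of the PEM cert on stdin (e.g. www.mozilla.org).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_fingerprint: colon-separated SHA-256 fingerprint of the cert on stdin.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# same_cert FILE1 FILE2: succeed only if both PEM files hold the same
# certificate. A different fingerprint on the client's server means
# something between it and the origin is presenting its own certificate.
same_cert() {
    [ "$(cert_fingerprint < "$1")" = "$(cert_fingerprint < "$2")" ]
}

# Usage as a script: ./certinfo.sh HOST [PORT]
# Run it on your machine and on the suspect server, then diff the output.
if [ "$#" -ge 1 ]; then
    fetch_chain "$1" "${2:-443}" | leaf_cert | cert_summary
fi
```

To save what a host presents for later comparison, redirect `fetch_chain HOST | leaf_cert` to a file on each machine and run `same_cert` on the two files; a mismatch is the interception the original post describes, and the `issuer=` line of `cert_summary` usually names the proxy's CA.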