View an SSL certificate from the command line

I recently had some trouble with verifying an SSL certificate in PHP on a client’s server that I couldn’t reproduce anywhere else. It eventually turned out that the client’s IT department was presenting a different SSL certificate to the one served by the website.

To help me diagnose this, I used this command line script to display the SSL certificate:

#!/bin/sh
# Usage: getcert <hostname> - print the certificate the host presents on port 443
echo | openssl s_client -showcerts -servername "$1" -connect "$1":443 2>/dev/null \
    | openssl x509 -inform pem -noout -text

Running it against, the start looks like this:

 $ getcert
        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc,, CN=DigiCert High Assurance EV CA-1
            Not Before: Nov 24 00:00:00 2015 GMT
            Not After : Dec 29 12:00:00 2016 GMT
        Subject: businessCategory=Private Organization/ Castro St Ste 300/postalCode=94041, C=US, ST=California, L=Mountain View, O=Mozilla Foundation,
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):

In my case, I noticed that when I ran this script on the client’s server, the serial number and issuer were different, and that’s when I worked out that PHP was telling me the truth and that it didn’t trust the certificate!
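
The comparison that exposed the problem here, the same hostname presenting a different serial number and issuer depending on where you connect from, can be scripted. This is an added example, not part of the original post: the function names `cert_identity`, `fingerprint_of` and `compare_identity` are hypothetical, and it assumes you have saved the output of `cert_identity` for the host from a network you trust.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Print the serial, issuer and SHA-256 fingerprint of the leaf certificate
# that host $1 presents to *this* machine on port 443.
cert_identity() {
    echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
        | openssl x509 -noout -serial -issuer -fingerprint -sha256
}

# Extract the fingerprint from cert_identity output, upper-cased. The label
# is matched loosely because its case differs between OpenSSL versions.
fingerprint_of() {
    printf '%s\n' "$1" \
        | sed -n 's/^[A-Za-z0-9]* [Ff]ingerprint=//p' | tr 'a-f' 'A-F'
}

# Compare two cert_identity outputs: $1 recorded on a trusted network,
# $2 seen from here. Returns 0 on match, 1 on mismatch, 2 when either side
# has no fingerprint (connection failed, empty or truncated output).
compare_identity() {
    want=$(fingerprint_of "$1")
    got=$(fingerprint_of "$2")
    if [ -z "$want" ] || [ -z "$got" ]; then
        echo "no fingerprint to compare" >&2
        return 2
    fi
    if [ "$want" = "$got" ]; then
        echo "MATCH: same certificate"
        return 0
    fi
    echo "MISMATCH: a different certificate is being presented here"
    echo "--- trusted network"
    printf '%s\n' "$1" | grep -E '^(serial|issuer)='
    echo "--- this machine"
    printf '%s\n' "$2" | grep -E '^(serial|issuer)='
    return 1
}

# Usage: certdiff.sh <hostname> <file saved from a trusted network>
if [ "$#" -eq 2 ]; then
    compare_identity "$(cat "$2")" "$(cert_identity "$1")"
fi
```

A mismatch whose issuer is an internal or appliance CA points at TLS inspection on the path rather than a problem with the website itself.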