View an SSL certificate from the command line
I recently had some trouble with verifying an SSL in PHP on a client’s server that I couldn’t reproduce anywhere else. It eventually turned out that the client’s IT department was presenting a different SSL certificate to the one served by the website.
To help me diagnose this, I used this command line script to display the SSL certificate:
#!/bin/bash echo | openssl s_client -showcerts -servername !$ -connect $1:443 2>/dev/null \ | openssl x509 -inform pem -noout -text
Running it against mozilla.org, the start looks like this:
$ getcert mozilla.org Certificate: Data: Version: 3 (0x2) Serial Number: 05:0e:60:b3:c7:bd:9d:36:d5:eb:6a:c3:fb:c1:bd:e6 Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV CA-1 Validity Not Before: Nov 24 00:00:00 2015 GMT Not After : Dec 29 12:00:00 2016 GMT Subject: businessCategory=Private Organization/18.104.22.168.4.1.322.214.171.124.3=US/126.96.36.199.4.1.3188.8.131.52.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041, C=US, ST=California, L=Mountain View, O=Mozilla Foundation, CN=www.mozilla.org Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:b8:71:c1:e0:d1:87:20:8d:bc:56:6e:16:ad:21: …
In my case, I noticed that when I ran this script on the client’s server, the serial number and issuer were different, and that’s when I worked out that PHP was telling me the truth and that it didn’t trust the certificate!