openssl list certificate chain - Shell-Bash (1)

Last modified: 2023-12-03 15:18:07.848000             Author: Mango

OpenSSL List Certificate Chain - Shell Bash

OpenSSL is a powerful command-line tool for working with SSL/TLS certificates. One of its most useful features is the ability to list the entire certificate chain for a given domain. This is incredibly valuable when troubleshooting SSL/TLS connection issues.

To list the certificate chain for a domain using OpenSSL, simply run the following command in your shell:

openssl s_client -showcerts -servername example.com -connect example.com:443 </dev/null

This command initiates an SSL/TLS handshake with the server at example.com on port 443. The -servername option sends the host name in the SNI extension, so a server that hosts several names returns the chain for example.com rather than a default one, and redirecting stdin from /dev/null closes the session once the handshake completes instead of waiting for input. The -showcerts option instructs OpenSSL to print every certificate the server sent in the chain, including the root CA certificate when the server includes it.

The output will look something like this:

Certificate chain
 0 s:/CN=example.com
   i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
MIIFbTCCBFWgAwIBAgISBInBmOuMttn3qOIl1TbT9F+6MA0GCSqGSIb3DQEBCwUA
. . .
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIETjCCAzagAwIBAgIQAf2jggFvPDpI+fRfOHJnYzANBgkqhkiG9w0BAQsFADA/
. . .
-----END CERTIFICATE-----
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQRK+wgNajJ7qJMDmGLvhXKDANBgkqhkiG9w0BAQsFADBu
. . .
-----END CERTIFICATE-----

Each certificate in the chain is listed in order: the server (leaf) certificate, here the one for example.com, at the top, followed by any intermediate certificates, and finally the root CA certificate at the bottom. The i: (issuer) line of each entry should match the s: (subject) line of the entry below it.

This information can be invaluable when troubleshooting SSL/TLS connection issues, such as certificate verification failures or certificate chain errors.
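One way to turn that output into a quick chain-linkage check, as an added example that is not part of the original page: the script below parses saved s_client output (a constructed sample with placeholder CA names and placeholder certificate bodies) and reports whether each issuer matches the next subject and whether the server sent a root.

```shell
# Added example, not from the original page: check the linkage of a chain in
# saved `openssl s_client -showcerts` output, offline. Capture real output with
#   openssl s_client -showcerts -connect example.com:443 </dev/null >chain.txt
# and then run:  chain_report <chain.txt

# Constructed sample mirroring the output format above. The CA names and the
# base64 bodies are placeholders, so only the s:/i: lines carry information.
SAMPLE_CHAIN=$(cat <<'EOF'
Certificate chain
 0 s:/CN=example.com
   i:/C=US/O=Example Issuing CA/CN=Example R3
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVI=
-----END CERTIFICATE-----
 1 s:/C=US/O=Example Issuing CA/CN=Example R3
   i:/C=US/O=Example Root/CN=Example Root X1
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVI=
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=example.com
EOF
)

# chain_report reads s_client output on stdin and prints a single verdict:
# each certificate's issuer (i:) must equal the subject (s:) of the next one,
# and a self-issued final certificate means the server also sent the root.
chain_report() {
  awk '
    /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
    /^---$/        { exit }   # the chain listing ends at the first bare "---"
    END {
      if (n == 0) { print "no chain found"; exit }
      for (k = 1; k < n; k++)
        if (iss[k] != subj[k + 1]) { print "broken at index " (k - 1); exit }
      tail = (subj[n] == iss[n]) ? "root included" : "root not sent, chain ends at an intermediate"
      print "linked: " n " certs, " tail
    }'
}

printf '%s\n' "$SAMPLE_CHAIN" | chain_report
```

A "root not sent" verdict is normal for many servers, since clients are expected to hold the root in their own trust store; a "broken at index" verdict points at the certificate whose issuer the server never supplied.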

In conclusion, using OpenSSL's s_client command to list a domain's certificate chain is a powerful tool for any programmer working with SSL/TLS connections. Knowing how to use this feature can save time and prevent frustrating connection issues.