Checking a website's security certificate with OpenSSL

You can use OpenSSL, which is commonly installed on Mac OS X and Linux systems and which is also available for other operating systems (the source code can be downloaded from OpenSSL Downloads and a Windows implementation is available at OpenSSL for Windows), to check the security certificate of a website using an openssl command in the form openssl s_client -showcerts -connect fqdn:port where fqdn is the fully qualified domain name (FQDN) of the website and port is the port that the website is listening on for HTTPS connections, which is usually well-known port 443, though it may sometimes be another port, such as the registered port 8443. The showcerts option instructs openssl to show all certificates in the public key certificate chain. E.g.:

Udemy - April2516-25off-sitewide120x600





$ openssl s_client -showcerts -connect www.cisco.com:443
CONNECTED(00000003)
depth=2 /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=CA/L=San Jose/O=Cisco Systems/OU=CCIT-ECM/CN=www.cisco.com
i:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akama
i SureServer CA G14-SHA2
-----BEGIN CERTIFICATE-----
MIIFaTCCBFGgAwIBAgIUHpQMQ40K9knnxmDGSx/MlFD25nkwDQYJKoZIhvcNAQEL
BQAwgY0xCzAJBgNVBAYTAk5MMRIwEAYDVQQHEwlBbXN0ZXJkYW0xJTAjBgNVBAoT
HFZlcml6b24gRW50ZXJwcmlzZSBTb2x1dGlvbnMxEzARBgNVBAsTCkN5YmVydHJ1
c3QxLjAsBgNVBAMTJVZlcml6b24gQWthbWFpIFN1cmVTZXJ2ZXIgQ0EgRzE0LVNI
QTIwHhcNMTYwMzE1MjEwMzIxWhcNMTcwMzE1MjEwMzE4WjBwMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCQ0ExETAPBgNVBAcTCFNhbiBKb3NlMRYwFAYDVQQKEw1DaXNj
byBTeXN0ZW1zMREwDwYDVQQLEwhDQ0lULUVDTTEWMBQGA1UEAxMNd3d3LmNpc2Nv
LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL31QU3tIaLo7Vbv
QQkxF4bk6FSeAV0jOTm4AW/EfMJ5K4TuTL6sWYcaNrRWLkU8olw3yuSpR+1jEgWx
abHnhv4XvaEHP18GLe9iWL0BkFbWQdgQb+KKUnqYMjt0vqijUQtmVjbP2QnPDzFM
kmdyveGYlsqbtQ2jSarxRt1Mpd/aNMpwgrL6O+gpKZvOqx699aIj+abNOfQJRWgt
nS+iLMzrUoHbt0UGdF7MA7yJoQiCYvUJU11ttC6pKdk65MThQXx3QxxYx3S5AfT6
UtrC07AheqkJ+4Hz7upP9hRSBxxj+IF2jhyIIc4V9AzA5ACaPtKwuBawzLNwDWVD
m9HsCE8CAwEAAaOCAdswggHXMAwGA1UdEwEB/wQCMAAwTAYDVR0gBEUwQzBBBgkr
BgEEAbE+ATIwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly9zZWN1cmUub21uaXJvb3Qu
Y29tL3JlcG9zaXRvcnkwga8GCCsGAQUFBwEBBIGiMIGfMC0GCCsGAQUFBzABhiFo
dHRwOi8vdmFzc2cxNDIub2NzcC5vbW5pcm9vdC5jb20wNgYIKwYBBQUHMAKGKmh0
dHBzOi8vY2FjZXJ0LmEub21uaXJvb3QuY29tL3Zhc3NnMTQyLmNydDA2BggrBgEF
BQcwAoYqaHR0cHM6Ly9jYWNlcnQuYS5vbW5pcm9vdC5jb20vdmFzc2cxNDIuZGVy
MBgGA1UdEQQRMA+CDXd3dy5jaXNjby5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBT4vfqvc3fGxxv5
S00Rp9Ezr69yETA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vdmFzc2cxNDIuY3Js
Lm9tbmlyb290LmNvbS92YXNzZzE0Mi5jcmwwHQYDVR0OBBYEFDQMXuZbOOP/MoeY
EMGSHxHYOaMwMA0GCSqGSIb3DQEBCwUAA4IBAQBkPgeICXVUMVtfkcO9WBf8lidi
EvAaIFLJtIg/u9bzgBJi/+v1FhJ30J27o4OFCO0Ks3zw0a5iS3Yf/jqtmWq11d97
zOn/okotg34IRaHACP6ose6sAepX7VwGxRetXvpOmCKDPGXE8ParFz5kowcyYQ5L
NitOW+cPfcFq1+FQdOiJsN0nzR4twiFv0W3xGB3OdXXRcL4BfzvFZub/eaSvRWhi
Fko98yJYay10PZmFlC30Ch4LEvZSwoFwqKENxtYr/mbKDlTkHtw0AIgVozumOwuh
EYauNJgFUaYfxOMYtR5ISTGcZDnG+tLhA4F/s+NJNYfmO1ZvY3zSK/fzjo9w
-----END CERTIFICATE-----
1 s:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA2
i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
-----BEGIN CERTIFICATE-----
MIIFHzCCBAegAwIBAgIEByekazANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJJ
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTE0MDQwMjE0MzYxMFoX
DTIxMDQwMjE0MzU1MlowgY0xCzAJBgNVBAYTAk5MMRIwEAYDVQQHEwlBbXN0ZXJk
YW0xJTAjBgNVBAoTHFZlcml6b24gRW50ZXJwcmlzZSBTb2x1dGlvbnMxEzARBgNV
BAsTCkN5YmVydHJ1c3QxLjAsBgNVBAMTJVZlcml6b24gQWthbWFpIFN1cmVTZXJ2
ZXIgQ0EgRzE0LVNIQTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDd
bp4CaQK1o5kuCGQyalnzxp6mIAfSSNGok8fqR4+DOUDXIF2Nmrqr2HDsnYjRvWL2
2+ydXjUBdgMj5W/Sr0Y1WVpc0agjwevpINRJ1j8A2Kgi3kN5gazppJL1d3AFHly2
oPeQpM2rKCyQwucPw68cR1nVhC7fJgdFI1rG6JDIhUuMFh5g+QET8RQf5ugU7cXS
b2MobnKMSa4IcseTlbQLDK6PmmeE9Vcb24HXF51BEUMZvW1Khe2PcCWrZqv2+m0c
PKvtF71WhOHbdTOyKEuZjvlLgjNQn5JT7fqtD5Wco/LLYPB3HckBi18thr6/Nrgk
lhN8wYZabMFIKn8+k2DFAgMBAAGjggG3MIIBszASBgNVHRMBAf8ECDAGAQH/AgEC
MEwGA1UdIARFMEMwQQYJKwYBBAGxPgEyMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8v
c2VjdXJlLm9tbmlyb290LmNvbS9yZXBvc2l0b3J5MIG6BggrBgEFBQcBAQSBrTCB
qjAyBggrBgEFBQcwAYYmaHR0cDovL29jc3Aub21uaXJvb3QuY29tL2JhbHRpbW9y
ZXJvb3QwOQYIKwYBBQUHMAKGLWh0dHBzOi8vY2FjZXJ0Lm9tbmlyb290LmNvbS9i
YWx0aW1vcmVyb290LmNydDA5BggrBgEFBQcwAoYtaHR0cHM6Ly9jYWNlcnQub21u
aXJvb3QuY29tL2JhbHRpbW9yZXJvb3QuZGVyMA4GA1UdDwEB/wQEAwIBxjAfBgNV
HSMEGDAWgBTlnVkwgkdYzKz6CFQ2hns6tQRN8DBCBgNVHR8EOzA5MDegNaAzhjFo
dHRwOi8vY2RwMS5wdWJsaWMtdHJ1c3QuY29tL0NSTC9PbW5pcm9vdDIwMjUuY3Js
MB0GA1UdDgQWBBT4vfqvc3fGxxv5S00Rp9Ezr69yETANBgkqhkiG9w0BAQsFAAOC
AQEAgNl67XIFN49hqnN8mmr8/gHiGYFwByUysPBvO8dqKD3kUYfmfoLsrkinsXc4
wtZWr4/yAfxlZRAJ93QptQ6S7pCY0YiiZbfNnA6nhpgovK4Vg7Ya1x3sGdp6jkD5
mRXVfaW6q/0mmG6cQTu2gRjscEjXbn+m4Xcl1t1i6FLzjBY5Z+IiDXcu+xFs5N04
tCdfA6g9ROLyhEuE/Vamnk17ohZPB/U0JHKlovoWZiqkSg7IDSdEnHfUEhCH0gAs
eruOiCKRFb6iWco04BxhlIYgM83nTF07kj7L1i3qVPr7r1T1qMULyouHAOaf5pW/
t8SjWfUWbF8+aVWAOfZ1UBQ+Mg==
-----END CERTIFICATE-----
2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Glo
bal Root
-----BEGIN CERTIFICATE-----
MIIEFTCCA36gAwIBAgIEByeO7TANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV
UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
b2JhbCBSb290MB4XDTEyMDQxODE2MzYxOFoXDTE4MDgxMzE2MzUxN1owWjELMAkG
A1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9yZTETMBEGA1UECxMKQ3liZXJUcnVz
dDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVyVHJ1c3QgUm9vdDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKrmD1X6CZymrV51Cni4eiVgLGw41uO
KymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjrIZ3AQSsBUnuId9Mcj8e6uYi1agnn
c+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeKmpYcqWe4PwzV9/lSEy/CG9VwcPCP
wBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSuXmD+tqYF/LTdB1kC1FkYmGP1pWPg
kAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZydc93Uk3zyZAsuT3lySNTPx8kmCFc
B5kpvcY67Oduhjprl3RjM71oGDHweI12v/yejl0qhqdNkNwnGjkCAwEAAaOCAUcw
ggFDMBIGA1UdEwEB/wQIMAYBAf8CAQMwSgYDVR0gBEMwQTA/BgRVHSAAMDcwNQYI
KwYBBQUHAgEWKWh0dHA6Ly9jeWJlcnRydXN0Lm9tbmlyb290LmNvbS9yZXBvc2l0
b3J5MA4GA1UdDwEB/wQEAwIBBjCBiQYDVR0jBIGBMH+heaR3MHUxCzAJBgNVBAYT
AlVTMRgwFgYDVQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJl
clRydXN0IFNvbHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3Qg
R2xvYmFsIFJvb3SCAgGlMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly93d3cucHVi
bGljLXRydXN0LmNvbS9jZ2ktYmluL0NSTC8yMDE4L2NkcC5jcmwwDQYJKoZIhvcN
AQEFBQADgYEAkx3+i65G7MupD6vl78qyaBZo2I/6E6mvs8st50tujmkqwisQCo32
rnO2ufsU/V9tuFC2xIrWQH7Xw8tz3MldW6+wQbU36+rcIJHENGr0ofOWnTeGl+Fx
pN19+kSElK7XCQQidg9kUTWpJA/5C9sy2sL+wbkqXHonE8qxSDpx0EM=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=CA/L=San Jose/O=Cisco Systems/OU=CCIT-ECM/CN=www.cisco.com
issuer=/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA2
---
No client certificate CA names sent
---
SSL handshake has read 3928 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher    : AES128-SHA
Session-ID: 485F4955BA893003F30C594FF4E5D6EB9FF2858748228141A3EA12E1703D89DB
Session-ID-ctx: 
Master-Key: 7FA045201CC1BBF171A9627216067659E20E126151D1CDDED95DEC7BC01A2A032EE7
0BC887EE8800FCD10343519DD455
Key-Arg   : None
Start Time: 1485534972
Timeout   : 300 (sec)
Verify return code: 0 (ok)
---
closed
$

From the top of the certificate chain, the one at level zero (0), I can see the public key infrastructure (PKI) certificate was issued to Cisco Systems by Verizon Enterprise Solutions.

Certificate chain
0 s:/C=US/ST=CA/L=San Jose/O=Cisco Systems/OU=CCIT-ECM/CN=www.cisco.com
i:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akama i SureServer CA G14-SHA2

The line beginning with s:/ is the subject line for the certificate, which indicates to whom the certifificate was issued and the line beginning with i:/ identifies the issuer of the certificate.

Next on the lines is the SSL certificate country code. The "C=US" indicates that the entity to whom the certificate was issued is in the United States whereas the country code for the issuer is the Netherlands. The "L=" portion of the lines indicates the locality, i.e., city name.

The "O=" indicates the organization name with "OU=" indicating the organization unit. The organization for the issuer is Verizon Enterprise Solutions, a division of Verizon Communications. There is a reference to CyberTrust in the OU of the issuer; CyberTrust was a security services company in the state of Virginia in the U.S. that was acquired by Verizon in 2007. CyberTrust was founded as a subsidiary of GTE Corporation's Government Systems Information Security Directorate, If you go back two more levels in the certificate chain to the first link in the certificate chain at level two (2), the following information appears for that root certificate:

s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root

For the other parts of the subject and issuer lines, "CN" is used for "common name". Cisco's web server resides on the Akamai Technologies, Inc. content delivery network (CDN), which accounts for the CN=Verizon Akamai SureServer CA G14-SHA2 reference.

If you want to know when a website's public certificate expires, you can use openssl commands as shown below:

$ echo | openssl s_client -connect cisco.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Jan 28 00:00:00 2016 GMT
notAfter=Jan 28 23:59:59 2018 GMT
$

The output shown above shows the site's certificate became valid on January 28, 2016 and expires on January 28, 2018. If you are uninterested in the start date and just want to see the expiration date, you can use the command below:

$ echo | openssl s_client -connect cisco.com:443 2>/dev/null | openssl x509 -noout -enddate
notAfter=Jan 28 23:59:59 2018 GMT
$

If I just wanted to see the certificate issuer information, I could use a command such as the one shown below:

$ echo | openssl s_client -connect cisco.com:443 2>/dev/null | openssl x509 -noout -issuer
issuer= /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
$

If I only wanted to see the digital fingerprint for the certificate, I could use the command below, which shows the Secure Hash Algorithm 1 (SHA-1) value for the certificate:

$ echo | openssl s_client -connect cisco.com:443 2>/dev/null | openssl x509 -noout -fingerprint
SHA1 Fingerprint=7A:48:D0:1C:55:C5:38:90:F6:5B:6D:E5:FD:2E:4F:13:D8:DE:23:9A
$

Related articles:

  1. Extracting information from a pem file
    Date: January 25, 2017

References:

  1. Checking A Remote Certificate Chain With OpenSSL
    By: Paul Kehrer
    Date: March 14, 2009
    langui.sh Languishing since 2008.