
In this blog post, we will view the certificate chain of local or remote SSL / TLS certificates. For this, we will use the openssl command.
What is a certificate chain?
A certificate chain is a sequence of digital certificates that are used to establish a trust relationship between a user's device and a secure website or service. Each certificate in the chain is issued by a trusted entity known as a Certificate Authority (CA). The chain typically starts with the end-entity certificate (the one issued to the website or service), followed by one or more intermediate certificates, and ends with a root certificate issued by a trusted CA.
Example: Download CA certificate
For our example, we will download and examine the contents of the CA certificate chain of the cacert.pem file from the official curl website.
https://curl.se/docs/caextract.html
Save the file locally somewhere.
View certificate chain of local SSL / TLS certificate
To view the SSL / TLS certificate chain of this pem file cacert.pem stored locally, this is what you do:
openssl crl2pkcs7 -nocrl -certfile cacert.pem | openssl pkcs7 -print_certs -noout
That's all. It prints the subject and issuer of every certificate in the file. In this file each subject matches its issuer, because the entries are self-signed root certificates.
$ openssl crl2pkcs7 -nocrl -certfile ~/.cacert.pem | openssl pkcs7 -print_certs -noout
subject=/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
subject=/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
issuer=/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
subject=/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3
issuer=/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3
subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
...
subject=/C=CN/O=TrustAsia Technologies, Inc./CN=TrustAsia TLS RSA Root CA
issuer=/C=CN/O=TrustAsia Technologies, Inc./CN=TrustAsia TLS RSA Root CA
subject=/C=DE/O=D-Trust GmbH/CN=D-TRUST EV Root CA 2 2023
issuer=/C=DE/O=D-Trust GmbH/CN=D-TRUST EV Root CA 2 2023
subject=/C=CH/O=SwissSign AG/CN=SwissSign RSA TLS Root CA 2022 - 1
issuer=/C=CH/O=SwissSign AG/CN=SwissSign RSA TLS Root CA 2022 - 1
subject=/C=CH/O=OISTE Foundation/CN=OISTE Server Root ECC G1
issuer=/C=CH/O=OISTE Foundation/CN=OISTE Server Root ECC G1
subject=/C=CH/O=OISTE Foundation/CN=OISTE Server Root RSA G1
issuer=/C=CH/O=OISTE Foundation/CN=OISTE Server Root RSA G1
View certificate chain of remote SSL / TLS certificate
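To view the SSL / TLS certificate chain of a website, for example, xkcd.com, we do this:
echo | openssl s_client -connect xkcd.com:443 -showcerts | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -noout -print_certs
The -certfile /dev/stdin option matters: with -nocrl, crl2pkcs7 reads certificates only from -certfile, so without it the pkcs7 step has nothing to print and the only output is the verification trace that s_client writes to standard error, as in this run:
$ echo | openssl s_client -connect xkcd.com:443 -showcerts | openssl crl2pkcs7 -nocrl | openssl pkcs7 -noout -print_certs
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2025 Q3
verify return:1
depth=0 CN = i.ssl-67-default.ssl.fastly.net
verify return:1
DONE
The trace lists the chain from the root (depth=2) down to the server certificate (depth=0).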
Another one. I want to view the SSL / TLS certificates for uis.edu.
echo | openssl s_client -connect uis.edu:443 -showcerts | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -noout -print_certs
Here -certfile /dev/stdin hands the certificates received by s_client to crl2pkcs7, which with -nocrl reads certificates only from -certfile. The run below was made without it, so it shows only the verification trace that s_client writes to standard error:
$ echo | openssl s_client -connect uis.edu:443 -showcerts | openssl crl2pkcs7 -nocrl | openssl pkcs7 -noout -print_certs
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = US, O = Internet2, CN = InCommon RSA Server CA 2
verify return:1
depth=0 C = US, ST = Illinois, O = University of Illinois, CN = www.uis.edu
verify return:1
DONE
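An added example, not part of the original post: a shell function that reads the subject= and issuer= lines printed by openssl pkcs7 -print_certs and checks that each certificate's issuer is the subject of the next one, the order a server is expected to send its chain in. The name check_chain_order and the sample certificates are constructed for illustration, and the check compares names only.

```shell
# Added example. check_chain_order is a hypothetical helper, not an openssl feature.
# Input: "subject=" / "issuer=" lines on stdin. Names only; no signature or date checks.
# Exit status: 0 = no broken link, 1 = a certificate is out of order, 2 = no input.
check_chain_order() {
    awk '
        /^subject=/ { n++; subj[n] = substr($0, 9); next }
        /^issuer=/  { iss[n] = substr($0, 8) }
        END {
            if (n == 0) { print "no certificates found"; exit 2 }
            bad = 0
            for (i = 1; i <= n; i++) {
                if (iss[i] == subj[i]) {
                    printf "cert %d: self-signed: %s\n", i, subj[i]
                } else if (i < n && iss[i] == subj[i + 1]) {
                    printf "cert %d: issued by cert %d\n", i, i + 1
                } else if (i == n) {
                    printf "cert %d: issuer not sent, must be in the trust store: %s\n", i, iss[i]
                } else {
                    printf "cert %d: BROKEN LINK, next subject is not: %s\n", i, iss[i]
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample: leaf followed by its issuing CA (correct order).
sample_ordered() {
    cat <<'EOF'
subject=CN = www.example.test
issuer=CN = Example Issuing CA
subject=CN = Example Issuing CA
issuer=CN = Example Root CA
EOF
}

# Constructed sample: an unrelated CA sits between the leaf and its issuer.
sample_misordered() {
    cat <<'EOF'
subject=CN = www.example.test
issuer=CN = Example Issuing CA
subject=CN = Example Other CA
issuer=CN = Example Root CA
subject=CN = Example Issuing CA
issuer=CN = Example Root CA
EOF
}
sample_ordered | check_chain_order
sample_misordered | check_chain_order || echo "chain is out of order"
```

To check a live server, pipe the output of the s_client | crl2pkcs7 -nocrl -certfile /dev/stdin | pkcs7 -print_certs -noout pipeline into check_chain_order. Cryptographic validation of the chain is a separate step, done with openssl verify.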
Conclusion
Hopefully, this blog post will help you read and find information in certificate bundle chains. If you have questions, please feel free to add a comment here or email me. Thanks for reading.