How to verify certificates with openssl

From time to time it may be necessary to verify which certificate is being presented by the server you are connecting to. Sometimes this is an SMTP server, sometimes a web server. While there are multiple methods that can be used to validate a certificate presented by a server, I am going to focus on openssl here.

OpenSSL is a robust, commercial-grade, full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. OpenSSL is available for multiple platforms including Linux, macOS and Windows (via gnuwin32). For this article I will be using the Windows version of OpenSSL, which can be downloaded from http://gnuwin32.sourceforge.net/packages/openssl.htm.

The syntax that we use depends on what type of server we are querying. To query a web server you would do the following:

openssl s_client -connect <server>:443

To query an SMTP server you would do the following:

openssl s_client -connect <server>:25 -starttls smtp

Here <server> is replaced with the fully qualified domain name (FQDN) of the server we want to check. The output generated contains multiple sections with --- separators between them. The following example shows a connection on port 443 against outlook.office365.com. The first section covers the connection information:

openssl s_client -connect outlook.office365.com:443
Loading 'screen' into random state - done
CONNECTED(00000274)
depth=1 /C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
verify error:num=20:unable to get local issuer certificate
verify return:0

The next section contains details about the certificate chain:

Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

The actual public server certificate is next:

Server certificate
-----BEGIN CERTIFICATE-----
MIIItjCCB56gAwIBAgIQC74LhQl0K3v4f4DcFGdtVDANBgkqhkiG9w0BAQsFADBL
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSUwIwYDVQQDExxE
aWdpQ2VydCBDbG91ZCBTZXJ2aWNlcyBDQS0xMB4XDTE4MTExOTAwMDAwMFoXDTIw
MTExOTEyMDAwMFowajELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv
bjEUMBIGA1UEAxMLb3V0bG9vay5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDetpbO/GvfvQExupvq/gN7BYoENrzXfo0vBX08585S3rTFVYRKbo2z
pK6J3QkYklqSwdHz3o4vjqDnizb8fnLl18H689E04NOikUxvDbcKKOWCn3uT0Iom
KftaKNsOn3RyTU21EFhTQZCtMIeO4fNr5wjDoseArGRsKBYvabCOwM3qShL0cBZ3
JHe8DDY7/6nDSZ4w+SzyPOlpvvhEe9Yqo+dWpKctTq7hLsc3Mj+zTxUKetp98zrj
CdnjPh5lL159a8Le2TBNK6dHBm+iuhgc0aHU2LK15evx2zC9h83qJNd9gcLJ85P3
/j2aOIlN7MjZgYT0vvyH+tl/Z23Ds3xRAgMBAAGjggV1MIIFcTAfBgNVHSMEGDAW
gBTdUdCiMXOpc66PtAF+XYxXy5/w9zAdBgNVHQ4EFgQUL0fgu9ydQXD6H71pyHQg
chVi6/AwggIQBgNVHREEggIHMIICA4IWKi5pbnRlcm5hbC5vdXRsb29rLmNvbYIN
Ki5vdXRsb29rLmNvbYILb3V0bG9vay5jb22CDW9mZmljZTM2NS5jb22CDyoub2Zm
aWNlMzY1LmNvbYIXKi5vdXRsb29rLm9mZmljZTM2NS5jb22CDCoub2ZmaWNlLmNv
bYISb3V0bG9vay5vZmZpY2UuY29tghRzdWJzdHJhdGUub2ZmaWNlLmNvbYIbYXR0
YWNobWVudC5vdXRsb29rLmxpdmUubmV0gh1hdHRhY2htZW50Lm91dGxvb2sub2Zm
aWNlLm5ldIIgYXR0YWNobWVudC5vdXRsb29rLm9mZmljZXBwZS5uZXSCFmF0dGFj
aG1lbnRzLm9mZmljZS5uZXSCFiouY2xvLmZvb3RwcmludGRucy5jb22CFioubnJi
LmZvb3RwcmludGRucy5jb22CHWNjcy5sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29t
giFjY3Mtc2RmLmxvZ2luLm1pY3Jvc29mdG9ubGluZS5jb22CGHN1YnN0cmF0ZS1z
ZGYub2ZmaWNlLmNvbYIaYXR0YWNobWVudHMtc2RmLm9mZmljZS5uZXSCCioubGl2
ZS5jb22CFm1haWwuc2VydmljZXMubGl2ZS5jb22CC2hvdG1haWwuY29tgg0qLmhv
dG1haWwuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwgY0GA1UdHwSBhTCBgjA/oD2gO4Y5aHR0cDovL2NybDMuZGlnaWNl
cnQuY29tL0RpZ2lDZXJ0Q2xvdWRTZXJ2aWNlc0NBLTEtZzEuY3JsMD+gPaA7hjlo
dHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRDbG91ZFNlcnZpY2VzQ0Et
MS1nMS5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYc
aHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwfAYIKwYBBQUH
AQEEcDBuMCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcHguZGlnaWNlcnQuY29tMEUG
CCsGAQUFBzAChjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRD
bG91ZFNlcnZpY2VzQ0EtMS5jcnQwDAYDVR0TAQH/BAIwADCCAYAGCisGAQQB1nkC
BAIEggFwBIIBbAFqAHYApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAA
AAFnKjH2xgAABAMARzBFAiEAgkAZ8zzg5y7zMtkNMJN/vjiMrVDSLbf42RIbQfTj
3CcCIAMLMBAi6BIMIt1ayd2qoZ2ksNuUdwz4rLjzM+onPVKXAHcAh3W/51l8+IxD
mV+9827/Vo1HVjb/SrVgwbTq/16ggw8AAAFnKjH3oQAABAMASDBGAiEA1EeZ3kA3
Y2Jrrx7XG/g/f+WFcJi/+V9V+lOQIibhmOcCIQD6pPK+aHMG44RSJ+3H+REBqTt/
TJRvaz8NeEsqmGpwDwB3ALvZ37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGF
AAABZyox99QAAAQDAEgwRgIhAOtvqLWoohYOEKq1ncVRfFFXEJBfErOdpmk/5M6d
Go0vAiEAhf41BMtlZy/iYVoB4YEBKVG+a/qfkpqbEgUOuntc0I8wDQYJKoZIhvcN
AQELBQADggEBAFp6MNDlve1g8tdkjdgMjAC9Hb/Av9PvVmclgwnQ2LdQUNIb2Mfy
N74+ZXNvlDjq9uKOLc+XVb+vglukYI9xu4/aPL83sOi9FVnM/A83WbteD7Xv12YE
2KDzWxbX3K228eoFXoK3QYNuuDBHl9l1q3C6J/llE4/DbH5Ycdhz901Ps3vxjDe/
YLRuZjVX/BjkTZZHaw+wKSPkCrtVuJoKkT3z+nh9nTQMMYTMFSR4HBbkZ5Cyqp+O
FlIzpbql18rIQiw+SQ4Yq0ed1PJb2/4Svxf/64iEO4RU5dtQaTQyKusnd81pbFnm
7ZdeSzDmyeMeJ0ZEHAxdwhkF4xbUThDIu6g=
-----END CERTIFICATE-----

Following the server certificate we see the Certificate Subject and Issuer:

subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1

If there is a client certificate sent it would be presented next:

No client certificate CA names sent

We next see details about the particular SSL handshake that occurred:

SSL handshake has read 3563 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 001600003A3AF7E3E3B0322BFC3652F223EA41E9A618AF56B523BCBC68FD4A02
    Session-ID-ctx:
    Master-Key: 81BD1BB5DE7999434F4A901C2E011777F6BB053A2FCA38D3D451C26350520C92C5B94A78CB3EECDC825A5785C9516175
    Key-Arg   : None
    Start Time: 1576695784
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

Next, if we query an SMTP server on port 25 with the -starttls smtp parameter, we get the corresponding information back from that server. Below is an example of the output from this type of query:

openssl s_client -connect contoso-com.mail.protection.outlook.com:25 -starttls smtp
Loading 'screen' into random state - done
CONNECTED(00000264)
depth=1 /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=mail.protection.outlook.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G3
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G3
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=mail.protection.outlook.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G3
---
No client certificate CA names sent
---
SSL handshake has read 3591 bytes and written 497 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 68110000CD09B74EBA065BFD1B14AD8CDC598FC2363B7AC4D80D1C1CE15F394B
    Session-ID-ctx:
    Master-Key: 0469C8F70ACF3A97FF1839A9F50A827FD5BBC6ABE732B243260350B7A1C23BB7F87483C37ED751D37BCDFDBCD7C0A547
    Key-Arg   : None
    Start Time: 1576697124
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 SMTPUTF8

In both of these examples the typical information that we use in troubleshooting is the certificate chain.

Example 1:

Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

Example 2:

Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=mail.protection.outlook.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G3
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G3
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
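As an added example (not part of the original article), the following bash wrapper automates the two s_client invocations shown above and pulls out the lines used in troubleshooting: the certificate chain and the final verify return code. It assumes a POSIX shell with awk, and an openssl binary on PATH for live probes (Git Bash or WSL on Windows; the command-line syntax is the same as the gnuwin32 build used in the article). It adds two options the article's commands do not use: -servername, so that a host serving several names returns the certificate for the name asked for, and an optional -CAfile, which gives openssl a root store so that the "unable to get local issuer certificate" result (verify return code 20) seen in both sessions above can be told apart from a genuinely broken chain. The sample output parsed when the script runs stand-alone is constructed from the article's outlook.office365.com session; the CA bundle path is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Wraps "openssl s_client"
# and summarises its output (chain + verify return code) for troubleshooting.

# Build the s_client command line.
#   $1 = FQDN, $2 = https|smtp, $3 = optional CA bundle (PEM) for -CAfile
# -servername sends SNI so a multi-name host returns the right certificate;
# -CAfile supplies the roots so a missing local root (error 20) can be
# distinguished from a server sending an incomplete or wrong chain.
build_s_client_cmd() {
    host=$1; kind=$2; cafile=${3:-}
    case $kind in
        https) cmd="openssl s_client -connect $host:443 -servername $host" ;;
        smtp)  cmd="openssl s_client -connect $host:25 -starttls smtp" ;;
        *)     echo "unknown kind: $kind (use https|smtp)" >&2; return 1 ;;
    esac
    if [ -n "$cafile" ]; then
        cmd="$cmd -CAfile $cafile"
    fi
    printf '%s\n' "$cmd"
}

# Read s_client output on stdin; print one line per chain entry
# (depth, subject, issuer) and a final "verify=<code> (<reason>)" line.
summarize_s_client() {
    awk '
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && /^---/         { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        in_chain && /^ *i:/        { sub(/^ *i:/, "");
                                     printf "depth %s subject=%s issuer=%s\n", depth, subj, $0 }
        /Verify return code:/      { sub(/^ *Verify return code: */, ""); print "verify=" $0 }
    '
}

# Just the numeric verify return code (0 means the chain verified).
verify_code() {
    summarize_s_client | sed -n 's/^verify=\([0-9]*\).*/\1/p'
}

# Live probe: run the built command and summarise it.
# stdin is redirected from /dev/null so s_client exits after the handshake
# instead of waiting for keyboard input (the article's SMTP session ends
# at "250 SMTPUTF8" for that reason).
probe_tls() {
    cmd=$(build_s_client_cmd "$@") || return 1
    $cmd </dev/null 2>/dev/null | summarize_s_client
}

# Constructed sample, trimmed from the article's outlook.office365.com
# session, so the parser can be exercised without network access.
sample_output() {
    cat <<'EOF'
CONNECTED(00000274)
depth=1 /C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted in this constructed sample]
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 20 (unable to get local issuer certificate)
---
EOF
}

# Stand-alone demo on the constructed sample. For a live check use e.g.
#   probe_tls outlook.office365.com https /path/to/ca-bundle.pem
sample_output | summarize_s_client
```

On the sample this prints the two chain entries followed by verify=20 (unable to get local issuer certificate). When the same probe is repeated with a CA bundle passed as the third argument and the code drops to 0, the original 20 was only the missing local root; if it stays non-zero, the server's chain itself needs attention.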

Depending on the problem I'm dealing with, I'll decide how to proceed next. If the system you are connecting from receives regular root certificate updates, there shouldn't be any issues with the root certificates.

The most common issue I see with certificates is missing root certificates. These problems are easily resolved by ensuring that you have installed the most recent root certificate update for your system.

If you find that the proper root certificates have been installed on the system, the next thing to check is that you can reach the certificate revocation list (CRL) to verify that the certificate is still valid. This requires internet access, and on a Windows system it can be checked using certutil:

certutil.exe -verify certificate.cer

At the very bottom of the output you should see:

Leaf certificate revocation check passed

If you don't have access to the internet you will see an error at this point.