46

I use a mixture of Windows, Linux, and Macs and have noticed big differences in how each OS shows certificate details using the default tools available in each.

The way Windows displays certificate details is very succinct. Specifically, the certificate chain. See screenshot as an example.

[Screenshot: Windows certificate view]

And here it is again in Windows, but using the certutil tool. (okay it's inspecting a pfx but you get the point).

[Screenshot: Windows certutil view]

However on a Mac, this is how it shows the same cert in Keychain Access.

[Screenshot: Mac Keychain Access view]

As you can see, it doesn't have a nice hierarchical view that makes it easy to identify the certificate chain that Windows or certutil shows - at least not to my (possibly) untrained eyes. I also haven't figured out a way to show the certificate chain using openssl either, for example, the following command

openssl x509 -in certificate.crt -text

does not show a hierarchical chain - only the issuer. So is there a way to view a certificate's chain whether it be text or an image using openssl or native Mac tools?

[Edit]: I often create PFX files with the entire certificate chain (bar the root) for distribution within the company I work for. As part of the process I double check that the certs I've downloaded from the issuing CA are correct and that they're in the right order before passing it to openssl to mint the PFX. So to be clear, I'm questioning how to view the chain of a certificate I am working on locally on my computer.

1
  • 3
    You should click the expand arrow next to "Trust". Commented Oct 22, 2020 at 14:46

8 Answers

49

Use showcerts:

openssl s_client -showcerts -connect www.serverfault.com:443

Output with some information removed for brevity:

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = *.stackexchange.com
verify return:1
---
Certificate chain
 0 s:/CN=*.stackexchange.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
*REMOVED*
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
*REMOVED*
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.stackexchange.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
7
  • 4
    Thanks for the answer - that definitely works when retrieving certs from existing websites. I should have clarified that I'm performing this against a CA-issued cert as part of a larger task of building a cert and its chain to be used for various functions. I'll edit my original question to reflect this. Commented Apr 8, 2020 at 1:33
  • This shows the certs sent by the server which should be a full chain except optionally omitting the root, per RFCs 6101 2246 4346 5246. In practice many servers did (and do) this wrong, and (thus) many reliers work around it. E.g. as you show Stack uses a LetsEncrypt cert and follows their (current) advice to send the Identrust/DST intermediate -- but my Firefox (68esr) ignores it and validates using the ISRG intermediate instead. RFC 8446 largely capitulates on this. Commented Apr 8, 2020 at 6:34
  • 6
    When trying to see a cert chain via -showcerts, watch for error message "verify error:num=20:unable to get local issuer certificate" and message "verify error:num=21:unable to verify the first certificate". This seems to mean that openssl doesn't recognize a certificate in the chain. When this happens it doesn't print the complete chain either, making it very difficult to puzzle out what's really going on. Fallback - use a browser that has a larger certificate store than your o/s provides. Commented Oct 8, 2020 at 1:19
  • 4
    Is there really no tool in entire OpenSSL which would simply display all the certificate in the chain with their name hashes? Commented Aug 13, 2021 at 9:35
  • 1
    awk '/BEGIN /,/END /{next} 1' Commented Sep 4, 2024 at 14:32
15

From a certificate bundle, you can use crl2pkcs7 that is not limited to a CRL:

openssl crl2pkcs7 -nocrl -certfile server_bundle.pem | openssl pkcs7 -print_certs -noout

From a live server, we need an additional stage to get the list:

echo | openssl s_client -connect host:port [-servername host] -showcerts | openssl crl2pkcs7 -nocrl | openssl pkcs7 -noout -print_certs

Use the -servername parameter in case your host serves multiple domains to get the right certificate.

4
  • 1
    The "live server" syntax doesn't work for me without the addition of -certfile /dev/stdin (openssl 1.1.0l, 1.1.1n). crl2pkcs7 by default treats its input as a crl: -nocrl, no input. Commented Mar 14, 2023 at 20:42
  • @dave_thompson_085 I do not have the same experience: on a fedora, the given command on /etc/pki/tls/cert.pem shows only the subject and issuer for each cert of the bundle. Maybe related to the version, I am testing with openSSL 3.0 Commented Aug 18, 2023 at 11:54
  • You're right, I didn't think through -noout (and it's not version-dependent). It is true this displays info for the certs in the input file whether or not they are a chain as wanted by the Q -- but IF they are supplied by a CA they usually are. A notable exception presently is that LetsEncrypt is still supplying a 'chain' using the expired DST X3 root which is actually invalid and all modern clients actually replace, but LE plans to change this next year so this becomes less of an issue. Commented Aug 23, 2023 at 9:22
  • 2
    This command worked for me. I wanted to see each full certificate: echo "" |openssl s_client -showcerts google.com:443 | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -noout -print_certs -text | less Commented Dec 5, 2024 at 1:06
7

Just building upon Dave Thompson's answer, this is what you need to verify a certificate bundle/chain consisting of an intermediate and your own leaf:

# split your certificate chain into individual certificates
$ csplit -z -f individual- bundle.pem '/-----BEGIN CERTIFICATE-----/' '{*}'
1977
1850

# verify the chain and show the info in the chain
$ openssl verify -show_chain -untrusted individual-01 individual-00
individual-00: OK
Chain:
depth=0: CN = foobar.example.com (untrusted)
depth=1: C = NO, O = Buypass AS-983163327, CN = Buypass Class 2 CA 2 (untrusted)
depth=2: C = NO, O = Buypass AS-983163327, CN = Buypass Class 2 Root CA
5

I can't help for other Mac tools including native. OpenSSL is a pure commandline product with no GUI, although of course you could use the library part (libcrypto) and write your own GUI.

From commandline, openssl verify will if possible build (and validate) a chain from the/each leaf cert you give it, plus intermediate(s) from -untrusted (which can be repeated), and possibly more intermediate(s) to a root (or anchor) in -trusted or -CAfile and/or -CApath or the default truststore, which is usually determined by your system or build but can be overridden with envvars. If this fails it gives an error. In 1.1.0 up if it succeeds and you also specify -show_chain, it displays the subject names of each cert -- which may or may not be enough to identify them. If you only have one cert per subject, that's fairly easy. If you have certs for the same subject from different issuers, looking at the next cert's name (except on the last, which is selfsigned unless you also use -partial_chain) is enough. If you have multiple certs for the same subject and issuer it's harder.

I often create PFX files with the entire certificate chain (bar the root) for distribution within the company I work for. As part of the process I double check that the certs I've downloaded from the issuing CA are correct and that they're in the right order before passing it to openssl to mint the PFX.

Except for the 'bar the root' part, you could reverse this workflow. Instead of manually building and checking the chain and then using it, you could use openssl pkcs12 -export -chain and provide the possible chain certs as (or in) -CAfile and/or -CApath. That would build the chain (actually validating it also as a side-effect) and create a PKCS12 containing only the privatekey and leaf plus valid chain if successful, but give an error and create no output if unsuccessful -- i.e. if you don't have a valid chain.

1
  • Thanks for your suggestion! I wasn't fussed whether there was a GUI or not. It's the extracting of the information which was more pertinent to me. If openssl s_client -showcerts as suggested by @Bert could operate on a certificate on my local computer then that would suffice. As it stands today, it appears it cannot. Commented Apr 14, 2020 at 14:40
1

Based on Bert's answer. Extract only the needed parts from the certificates.

echo | openssl s_client -showcerts -connect ADDRESS:PORT \
  -servername HOSTNAME 2>/dev/null | \
  awk 'BEGIN{p=0; cmd="openssl x509 -noout -subject -issuer"}
    /BEGIN/{p=1} p==1{print | cmd} /END/{close(cmd); print "---"; p=0}'
1
  • upvoted, legit answer giving exactly what he asked for. if I knew awk better I'd add automatic indentation to follow the chain. Commented Sep 12 at 19:15
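
The indentation asked for in the comment above, combined with a check that a bundle is in leaf-to-root order, as an added example that is not part of any answer in this thread. `chain_tree` and the two sample functions are hypothetical names, and the sample input is constructed from names quoted on this page. The check compares issuer and subject names only, so `openssl verify` is still needed to validate signatures.

```shell
#!/bin/sh
# Added example: draw an indented chain from the subject=/issuer= lines printed
# by `openssl pkcs7 -print_certs -noout` or `openssl x509 -noout -subject -issuer`,
# and flag certificates that are out of order. chain_tree is a hypothetical name.
# Name comparison only: it does not verify signatures (use `openssl verify`).
chain_tree() {
  awk '
    # Drop the "subject=" / "issuer=" label and trailing whitespace.
    function val(s) { sub(/^[a-z]+= */, "", s); sub(/[ \t\r]+$/, "", s); return s }
    # Two spaces of indentation per chain level.
    function pad(k,   s, j) { s = ""; for (j = 0; j < k; j++) s = s "  "; return s }
    /^subject=/ { n++; subj[n] = val($0) }
    /^issuer=/ && n > 0 { iss[n] = val($0) }
    END {
      if (n == 0) { print "no subject=/issuer= lines found"; exit 2 }
      bad = 0
      for (i = 1; i <= n; i++) {
        tag = (subj[i] == iss[i]) ? "  [self-signed]" : ""
        printf "%s%d: %s%s\n", pad(i - 1), i - 1, subj[i], tag
        # In a leaf-first bundle each issuer must be the next subject.
        if (i < n && iss[i] != subj[i + 1]) {
          printf "%s   !! issuer \"%s\" is not the next subject\n", pad(i - 1), iss[i]
          bad = 1
        }
      }
      if (subj[n] != iss[n])
        printf "%s(issued by: %s, not in bundle)\n", pad(n), iss[n]
      exit bad
    }'
}

# Constructed sample: a correctly ordered two-certificate bundle (names only).
sample_ordered() {
  cat <<'EOF'
subject=CN = *.stackexchange.com
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

subject=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
EOF
}

# Constructed sample: intermediate placed before the leaf (wrong order).
sample_misordered() {
  cat <<'EOF'
subject=C = NO, O = Buypass AS-983163327, CN = Buypass Class 2 CA 2
issuer=C = NO, O = Buypass AS-983163327, CN = Buypass Class 2 Root CA

subject=CN = foobar.example.com
issuer=C = NO, O = Buypass AS-983163327, CN = Buypass Class 2 CA 2
EOF
}

# Demo on the constructed samples. With a real bundle:
#   openssl crl2pkcs7 -nocrl -certfile bundle.pem \
#     | openssl pkcs7 -print_certs -noout | chain_tree
sample_ordered | chain_tree
sample_misordered | chain_tree || echo "order check failed (exit $?)"
```

The function exits 0 when every issuer name matches the next subject, 1 when the order is broken, and 2 when no certificates were found, so it can gate a PFX build step.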
1

I also had the same challenge and next to that I discovered that openssl doesn't return the root ca. I have built an alternative specifically for this purpose which might be useful for other developers, see here: GitHub - Certificate ripper

Usage

  • Printing to the console
crip print --url=https://stackexchange.com

Output

Certificate ripper statistics:
- Certificate count

  * 3: https://stackexchange.com
         [cn=stackexchangecom]
         [cn=e6_o=lets-encrypt_c=us]
         [cn=isrg-root-x1_o=internet-security-research-group_c=us]

Certificates for url = https://stackexchange.com

[
[
  Version: V3
  Subject: CN=stackexchange.com
  Signature Algorithm: SHA384withECDSA, OID = 1.2.840.10045.4.3.3

  Key:  Sun EC public key, 256 bits
  public x coord: 43744386230906418572674963079067497116253721776182486177608075486552693802795
  public y coord: 52592616647969244701578043282850582294891540695395986146776624099306492038747
  parameters: secp256r1 [NIST P-256,X9.62 prime256v1] (1.2.840.10045.3.1.7)
  Validity: [From: Sun Jun 29 05:35:49 CEST 2025,
               To: Sat Sep 27 05:35:48 CEST 2025]
  Issuer: CN=E6, O=Let's Encrypt, C=US
  SerialNumber: 06:32:a9:49:12:7f:b9:f6:ff:52:31:cd:ca:94:93:4f:11:a6

Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =


[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://e6.i.lencr.org/
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 93 27 46 98 03 A9 51 68   8E 98 D6 C4 42 48 DB 23  .'F...Qh....BH.#
0010: BF 58 94 D2                                        .X..
]
]

[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://e6.c.lencr.org/39.crl]
]]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
]

[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.meta.stackexchange.com
  DNSName: *.stackexchange.com
  DNSName: stackexchange.com
]

[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 76 A7 85 28 F3 A8 0D 3D   6C D7 1D EA 64 3A B9 3F  v..(...=l...d:.?
0010: 95 DB 7F D9                                        ....
]
]

]
  Algorithm: [SHA384withECDSA]
  Signature:

]

<========== Next certificate for https://stackexchange.com ==========>

[
[
  Version: V3
  Subject: CN=E6, O=Let's Encrypt, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun EC public key, 384 bits
  public x coord: 33544624214879595901080607494054639950027787097700261428985818556436373079967754716763378306604804536953562479559726
  public y coord: 29282505716550359876088652089175574582220174797112460936156519019942441395880810275610087007658329365784666335133112
  parameters: secp384r1 [NIST P-384] (1.3.132.0.34)
  Validity: [From: Wed Mar 13 01:00:00 CET 2024,
               To: Sat Mar 13 00:59:59 CET 2027]
  Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  SerialNumber: 00:b0:57:3e:91:73:97:27:70:db:b4:87:cb:3a:45:2b:38

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://x1.i.lencr.org/
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 79 B4 59 E6 7B B6 E5 E4   01 73 80 08 88 C8 1A 58  y.Y......s.....X
0010: F6 E9 9B 6E                                        ...n
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://x1.c.lencr.org/]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

[8]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 93 27 46 98 03 A9 51 68   8E 98 D6 C4 42 48 DB 23  .'F...Qh....BH.#
0010: BF 58 94 D2                                        .X..
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:

]

<========== Next certificate for https://stackexchange.com ==========>

[
[
  Version: V3
  Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 4096 bits
  params: null
  modulus: 709477870415445373015359016562426660610553770685944520893298396600226760899977879191004898543350831842119174188613678136510262472550532722234131754439181090009824131001234702144200501816519311599904090606194984753842587622398776018408050245574116028550608708896478977104703101364577377554823893350339376892984086676842821506637376561471221178677513035811884589888230947855482554780924844280661412982827405878164907670403886160896655313460186264922042760067692235383478494519985672059698752915965998412445946254227413232257276525240006651483130792248112417425846451951438781260632137645358927568158361961710185115502577127010922344394993078948994750404287047493247048147066090211292167313905862438457453781042040498702821432013765502024105065778257759178356925494156447570322373310256999609083201778278588599854706241788119448943034477370959349516873162063461521707809689839710972753590949570167489887658749686740890549110678989462474318310617765270337415238713770800711236563610171101328052424145478220993016515262478543813796899677215192789612682845145008993144513547444131126029557147570005369943143213525671105288817016183804256755470528641042403865830064493168693765438364296560479053823886598989258655438933191724193029337334607
  public exponent: 65537
  Validity: [From: Thu Jun 04 13:04:38 CEST 2015,
               To: Mon Jun 04 13:04:38 CEST 2035]
  Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  SerialNumber: 00:82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen: no limit
]

[2]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 79 B4 59 E6 7B B6 E5 E4   01 73 80 08 88 C8 1A 58  y.Y......s.....X
0010: F6 E9 9B 6E                                        ...n
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:

]

The output is the same on every OS. Next to printing you can also export it as shown below:

  • Exporting to a p12 truststore
crip export p12 --url=https://stackexchange.com

The p12 option can be replaced for pem or der if you want a different output.

0

I know I am late. But I was looking for a solution for the same problem. After googling for 20 mins, I figured it out.

If the certificate chain is saved as Base64:

openssl pkcs7 -in certificate_chain.p7b -noout -text -print_certs

If the certificate chain is saved as DER:

openssl pkcs7 -inform DER -in certificate_chain.p7b -noout -text -print_certs
-1

Connect to server, obtain certificate and output in text format:

echo -n | openssl s_client -connect example.com:443 2> /dev/null | openssl x509 -text

echo -n will prevent openssl hanging.

1
  • 4
    That displays only the end-entity (server, leaf) cert, not any cert chain (nor even bundle) which is what this Q required. (And no, adding -showcerts doesn't help here; that includes the received but not validated chain in the output of s_client, but x509 reads only the first cert and discards any others.) Commented Aug 18, 2023 at 5:01
