Check Certificate Chain of webserver

Changing the certificate of a webserver sometimes also means changing the intermediate certificate(s). After reloading the webserver, it is important to check that the certificates are OK. Checking the webserver's own certificate is not a problem, but checking the intermediate chain is a bit more work.

The easiest way to check the webserver certificate is openssl(1) with the s_client(1) command. Its output shows the PEM-formatted webserver certificate.

The example below makes the check easier: it shows all the certificates in the chain sent by the webserver and also interprets them, presenting each one in human-readable form.

echo | openssl s_client -connect "$HOST:$PORT" -showcerts | \
    awk -v FILETMP="$(mktemp)" '
        /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ {
                print >> FILETMP
        }
        /-----END CERTIFICATE-----/ {
                close(FILETMP)   # flush the PEM block to disk before openssl x509 reads it
                print "----------------------------"
                system("openssl x509 -in " FILETMP " -subject -issuer -dates -noout ; : > " FILETMP)
        }
        END {
                print "----------------------------"
                system("rm -f " FILETMP)
        }'

The “-connect” option of openssl s_client(1) takes the webserver address as host:port, and the “-showcerts” option is needed to print out all the certificates sent by the webserver, not only the webserver's own one.

The awk(1) command creates a temporary file. After one certificate has been written to it, the “-----END CERTIFICATE-----” line triggers the execution of another openssl command, x509(1), which shows the details of that certificate.

The details can be adjusted with the arguments of the openssl x509(1) command; the example above uses “-subject -issuer -dates -noout” to show only the subject, the issuer and the two dates (notBefore, notAfter) of the certificate. For the other available options, check the openssl x509(1) man page.

After the openssl x509(1) command, the temporary file is cleared for the next certificate.

The output for the different certificates is separated by a line of dashes to make it easier to read. A nice side effect of the openssl s_client(1) call is its certificate verification output on stderr: since only stdout is piped into awk, it remains visible in the output and shows the verification status of the certificates. Verification errors, if there are any, appear here.

A whole script with even more functionality, such as checking a PEM file containing multiple certificates, is available in the cert-utils GitHub repository. Using this script makes checking the entire certificate chain even more convenient.
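As an added example (it is neither the snippet above nor the cert-utils script), the shell functions below do the same job without the awk temporary file and add the check that matters after a certificate change: each certificate's issuer must be the subject of the next one, and none may be expired. The names check_chain and check_server, and the HOST/PORT parameters, are my own; the functions only need openssl(1), awk(1) and sed(1).

```shell
# check_chain FILE: split a PEM bundle (leaf first, as a webserver sends it) into
# single certificates, print subject/issuer/dates for each and fail if a certificate
# has expired or its issuer is not the next certificate's subject (missing or misordered intermediate).
check_chain() {
    bundle=$1
    dir=$(mktemp -d) || return 2
    # one file per certificate, zero-padded so the glob below keeps the order sent by the server
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    rc=0; count=0; prev_issuer=""
    for cert in "$dir"/cert*.pem; do
        [ -f "$cert" ] || break        # glob did not match: no certificate in the bundle
        count=$((count + 1))
        # RFC2253 gives one canonical spelling, so issuer and subject compare exactly
        subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
        echo "----------------------------"
        echo "subject: $subject"
        echo "issuer:  $issuer"
        openssl x509 -in "$cert" -noout -dates
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "CHAIN ERROR: expected '$prev_issuer', got '$subject'" >&2
            rc=1
        fi
        # -checkend 0 exits non-zero once notAfter has passed
        if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
            echo "EXPIRED: $subject" >&2
            rc=1
        fi
        prev_issuer=$issuer
    done
    echo "----------------------------"
    rm -rf "$dir"
    [ "$count" -gt 0 ] || rc=1
    return $rc
}

# check_server HOST [PORT]: fetch the chain the webserver actually sends (-servername
# selects the right certificate on SNI virtual hosts) and run check_chain on it. Needs network.
check_server() {
    host=$1; port=${2:-443}
    bundle=$(mktemp) || return 2
    echo | openssl s_client -connect "$host:$port" -servername "$host" -showcerts >"$bundle"
    check_chain "$bundle"; rc=$?
    rm -f "$bundle"
    return $rc
}
```

The s_client verification messages on stderr stay visible in check_server, exactly as in the snippet above; check_chain can also be pointed at any saved PEM bundle.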
