If the remote server is using SNI (that is, sharing multiple SSL hosts on a single IP address), you will need to send the correct hostname in order to get the right certificate.

The root CA is often kept offline for security purposes. Trusted Root Authority: a CA that has been configured as "Trusted" on an SSL client.

How to include the whole Certificate Chain in a PEM SSL Certificate; Practical Security: An 80/20 Approach to Fast-tracking Security Hygiene; vSphere 6.7 – Custom SSL Certificates – Jason.

Sometimes you need to know the SSL certificates and certificate chain for a server.

Client OS: Windows 7 64-bit, Internet Explorer. Server: Linux 64-bit. Thanks, Dave Thompson (2014-10-02 17:18:53 UTC).

In this step you'll take the place of VeriSign, Thawte, etc.

Using openssl to get the certificate from a server, with SNI.

The cipher used above should work for almost any Apache server, but will fail on IIS since it doesn't support 256-bit AES encryption.

One way to verify whether keytool exported my certificate in DER and PEM format correctly is to use OpenSSL to view those certificate files.

You'd also need to obtain the intermediate CA certificate chain. It seems openssl will stop verifying the chain as soon as a root certificate is encountered, which may also be Intermediate.pem if it is self-signed. So make sure that Intermediate.pem is coming from a trusted source before relying on the command above.

Connection was made via TLSv1/SSLv3 and the chosen cipher was RC4-MD5.

You can also call lab-WDL-DC1-CA an Intermediate CA.

openssl s_client -connect server.linuxadminonline.com:465

Use the Root CA key cakey.pem to create a Root CA certificate cacert.pem. Give the root certificate a long expiry date.

I may show examples of using OpenSSL, but documenting its use is out of scope for this article.

So what do you do?
From this article you will learn how to connect to a website over HTTPS and check its SSL certificate expiration date from the Linux command line.

Most of the time, an application like a web server will only need the certificate itself and the associated private key file. There are different reasons. In most cases, you will be asked to provide the certificate and the chain in one PEM certificate file.

Some nomenclature. Root Certificate Authority: the top level of the certificate signing chain.

The best way to examine the raw output is via (what else but) OpenSSL.

In any case, if you have to provide the whole chain, you are generally only given the option of uploading one PEM file.

Bob Plankers.

The SSL certificate might be used for bi-directional communication and needs the full chain so it knows to trust other servers signed in the chain.

Generate a certificate signing request based on an existing certificate:
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

Remove a passphrase from a private key:
openssl rsa -in privateKey.pem -out newPrivateKey.pem

Checking using OpenSSL.

A good TLS setup includes providing a complete certificate chain to your clients. That chain may or may not be in PEM format and may need to be converted using OpenSSL.

Retrieve an SSL Certificate from a Server With OpenSSL.

Am I missing something during the certificate creation process?

$ openssl s_client -connect incomplete-chain.badssl.com:443 -servername incomplete-chain.badssl.com
Verify return code: 21 (unable to verify the first certificate)
$ curl …

If you are doing a lot with SSL, make sure you have OpenSSL configured on your security workstation.

Incidentally, this typically means that the server you're connecting to is IIS.
Once that's satisfied, it issues a certificate that includes the validated information and signs it with the issuing certificate's private key.

Say we have a 3-certificate chain. Use the -showcerts flag to show the full certificate chain, and manually save all intermediate certificates to a chain.pem file:
openssl s_client -showcerts -host example.com -port 443