On 22/12/2014 11:52, Jerry OELoo wrote:
> Hi All:
> I have used openssl command line to get some website's certificate
> chain. Now, I want to show root certificate information, but I do not
> find any command argument to do it.
>
> openssl s_client -showcerts -CApath /etc/ssl/certs -connect
> studentexclusives.hsbc.co.uk:443
>
> I use -CApath to set root certificate path.
>
> From below, I can get full certificate path. 3 certificates
>
> CONNECTED(00000003)
> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU
> = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign
> Class 3 Public Primary Certification Authority - G5
> verify return:1
> depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU
> = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign
> Class 3 Secure Server CA - G3
> verify return:1
> depth=0 C = GB, ST = London, L = London, O = HSBC Holdings plc, OU =
> HTSE, CN = studentexclusives.hsbc.co.uk
> verify return:1
>
>
> But in certificate chain, I only get 2 certificates information (I
> think these two are returned by the website.)
>
> ---
> Certificate chain
>  0 s:/C=GB/ST=London/L=London/O=HSBC Holdings
> plc/OU=HTSE/CN=studentexclusives.hsbc.co.uk
>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> Server CA - G3
> -----BEGIN CERTIFICATE-----
> ...
> -----END CERTIFICATE-----
>  1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> Server CA - G3
>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
> Primary Certification Authority - G5
> -----BEGIN CERTIFICATE-----
> ...
> -----END CERTIFICATE-----
> ---
>
> Now I want to also display root certificate "VeriSign Class 3 Public
> Primary Certification Authority - G5" information. How can I show it?
>
> Thanks!
>

This means the web server did not send it, but expects your client/browser
to find it (by name) in your local root certificates store, such as
/etc/ssl/certs.

Look in that directory for
"/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5"
and dump that file directly with

   openssl x509 -text -in /etc/ssl/certs/somefile.pem

Unfortunately no currently released version of s_client knows how to dump
out the constructed verification chain; there is only an option to dump the
server-supplied certificates (regardless of whether those were used by the
client or not). Hopefully some future version will have options to dump
either or both lists.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded