
Verify whether a server is sending a verifiable CA chain

posted Feb 4, 2015, 6:59 AM by Daniele Albrizio   [ updated May 22, 2017, 6:07 AM ]
Weird hangs or trust problems are sometimes reported on systems whose certificate store is incomplete or not up to date.
The only way to avoid this is to provide the full certification chain server-side.

To verify that a server is correctly sending all the certificates needed to build the chain, you may issue the following command:

$ openssl s_client -CAfile /etc/ssl/certs/<your root CA certificate>.pem -connect <server-fqdn>:<ssl-service-port>

e.g. (complete chain; the verify error "self signed certificate in certificate chain" may be ignored, since it refers to the root CA, AddTrust External CA Root):

$ openssl s_client -CAfile /etc/ssl/certs/DigiCert_Assured_ID_Root_CA.pem -connect gino.units.it:443 | head -15
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=gino.units.it
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFOTCCBCGgAwIBAgIQL5gV6MAGC9mwMq39qSluSDANBgkqhkiG9w0BAQsFADBk


An incomplete chain results in the following error:

depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 2
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=mail.dimpo.units.it
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
---

The result of a complete-chain verification should be

    Verify return code: 0 (ok)
---

read:errno=0
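As an added example (not part of the original post), a small POSIX shell helper that classifies captured s_client output into the outcomes described above and counts how many certificates the server sent, using constructed samples abridged from the two runs shown; check_host is a hypothetical wrapper that needs network access:

```shell
#!/bin/sh
# Classify the result of an `openssl s_client` run from its captured output.
# Verdicts printed by classify_chain:
#   complete      - "Verify return code: 0 (ok)" is present
#   incomplete    - error 20: an intermediate is missing from what was sent
#   root-in-chain - only error 19 (self-signed root in chain), ignorable per post
#   other         - none of the above
classify_chain() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo complete
    elif printf '%s\n' "$out" | grep -q 'verify error:num=20:'; then
        echo incomplete
    elif printf '%s\n' "$out" | grep -q 'verify error:num=19:'; then
        echo root-in-chain
    else
        echo other
    fi
}

# Number of certificates the server actually sent (" N s:" lines of the chain section).
chain_length() {
    printf '%s\n' "$1" | grep -c '^ *[0-9][0-9]* s:' || true
}

# Live use (needs network; hypothetical wrapper, not run here):
# check_host() { classify_chain "$(openssl s_client -CAfile "$2" -connect "$1" </dev/null 2>&1)"; }

# Constructed samples abridged from the two runs shown in the post.
SAMPLE_INCOMPLETE='depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 2
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=mail.dimpo.units.it
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
---'
SAMPLE_COMPLETE='verify error:num=19:self signed certificate in certificate chain
CONNECTED(00000003)
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=gino.units.it
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
    Verify return code: 0 (ok)'
```

Feed the helper the full output of the s_client command from the post (redirect stderr into stdout so the verify lines are captured).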

