OpenSSL installer for Windows: https://slproweb.com/products/Win32OpenSSL.html
OpenSSL s_client documentation: https://docs.openssl.org/3.5/man1/openssl-s_client/#options
From the documentation of the -showcerts parameter:
Displays the server certificate list as sent by the server: it only consists of certificates the server has sent (in the order the server has sent them). It is not a verified chain.
GlobalSign root certificates: https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates
Tested against several websites:
• Websites that send the server cert and 2 ICAs (intermediate CA certs). The last ICA is special: there is another cert with the same Subject Key Identifier that is self-signed and exists in the Root store on Windows, so when the chain is built, the root CA is that self-signed cert:
www.google.com
www.baidu.com
• Website that sends only the server cert and an ICA:
stackoverflow.com
OpenSSL commands to get the SSL certs:
D:\Program Files\OpenSSL-Win64\bin>openssl s_client -connect www.google.com:443 -showcerts > google.txt
Connecting to 2404:6800:4002:819::2004
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WR2
verify return:1
depth=0 CN=www.google.com
verify return:1
FC300000:error:0A000126:SSL routines::unexpected eof while reading:ssl\record\rec_layer_s3.c:701:
D:\Program Files\OpenSSL-Win64\bin>openssl s_client -connect www.baidu.com:443 -showcerts > baidu.txt
Connecting to 45.113.192.101
depth=2 OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018
verify return:1
depth=0 C=CN, ST=beijing, L=beijing, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com
verify return:1
D:\Program Files\OpenSSL-Win64\bin>openssl s_client -connect stackoverflow.com:443 -showcerts > stackoverflow.txt
Connecting to 172.64.155.249
depth=1 C=US, O=Let's Encrypt, CN=E5
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=stackoverflow.com
verify return:1
Google:
Certificates from openssl:
0 s:CN=www.google.com
i:C=US, O=Google Trust Services, CN=WR2
a:PKEY: EC, (prime256v1); sigalg: sha256WithRSAEncryption
v:NotBefore: Jun 23 08:42:14 2025 GMT; NotAfter: Sep 15 08:42:13 2025 GMT
1 s:C=US, O=Google Trust Services, CN=WR2
i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
a:PKEY: RSA, 4096 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
Cert details:
0:
Subject: CN=www.google.com
Thumbprint: 1868D7A66E58DBF04BB653AFBA2B82594F36D873
Issuer: CN=WR2, O=Google Trust Services, C=US
NotBefore: 6/23/2025 4:42:14 PM
NotAfter: 9/15/2025 4:42:13 PM
Subject Key Identifier: 6046398F1C4C0A1E9E0ED9D298D25E545D11E2F6
Authority Key Identifier: DE1B1EED7915D43E3724C321BBEC34396D42B230
1:
Subject: CN=WR2, O=Google Trust Services, C=US
Thumbprint: 66E4161260B100FEE0DE287A9A5293B4C2224AE6
Issuer: CN=GTS Root R1, O=Google Trust Services LLC, C=US
NotBefore: 12/13/2023 5:00:00 PM
NotAfter: 2/20/2029 10:00:00 PM
Subject Key Identifier: DE1B1EED7915D43E3724C321BBEC34396D42B230
Authority Key Identifier: E4AF2B26711A2B4827852F52662CEFF08913713E
2:
Subject: CN=GTS Root R1, O=Google Trust Services LLC, C=US
Thumbprint: 08745487E891C19E3078C1F2A07E452950EF36F6
Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
NotBefore: 6/19/2020 8:00:42 AM
NotAfter: 1/28/2028 8:00:42 AM
Subject Key Identifier: E4AF2B26711A2B4827852F52662CEFF08913713E
Authority Key Identifier: 607B661A450D97CA89502F7D04CD34A8FFFCFD4B
Cert chain when built on Windows:
1868D7A66E58DBF04BB653AFBA2B82594F36D873 CN=www.google.com
66E4161260B100FEE0DE287A9A5293B4C2224AE6 CN=WR2, O=Google Trust Services, C=US
E1C950E6EF22F84C5645728B922060D7D5A7A3E8 CN=GTS Root R1, O=Google Trust Services LLC, C=US
The root CA thumbprint differs from the one above, but the Subject Key Identifier is the same: E4AF2B26711A2B4827852F52662CEFF08913713E. The difference is that E1C950E6EF22F84C5645728B922060D7D5A7A3E8 is in the Root store, while 08745487E891C19E3078C1F2A07E452950EF36F6 is not.
> Get-ChildItem -path cert:\LocalMachine\Root\E1C950E6EF22F84C5645728B922060D7D5A7A3E8
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root
Thumbprint Subject
---------- -------
E1C950E6EF22F84C5645728B922060D7D5A7A3E8 CN=GTS Root R1, O=Google Trust Services LLC, C=US
> Get-ChildItem -path cert:\LocalMachine\Root\08745487E891C19E3078C1F2A07E452950EF36F6
Get-ChildItem : Cannot find path '\LocalMachine\Root\08745487E891C19E3078C1F2A07E452950EF36F6' because it does not
exist.
Here is the root CA from the built cert chain (self-signed):
(from Root cert store)
Subject: CN=GTS Root R1, O=Google Trust Services LLC, C=US
Thumbprint: E1C950E6EF22F84C5645728B922060D7D5A7A3E8
Issuer: CN=GTS Root R1, O=Google Trust Services LLC, C=US
NotBefore: 6/22/2016 8:00:00 AM
NotAfter: 6/22/2036 8:00:00 AM
Subject Key Identifier: E4AF2B26711A2B4827852F52662CEFF08913713E
Authority Key Identifier:
Issuer of 08745487E891C19E3078C1F2A07E452950EF36F6
(also in root store)
Thumbprint: B1BC968BD4F49D622AA89A81F2150152A41D829C
Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
NotBefore: 9/1/1998 8:00:00 PM
NotAfter: 1/28/2028 8:00:00 PM
Subject Key Identifier: 607B661A450D97CA89502F7D04CD34A8FFFCFD4B
Authority Key Identifier:
> Get-ChildItem -path cert:\LocalMachine\Root\B1BC968BD4F49D622AA89A81F2150152A41D829C
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root
Thumbprint Subject
---------- -------
B1BC968BD4F49D622AA89A81F2150152A41D829C CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Baidu:
Certificates from openssl:
0 s:C=CN, ST=beijing, L=beijing, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com
i:C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Jul 8 01:41:02 2024 GMT; NotAfter: Aug 9 01:41:01 2025 GMT
1 s:C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018
i:OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Nov 21 00:00:00 2018 GMT; NotAfter: Nov 21 00:00:00 2028 GMT
2 s:OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Sep 19 00:00:00 2018 GMT; NotAfter: Jan 28 12:00:00 2028 GMT
Cert details:
0:
Subject: CN=baidu.com, O="Beijing Baidu Netcom Science Technology Co., Ltd", L=beijing, S=beijing, C=CN
Thumbprint: EF0FBE1302E2C4D489BA8FBA88EF6F95DCCF7BE0
Issuer: CN=GlobalSign RSA OV SSL CA 2018, O=GlobalSign nv-sa, C=BE
NotBefore: 7/8/2024 9:41:02 AM
NotAfter: 8/9/2025 9:41:01 AM
Subject Key Identifier: ADCA0054CAD8E594B68F83DA2780284E59243B18
Authority Key Identifier: F8EF7FF2CD7867A8DE6F8F248D88F1870302B3EB
1:
Subject: CN=GlobalSign RSA OV SSL CA 2018, O=GlobalSign nv-sa, C=BE
Thumbprint: DFE83023062B997682708B4EAB8E819AFF5D9775
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
NotBefore: 11/21/2018 8:00:00 AM
NotAfter: 11/21/2028 8:00:00 AM
Subject Key Identifier: F8EF7FF2CD7867A8DE6F8F248D88F1870302B3EB
Authority Key Identifier: 8FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC
2:
Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Thumbprint: 0BBFAB97059595E8D1EC48E89EB8657C0E5AAE71
Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
NotBefore: 9/19/2018 8:00:00 AM
NotAfter: 1/28/2028 8:00:00 PM
Subject Key Identifier: 8FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC
Authority Key Identifier: 607B661A450D97CA89502F7D04CD34A8FFFCFD4B
Cert chain when built on Windows:
EF0FBE1302E2C4D489BA8FBA88EF6F95DCCF7BE0 CN=baidu.com, O="Beijing Baidu Netcom Science Technology Co., Ltd", L=beijing, S=beijing, C=CN
DFE83023062B997682708B4EAB8E819AFF5D9775 CN=GlobalSign RSA OV SSL CA 2018, O=GlobalSign nv-sa, C=BE
D69B561148F01C77C54578C10926DF5B856976AD CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
The root CA thumbprint differs from the one above, but the Subject Key Identifier is the same: 8FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC. The difference is that D69B561148F01C77C54578C10926DF5B856976AD is in the Root store, while 0BBFAB97059595E8D1EC48E89EB8657C0E5AAE71 is not.
> Get-ChildItem -path cert:\LocalMachine\Root\D69B561148F01C77C54578C10926DF5B856976AD
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root
Thumbprint Subject
---------- -------
D69B561148F01C77C54578C10926DF5B856976AD CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
> Get-ChildItem -path cert:\LocalMachine\Root\0BBFAB97059595E8D1EC48E89EB8657C0E5AAE71
Get-ChildItem : Cannot find path '\LocalMachine\Root\0BBFAB97059595E8D1EC48E89EB8657C0E5AAE71' because it does not
exist.
Here is the root CA from the built cert chain (self-signed):
(from Root cert store)
Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Thumbprint: D69B561148F01C77C54578C10926DF5B856976AD
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
NotBefore: 3/18/2009 6:00:00 PM
NotAfter: 3/18/2029 6:00:00 PM
Subject Key Identifier: 8FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC
Authority Key Identifier:
Issuer of 0BBFAB97059595E8D1EC48E89EB8657C0E5AAE71
(also in root store)
Thumbprint: B1BC968BD4F49D622AA89A81F2150152A41D829C
Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
NotBefore: 9/1/1998 8:00:00 PM
NotAfter: 1/28/2028 8:00:00 PM
Subject Key Identifier: 607B661A450D97CA89502F7D04CD34A8FFFCFD4B
Authority Key Identifier:
> Get-ChildItem -path cert:\LocalMachine\Root\B1BC968BD4F49D622AA89A81F2150152A41D829C
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root
Thumbprint Subject
---------- -------
B1BC968BD4F49D622AA89A81F2150152A41D829C CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Stackoverflow:
Certificates from openssl:
0 s:CN=stackoverflow.com
i:C=US, O=Let's Encrypt, CN=E5
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA384
v:NotBefore: Jun 28 16:19:38 2025 GMT; NotAfter: Sep 26 16:19:37 2025 GMT
1 s:C=US, O=Let's Encrypt, CN=E5
i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
Cert details:
0:
Subject: CN=stackoverflow.com
Thumbprint: E0B417CFA7F9BB42B46EF67B92AF04AB781D5BC0
Issuer: CN=E5, O=Let's Encrypt, C=US
NotBefore: 6/29/2025 12:19:38 AM
NotAfter: 9/27/2025 12:19:37 AM
Subject Key Identifier: FA23C4070AE97BF847F71EEEF651AB4EAA39A345
Authority Key Identifier: 9F2B5FCF3C214F9D04B7ED2B2CC4C6708BD2D70D
1:
Subject: CN=E5, O=Let's Encrypt, C=US
Thumbprint: 5F28D9C589EE4BF31A11B78C72B8D13F079DDC45
Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
NotBefore: 3/13/2024 8:00:00 AM
NotAfter: 3/13/2027 7:59:59 AM
Subject Key Identifier: 9F2B5FCF3C214F9D04B7ED2B2CC4C6708BD2D70D
Authority Key Identifier: 79B459E67BB6E5E40173800888C81A58F6E99B6E
Cert chain when built on Windows:
E0B417CFA7F9BB42B46EF67B92AF04AB781D5BC0 CN=stackoverflow.com
5F28D9C589EE4BF31A11B78C72B8D13F079DDC45 CN=E5, O=Let's Encrypt, C=US
CABD2A79A1076A31F21D253635CB039D4329A5E8 CN=ISRG Root X1, O=Internet Security Research Group, C=US
Root CA is in root store:
> Get-ChildItem -path cert:\LocalMachine\Root\CABD2A79A1076A31F21D253635CB039D4329A5E8
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root
Thumbprint Subject
---------- -------
CABD2A79A1076A31F21D253635CB039D4329A5E8 CN=ISRG Root X1, O=Internet Security Research Group, C=US
Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Thumbprint: CABD2A79A1076A31F21D253635CB039D4329A5E8
Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
NotBefore: 6/4/2015 7:04:38 PM
NotAfter: 6/4/2035 7:04:38 PM
Subject Key Identifier: 79B459E67BB6E5E40173800888C81A58F6E99B6E
Authority Key Identifier:
C# code on Windows:
Build cert chain:
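using System;
using System.Security.Cryptography.X509Certificates;

// Load the server cert and let Windows build the chain from the local cert stores.
var cert = new X509Certificate2(@"D:\Temp\temp_cert\test_cert_sent_from_server\googleserver.cer");
var chain = new X509Chain();
// The return value of Build (chain valid or not) is ignored here; only the elements are listed.
chain.Build(cert);
foreach (var chainCert in chain.ChainElements)
{
    Console.WriteLine($"{chainCert.Certificate.Thumbprint} {chainCert.Certificate.Subject}");
}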
Check cert properties:
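using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text;

var cert = new X509Certificate2(@"D:\Temp\temp_cert\test_cert_sent_from_server\googleserver.cer");
Console.WriteLine($"Subject: {cert.Subject}");
Console.WriteLine($"Thumbprint: {cert.Thumbprint}");
Console.WriteLine($"Issuer: {cert.Issuer}");
Console.WriteLine($"NotBefore: {cert.NotBefore}");
Console.WriteLine($"NotAfter: {cert.NotAfter}");
// SKI RawData is an OCTET STRING (04 <len> <key id>), so the key id starts at byte 2.
Console.WriteLine($"Subject Key Identifier: {GetExtensionValueInHexString(cert, "Subject Key Identifier", 2)}");
// AKI RawData is SEQUENCE { [0] keyIdentifier } (30 <len> 80 <len> <key id>), so the key id starts at byte 4.
// The fixed offset assumes the extension carries only the keyIdentifier field.
Console.WriteLine($"Authority Key Identifier: {GetExtensionValueInHexString(cert, "Authority Key Identifier", 4)}");

// Helper methods; they belong in the class that contains the code above.

// Returns the extension's raw bytes from valueBytesStartIndex onward as hex,
// or null when the cert has no extension with that friendly name (e.g. no AKI on a root).
public static String GetExtensionValueInHexString(X509Certificate2 cert, string oidFriendlyName, int valueBytesStartIndex)
{
    foreach (var extension in cert.Extensions)
    {
        if (string.Equals(extension.Oid.FriendlyName, oidFriendlyName))
        {
            return ConvertBytesToString(extension.RawData.Skip(valueBytesStartIndex).ToArray());
        }
    }
    return null;
}

// Converts bytes to an upper-case hex string, the same format as Thumbprint.
public static string ConvertBytesToString(byte[] bytes)
{
    if (bytes != null)
    {
        var sb = new StringBuilder();
        foreach (var b in bytes)
        {
            var hb = b >> 4;
            sb.Append(hb >= 10 ? (char)(hb - 10 + 'A') : (char)(hb + '0'));
            var lb = b & 0x0F;
            sb.Append(lb >= 10 ? (char)(lb - 10 + 'A') : (char)(lb + '0'));
        }
        return sb.ToString();
    }
    return null;
}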
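The manual thumbprint lookups above can be automated. The following is an added example, not part of the original notes: for every certificate in a -showcerts dump it lists any different certificate in LocalMachine\Root that has the same Subject Key Identifier, which is the situation seen for GTS Root R1 and GlobalSign Root CA - R3. The class name, the helper name and the default file name google.txt (the redirect target used earlier) are assumptions.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

class SameKeyRootFinder   // hypothetical name, added for this example
{
    // Subject Key Identifier as upper-case hex, or null when the extension is absent.
    static string Ski(X509Certificate2 c) =>
        c.Extensions.OfType<X509SubjectKeyIdentifierExtension>()
         .FirstOrDefault()?.SubjectKeyIdentifier;

    static void Main(string[] args)
    {
        // Assumed input: the redirected s_client output, e.g. google.txt.
        string dump = File.ReadAllText(args.Length > 0 ? args[0] : "google.txt");

        // Extract every PEM block, in the order the server sent the certificates.
        var sent = Regex.Matches(dump,
                "-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                RegexOptions.Singleline)
            .Cast<Match>()
            .Select(m => new X509Certificate2(Convert.FromBase64String(m.Groups[1].Value)))
            .ToList();

        using (var roots = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
        {
            roots.Open(OpenFlags.ReadOnly);
            foreach (var cert in sent)
            {
                // Subject == Issuer: a self-issued cert; a cross-signed "root" is not.
                bool selfIssued = cert.SubjectName.RawData.SequenceEqual(cert.IssuerName.RawData);
                Console.WriteLine($"{cert.Thumbprint} {cert.Subject} (self-issued: {selfIssued})");
                string ski = Ski(cert);
                if (ski == null) continue;

                // validOnly = false, so expired store entries are listed as well.
                var sameKey = roots.Certificates
                    .Find(X509FindType.FindBySubjectKeyIdentifier, ski, false)
                    .Cast<X509Certificate2>()
                    .Where(r => r.Thumbprint != cert.Thumbprint);
                foreach (var r in sameKey)
                    Console.WriteLine($"  same SKI in Root store: {r.Thumbprint} {r.Subject}");
            }
        }
    }
}
```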