s_client -showcerts man text misleading: "all certificates in the chain" #4933
The text of
However, when I use
Note that the certificate chain does not include an entry for CN = DST Root CA X3. My understanding of "the whole server certificate chain" is that it includes the certificate of the Root Certificate Authority (CA).
I suspect what is happening is that s_client is showing those certificates which the server sends. This is a reasonable choice, but different from "the whole certificate chain". The server is usually configured to not send the Root CA certificate, because there is not much point. The user won't trust such a certificate just because a server sends it, and the server admin assumes that the user already has a copy in their local store of trusted certificates.
This misunderstanding appears from time to time in user forums about openssl. People expect "the whole chain" to include the CA cert, and it doesn't.
Suggested fix: clarify the wording to say that -showcerts only shows what the server sent.
Also, it would help perhaps to put output in the bottom of the "Certificate chain" section to note that the CA certificate was found in the trusted collection. For example, something like:
Diagnosis: This man text appears to come from
I wrote a branch with documentation clarifications to
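The situation the report describes, reproduced as an added example (it is not part of the issue text, of the linked branch, or of OpenSSL itself). It builds a throwaway three-level PKI with made-up names (Example Root CA, Example Intermediate CA, www.example.test) in a temporary directory, then contrasts the bundle a correctly configured server sends (leaf plus intermediate, no root) with the chain OpenSSL actually verifies once the root is supplied from the local trust store. Because the example must run offline, a file (served.pem) stands in for what `s_client -showcerts` would print for a live server; the file and section names in the script are this example's own choices, not anything from the report.

```shell
#!/bin/sh
# Added example for this issue thread; not part of the issue text or of
# OpenSSL. It builds a throwaway root -> intermediate -> leaf PKI with
# made-up names, then contrasts:
#   1. served.pem: the bundle a sensibly configured server sends (leaf +
#      intermediate, no root), i.e. exactly what `s_client -showcerts` prints;
#   2. the chain `openssl verify -show_chain` builds and trusts, which also
#      contains the root taken from the local trust store (-CAfile).
# Requires the `openssl` CLI (1.1.0 or later for `verify -show_chain`).
set -eu

# Build the demo PKI in directory $1 using a self-contained config so the
# system openssl.cnf is never consulted. Names and files are hypothetical.
make_pki() {
    dir=$1
    cat > "$dir/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    # Self-signed root: plays the role DST Root CA X3 plays in the report,
    # i.e. a certificate that lives only in the client's trust store.
    openssl req -new -x509 -config "$dir/demo.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.pem" \
        -subj "/CN=Example Root CA" -days 3 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/int.key" -out "$dir/int.csr" \
        -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -set_serial 2 -days 3 -extfile "$dir/demo.cnf" -extensions ca_ext \
        -out "$dir/int.pem" 2>/dev/null
    # Server (leaf) certificate, signed by the intermediate.
    openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -set_serial 3 -days 3 -extfile "$dir/demo.cnf" -extensions leaf_ext \
        -out "$dir/leaf.pem" 2>/dev/null
    # What the server sends: leaf first, then the intermediate, and no root.
    # This bundle is all that `s_client -showcerts` can ever show.
    cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/served.pem"
}

# Number of certificates in the bundle the server sends (== -showcerts output).
served_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1/served.pem"
}

# Number of certificates in the chain OpenSSL builds and verifies when the
# root comes from the trust store (-CAfile) and the intermediate is supplied
# as "untrusted", exactly as a server would have sent it.
verified_chain_depth() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
        -show_chain "$1/leaf.pem" | grep -c '^depth='
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_pki "$DEMO_DIR"

echo "certificates the server sends (what -showcerts prints): $(served_cert_count "$DEMO_DIR")"
echo "certificates in the verified chain, root included:      $(verified_chain_depth "$DEMO_DIR")"
echo "--- openssl verify -show_chain ---"
openssl verify -CAfile "$DEMO_DIR/root.pem" -untrusted "$DEMO_DIR/int.pem" \
    -show_chain "$DEMO_DIR/leaf.pem"
```

The served bundle holds two certificates while the verified chain has three; the third (depth=2) is the root that never crossed the wire. Against a live server, `openssl s_client -connect host:443 -showcerts </dev/null` prints the equivalent of served.pem, and the only hint that the root was found locally is the `Verify return code: 0 (ok)` line, which is the gap the report's second suggestion would close.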