How to check with OpenSSL whether an intermediate CA certificate is correctly configured on a web server

Connecting to the web server and retrieving the certificates

root.cer … the root certificate (PEM file)
When the root certificate is specified with "-CAfile", "Verify return code: 20" no longer appears in the result.

openssl s_client -connect www1.example.com:443 -showcerts
openssl s_client -connect www1.example.com:443 -showcerts -CAfile root.cer

Specifying "-quiet" shows only the certificate hierarchy, giving a condensed display.

openssl s_client -connect www1.example.com:443 -quiet
openssl s_client -connect www1.example.com:443 -quiet -CAfile root.cer

Condensed display

○ When the intermediate CA certificate is configured

When the root certificate is specified with "-CAfile", depth=0, 1 and 2 are shown.
depth=2 is the root certificate; it appears because it was passed as an argument.
depth=1 is the intermediate CA certificate, and it was retrieved successfully.
depth=0 is the TLS server certificate.

openssl s_client -connect www1.example.com:443 -quiet
depth=1 C = JP, ST = Tokyo, O = CA, CN = SCA01
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = JP, ST = Tokyo, O = CA, CN = *.example.com
verify return:1

openssl s_client -connect www1.example.com:443 -quiet -CAfile C:\OpenSSL\RCA-PEM.cer
depth=2 C = JP, ST = Tokyo, O = CA, CN = RCA
verify return:1
depth=1 C = JP, ST = Tokyo, O = CA, CN = SCA01
verify return:1
depth=0 C = JP, ST = Tokyo, O = CA, CN = *.example.com
verify return:1

○ When both the intermediate CA certificate and the root certificate are configured

depth=2 is the root certificate.
depth=1 is the intermediate CA certificate.
depth=0 is the TLS server certificate.

openssl s_client -connect www1.example.com:443 -quiet
depth=2 C = JP, ST = Tokyo, O = CA, CN = RCA
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=2 C = JP, ST = Tokyo, O = CA, CN = RCA
verify return:1
depth=1 C = JP, ST = Tokyo, O = CA, CN = SCA01
verify return:1
depth=0 C = JP, ST = Tokyo, O = CA, CN = *.example.com
verify return:1

openssl s_client -connect www1.example.com:443 -quiet -CAfile C:\OpenSSL\RCA-PEM.cer
depth=2 C = JP, ST = Tokyo, O = CA, CN = RCA
verify return:1
depth=1 C = JP, ST = Tokyo, O = CA, CN = SCA01
verify return:1
depth=0 C = JP, ST = Tokyo, O = CA, CN = *.example.com
verify return:1

× When the intermediate CA certificate is not configured

The hierarchy cannot be retrieved, and only depth=0 is shown.

openssl s_client -connect www1.example.com:443 -quiet
depth=0 C = JP, ST = Tokyo, O = CA, CN = *.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = JP, ST = Tokyo, O = CA, CN = *.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = JP, ST = Tokyo, O = CA, CN = *.example.com
verify return:1

openssl s_client -connect www1.example.com:443 -quiet -CAfile C:\OpenSSL\RCA-PEM.cer
depth=0 C = JP, ST = Tokyo, O = CA, CN = *.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = JP, ST = Tokyo, O = CA, CN = *.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = JP, ST = Tokyo, O = CA, CN = *.example.com
verify return:1

Detailed display

○ When the intermediate CA certificate is configured

depth=1 is the intermediate CA certificate.
depth=0 is the TLS server certificate.
Because the root certificate is not specified with "-CAfile", verify error num=20 is reported at depth=1 and the final result is "Verify return code: 20".

openssl s_client -connect www1.example.com:443 -showcerts
CONNECTED(000001B0)
depth=1 C = JP, ST = Tokyo, O = CA, CN = SCA01
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = JP, ST = Tokyo, O = CA, CN = *.example.com
verify return:1
---
Certificate chain
 0 s:C = JP, ST = Tokyo, O = CA, CN = *.example.com
  i:C = JP, ST = Tokyo, O = CA, CN = SCA01
  a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
  v:NotBefore: May 27 02:00:39 2022 GMT; NotAfter: Aug 29 02:00:39 2024 GMT
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
 1 s:C = JP, ST = Tokyo, O = CA, CN = SCA01
  i:C = JP, ST = Tokyo, O = CA, CN = RCA
  a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
  v:NotBefore: May 27 01:57:18 2022 GMT; NotAfter: May 23 01:57:18 2037 GMT
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=C = JP, ST = Tokyo, O = CA, CN = *.example.com
issuer=C = JP, ST = Tokyo, O = CA, CN = SCA01
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3411 bytes and written 402 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
  Protocol : TLSv1.3
  Cipher  : TLS_AES_256_GCM_SHA384
  Session-ID: 7CCC1AE5343957964C9CF9E007A8755D488C8C9BF26F0E53B54B8E455DD07B34
  Session-ID-ctx:
  Resumption PSK: C61050CA4853E39F88DB182E706D814326C4C178A65563079B18E327E924A9F48CBA5F55E641B795338478B47E148D1D
  PSK identity: None
  PSK identity hint: None
  SRP username: None
  TLS session ticket lifetime hint: 300 (seconds)
  TLS session ticket:

  Start Time: 1656361261
  Timeout  : 7200 (sec)
  Verify return code: 20 (unable to get local issuer certificate)
  Extended master secret: no
  Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
  Protocol : TLSv1.3
  Cipher  : TLS_AES_256_GCM_SHA384
  Session-ID: 21E0B3BF719EE05469583A317F4FC290229033678C53B7CA6EFDE67B6964C2E7
  Session-ID-ctx:
  Resumption PSK: B0CB7D04EBA1FCD379B9362AC23D6442067CA36C63ACDC12EAB71DC2AC359DDBF95F3BAC77006D58F1E7A0130B815378
  PSK identity: None
  PSK identity hint: None
  SRP username: None
  TLS session ticket lifetime hint: 300 (seconds)
  TLS session ticket:

  Start Time: 1656361261
  Timeout  : 7200 (sec)
  Verify return code: 20 (unable to get local issuer certificate)
  Extended master secret: no
  Max Early Data: 0
---
read R BLOCK
closed

○ When the intermediate CA certificate is configured (root certificate specified)

depth=2 is the root certificate.
depth=1 is the intermediate CA certificate.
depth=0 is the TLS server certificate.
Because the root certificate was specified with "-CAfile", "Verify return code: 20" is not shown.

openssl s_client -connect www1.example.com:443 -showcerts -CAfile C:\OpenSSL\RCA-PEM.cer
CONNECTED(000001B0)
depth=2 C = JP, ST = Tokyo, O = CA, CN = RCA
verify return:1
depth=1 C = JP, ST = Tokyo, O = CA, CN = SCA01
verify return:1
depth=0 C = JP, ST = Tokyo, O = CA, CN = *.example.com
verify return:1
---
Certificate chain
 0 s:C = JP, ST = Tokyo, O = CA, CN = *.example.com
  i:C = JP, ST = Tokyo, O = CA, CN = SCA01
  a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
  v:NotBefore: May 27 02:00:39 2022 GMT; NotAfter: Aug 29 02:00:39 2024 GMT
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
 1 s:C = JP, ST = Tokyo, O = CA, CN = SCA01
  i:C = JP, ST = Tokyo, O = CA, CN = RCA
  a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
  v:NotBefore: May 27 01:57:18 2022 GMT; NotAfter: May 23 01:57:18 2037 GMT
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=C = JP, ST = Tokyo, O = CA, CN = *.example.com
issuer=C = JP, ST = Tokyo, O = CA, CN = SCA01
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3411 bytes and written 402 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
  Protocol : TLSv1.3
  Cipher  : TLS_AES_256_GCM_SHA384
  Session-ID: FE592F0CF4F7296BD4057810293635E37422D92A539B4C280AD45F56876B821F
  Session-ID-ctx:
  Resumption PSK: A431A0EAEB916D04CC326754279813126097CBF2FDDBAC2D8C509EC384D4DA259E23D192BC5E547EDF051BE1BBEE9C8B
  PSK identity: None
  PSK identity hint: None
  SRP username: None
  TLS session ticket lifetime hint: 300 (seconds)
  TLS session ticket:

  Start Time: 1656361869
  Timeout  : 7200 (sec)
  Verify return code: 0 (ok)
  Extended master secret: no
  Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
  Protocol : TLSv1.3
  Cipher  : TLS_AES_256_GCM_SHA384
  Session-ID: 31660546FE807295AEC45B2FB9F42276E15220F5139D7A2C123F2BE4F39448D6
  Session-ID-ctx:
  Resumption PSK: 3B3C479118FDFC811132C845416131B892BAB75FEFC958CA7F08159A955B41E6DE23DF1DBB225F11760E3D8A08163851
  PSK identity: None
  PSK identity hint: None
  SRP username: None
  TLS session ticket lifetime hint: 300 (seconds)
  TLS session ticket:

  Start Time: 1656361869
  Timeout  : 7200 (sec)
  Verify return code: 0 (ok)
  Extended master secret: no
  Max Early Data: 0
---
read R BLOCK

× When the intermediate CA certificate is not configured

The hierarchy cannot be retrieved, and only depth=0 is shown.

openssl s_client -connect www1.example.com:443 -showcerts
CONNECTED(000001B0)
depth=0 C = JP, ST = Tokyo, O = CA, CN = *.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = JP, ST = Tokyo, O = CA, CN = *.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = JP, ST = Tokyo, O = CA, CN = *.example.com
verify return:1
---
Certificate chain
 0 s:C = JP, ST = Tokyo, O = CA, CN = *.example.com
  i:C = JP, ST = Tokyo, O = CA, CN = SCA01
  a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
  v:NotBefore: May 27 02:00:39 2022 GMT; NotAfter: Aug 29 02:00:39 2024 GMT
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=C = JP, ST = Tokyo, O = CA, CN = *.example.com
issuer=C = JP, ST = Tokyo, O = CA, CN = SCA01
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1907 bytes and written 402 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
  Protocol : TLSv1.3
  Cipher  : TLS_AES_256_GCM_SHA384
  Session-ID: 976AA635054AAA7F19AF7FDCC03B1A72858398C68E70994F31275E64EFA2149F
  Session-ID-ctx:
  Resumption PSK: A9289536A85E4D2B1210220DAD459B759DDDAD955E1137EC333DA19F84F5B20951362CFA3FA993F77CE339C82DFF9EE6
  PSK identity: None
  PSK identity hint: None
  SRP username: None
  TLS session ticket lifetime hint: 300 (seconds)
  TLS session ticket:

  Start Time: 1656364095
  Timeout  : 7200 (sec)
  Verify return code: 21 (unable to verify the first certificate)
  Extended master secret: no
  Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
  Protocol : TLSv1.3
  Cipher  : TLS_AES_256_GCM_SHA384
  Session-ID: 3B6A0B1B8336A526AA4B2430B7E04CAA2EF81666A98BF246DB6B76B78A594A72
  Session-ID-ctx:
  Resumption PSK: 4E8965FE30545A14864F18BB7E2C6FC4773E26E9F0582EEED3C12B5A92F95B67F7E719F7650D9F1B7969371813B85CBC
  PSK identity: None
  PSK identity hint: None
  SRP username: None
  TLS session ticket lifetime hint: 300 (seconds)
  TLS session ticket:

  Start Time: 1656364095
  Timeout  : 7200 (sec)
  Verify return code: 21 (unable to verify the first certificate)
  Extended master secret: no
  Max Early Data: 0
---
read R BLOCK

Status of the issuer certificate

In the part from "Start Time" onward, the result is shown as follows.

#Verification error: the root certificate could not be obtained, so verification failed
  Start Time: 1614050194
  Timeout  : 7200 (sec)
  Verify return code: 20 (unable to get local issuer certificate)
  Extended master secret: no
  Max Early Data: 0

#Verification error: certificate has expired
  Start Time: 1614050490
  Timeout  : 7200 (sec)
  Verify return code: 10 (certificate has expired)
  Extended master secret: no
  Max Early Data: 0

#Normal (shown as Verify return code: 0 (ok))
  Start Time: 1614050272
  Timeout  : 7200 (sec)
  Verify return code: 0 (ok)
  Extended master secret: no
  Max Early Data: 0
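As an added example (not from the original post), the following POSIX shell script applies the same reading to a captured "-showcerts" transcript: it counts the certificates the server sent and maps the final "Verify return code" onto the cases above. The transcript fragments are constructed, and check_server is a hypothetical helper for live use.

```shell
#!/bin/sh
# Added example, not part of the original post: read a captured
# `openssl s_client -showcerts` transcript the way the post reads it by eye.
# It counts the certificates the server actually sent (the " N s:" lines of the
# "Certificate chain" section) and takes the final "Verify return code".

# Constructed transcript fragments modelled on the post's output (not real captures).
CHAIN_WITH_INTERMEDIATE='Certificate chain
 0 s:C = JP, ST = Tokyo, O = CA, CN = *.example.com
   i:C = JP, ST = Tokyo, O = CA, CN = SCA01
 1 s:C = JP, ST = Tokyo, O = CA, CN = SCA01
   i:C = JP, ST = Tokyo, O = CA, CN = RCA
---
Verify return code: 20 (unable to get local issuer certificate)'

CHAIN_WITH_INTERMEDIATE_TRUSTED='Certificate chain
 0 s:C = JP, ST = Tokyo, O = CA, CN = *.example.com
   i:C = JP, ST = Tokyo, O = CA, CN = SCA01
 1 s:C = JP, ST = Tokyo, O = CA, CN = SCA01
   i:C = JP, ST = Tokyo, O = CA, CN = RCA
---
Verify return code: 0 (ok)'

CHAIN_LEAF_ONLY='Certificate chain
 0 s:C = JP, ST = Tokyo, O = CA, CN = *.example.com
   i:C = JP, ST = Tokyo, O = CA, CN = SCA01
---
Verify return code: 21 (unable to verify the first certificate)'

# How many certificates the server sent (leaf only = 1, leaf + intermediate = 2, ...).
served_count() {
  printf '%s\n' "$1" | grep -c '^ *[0-9][0-9]* s:' || true
}

# Numeric value of the last "Verify return code:" line (empty if none).
verify_code() {
  printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1
}

# Map (certificates sent, verify code) onto the cases the post walks through.
classify_chain() {
  n=$(served_count "$1")
  code=$(verify_code "$1")
  case "$n:$code" in
    *:0)       echo "ok" ;;                          # chain complete and trusted
    *:10)      echo "expired" ;;                     # a certificate in the chain has expired
    1:20|1:21) echo "missing-intermediate" ;;        # server sent only the leaf
    *:20)      echo "intermediate-ok-root-untrusted" ;;  # rerun with -CAfile root.cer
    *)         echo "other:$code" ;;
  esac
}

# Hypothetical helper for live use (needs network): check_server www1.example.com:443
check_server() {
  classify_chain "$(openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null)"
}
```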