Find out what CAs a webserver will accept

Here is a handy command to find out which CAs a website accepts. When your website is configured to require client PKI certificates with the SSLVerifyClient require directive, it will only accept client certificates issued by CAs that you trust, as listed in your SSLCACertificateFile directive.

We usually set ours up like this:

SSLCACertificateFile /etc/httpd/ssl/ca-bundle.crt

If you want to verify what is in that file for a remote host without logging in to the server, you can run this command from any client. It acts as a TLS client; during the handshake the server sends the list of CA names it will accept client certificates from, and openssl prints them out. Pretty neat!

openssl s_client -showcerts -connect <host>:<port> -prexit
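As an added example (not from the original post), here is a small POSIX shell script that runs the same s_client query and pulls just the "Acceptable client certificate CA names" block out of the output; parse_accepted_cas and list_accepted_cas are names I made up, and the embedded sample output is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Helper names are invented.

# Read `openssl s_client` output on stdin and print only the CA names the
# server advertised in its CertificateRequest. If the server requested a
# client cert more than once (initial handshake, then renegotiation),
# the last list printed wins. Name format depends on the openssl version.
parse_accepted_cas() {
    awk '
        /^Acceptable client certificate CA names/ { in_block = 1; n = 0; next }
        /^No client certificate CA names sent/    { in_block = 0; next }
        in_block && /^(Client Certificate Types|Requested Signature|Shared Requested|Server Temp Key|---)/ {
            in_block = 0; next
        }
        in_block { names[n++] = $0 }
        END {
            if (n == 0) print "(none sent)"
            else for (i = 0; i < n; i++) print names[i]
        }
    '
}

# Query a live host (needs network). Apache with SSLVerifyClient set per
# directory only asks for the client cert after it has seen the HTTP request,
# so send one and rely on -prexit to print the final session details on exit.
list_accepted_cas() {
    host=$1
    port=${2:-443}
    printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" |
        openssl s_client -connect "$host:$port" -servername "$host" -prexit 2>/dev/null |
        parse_accepted_cas
}

# Constructed sample of s_client output, used to exercise the parser offline.
SAMPLE_OUTPUT='---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Internal CA
C = US, O = Example Corp, CN = Example Root CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256
---'

if [ -n "$1" ]; then
    list_accepted_cas "$@"
else
    printf '%s\n' "$SAMPLE_OUTPUT" | parse_accepted_cas
fi
```

Run it as `sh script.sh www.example.com 443` against a real host, or with no arguments to see the parser work on the embedded sample.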
