1. Openssl S_client Download Ca Certificate
  2. Openssl S_client Download Cert

OpenSSL library, packaged for Visual Studio 2019 (vc142). Compiler: Visual Studio 2019 16.5.4. For a 32-bit system, replace OpenSSL-Win64 with OpenSSL-Win32. Generate Certificates with OpenSSL on Windows Server 2019. You are now ready to use OpenSSL on Windows Server 2019 to generate certificates. Start by exporting OPENSSLCONF. Set OPENSSLCONF=C: OpenSSL-Win64 bin openssl.cfg. For a 32-bit system, replace OpenSSL-Win64 with OpenSSL. OpenSSL: open Secure Socket Layer protocol Version. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

6 min readOpenssl

A good TLS setup includes providing a complete certificate chain to your clients. This means that your web server is sending out all certificates needed to validate its certificate, except the root certificate. This is best practice and helps you achieving a good rating from SSL Labs. In a normal situation, your server certificate is signed by an intermediate CA. With this, your complete certificate chain is composed of the Root CA, intermediate CA and server certificate.

You do get signed your certificate by an intermediate CA and not the Root CA, because the Root CA is normally an offline CA. As the name suggests, the server is offline, and is not capable of signing certificates. Its certificate is included into the build-in root CA list of clients (browsers).The intermediate CA is online, and it`s task is to sign certificates. Compared to the root CA, its own certificate is not included in the built-in list of certificates of clients. Of course, the web server certificate is also not part of this list. For a client to verify the certificate chain, all involved certificates must be verified. Server certificate by intermediate CA, which is verified by Root CA. Client already has the root CA certificate, and at least gets the server certificate. Missing certificate therefore is the one of the intermediate CA.

When a client connects to your server, it gets back at least the server certificate. To validate this certificate, the client must have the intermediate CA. For this, he will have to download it from the CA server. The root CA is pre-installed and can be used to validate the intermediate CA. Well, it should download. But not all server certificates include the necessary information, or the client cannot download the missing certificate (hello firewall!). In that case, it is not possible to validate the server`s certificate. Therefore the server should include the intermediate CA in the response.

Now the client has all the certificates at hand to validate the server. In case more than one intermediate CAs are involved, all the certificates must be included. The chain is N-1, where N = numbers of CAs.

Verify certificate chain with OpenSSL

Enough theory, let`s apply this IRL. Use OpenSSL to connect to a HTTPS server (using my very own one here in the example).


If you cannot interpret the result: it failed. Verify return code:20 means that openssl is not able to validate the certificate chain. The certificate chain can be seen here:

  • 0: the certificate of the server
  • 1: the certificate of the CA that signed the servers certificate (0)
  • s: is the name of the server, while I is the name of the signing CA. To get a clearer understanding of the chain, take a look at how this is presented in Chrome:

The certificates send by my server include its own and the StartCom Class 1 DV Server CA.

Server certificate:

StartCom Class 1 DV Server CA

OpensslOpenssl client download

Missing: Root CA: StartCom Certificate Authority. This is the Root CA and already available in a browser. It`s not available in OpenSSL, as the tool comes without a list of trusted CAs. To “install” the root CA as trusted, OpenSSL offers two paramters:

  • CAfile. Point to a single certificate that is used as trusted Root CA
  • CApath. Point to a directory with certificates going to be used as trusted Root CAs.

I will use the CAfile parameter. For this, I`ll have to download the CA certificate from StartSSL (or via Chrome).


Return code is 0. Now it worked. OpenSSL was able to validate all certificates and the certificate chain is working.

More resources

To perform certain cryptographic operations (creation of a private key, generation of a CSR, conversion of a certificate ...)on a Windows computer we can use the OpenSSL tool.

  • Go to this website: Download link for OpenSSL

  • Go down in the page and choose the version (in .EXE):
    • Win64 OpenSSL v1.X.X : if your OS is 64 bits
    • Win32 OpenSSL v1.X.X : if your OS is 32 bits

  • For some versions of Windows systems, you may need to install 'Visual C ++ 2008 Redistributable'.

Use OpenSSL on a Windows machine

By default, OpenSSL for Windows is installed in the following directory:

  • if you have installed Win64 OpenSSL v1.X.X: C:Program FilesOpenSSL-Win64
  • if you have installed Win32 OpenSSL v1.X.X: C:Program Files (x86)OpenSSL-Win32

To launch OpenSSL, open a command prompt with administrator rights.

b)Generate the private key (.key) and the CSR (Certificate Signing Request)

As part of obtaining (or renewing or reissue) a certificate, you will have to generate a private key and the associated CSR. To do this we advise you to use our online wizard to execute the OpenSSL command with the adequate parameters.
Open a command prompt with Administrators rights (right click - Run as ...). Go to the 'bin' subdirectory from the OpenSSL installation folder.

Example of the command to execut:

Save and keep safe the file containing the private key (.key, and copy / paste only the contents of the file .csr file in the order form.

Issues encountered on Windows while generating a CSR via one command

According to the version of OpenSSL you installed or to the the installation method on Windows, you may encounter error messages such as:

  • config or req is not recognized as an internal or external command
    Check the syntax and the quotes when executing your command.

  • Unable to load config info from /usr/local/ssl/openssl.cnf
    OpenSSL relies here on a Linux default arborescence.

Troubleshooting: execute simplified commands:

- To launch the command prompt, go to the start menu and execute 'cmd'.
- To paste the following command lines in dos command prompt, right click and select paste.
- To go to the repertory in which is installed OpenSSL, execute:

  • The private key is generated with the following command. Define a file name that suits you:
  • then use this command to generate the CSR:
    or this one:

    On some platforms, theopenssl.cnf that OpenSSL reads by default to create the CSR is not good or nonexistent.In this case you can download ourand place it, for example, in C:Program FilesOpenSSL-Win64openssl.cnf:

    • For DigiCert or Thawte server certificates: openssl-dem-server-cert-thvs.cnf
    • For TBS X509 or Sectigo server certificates: openssl-dem-server-cert.cnf

  • You'll be asked by the system to fill-in fields ; Fill them in and respect the instructions (more information onObtain a server certificate)
    Country Name (2 letter code) []: (FR for example)
    State or Province Name (full name) [Some-State]: (the name of your state in full letters)
    Locality Name (eg, city) []: (the name of your city)
    Organization Name (eg, company) []: (the name of your organization)
    Organizational Unit Name (eg, section) []: (let blank - advised - or provide a generic term such as 'IT department')
    Common Name (eg, YOUR name) []: (the name of the site to be secured)
    Email Address []: (let blank)
    Let the other fields blank, they are optional.

So you get 2 files: site-file.key and site-file.csr. Keep the private key file (site-file.key) securely, then copy / paste the content of the site-file.csr file into the order form at TBS CERTIFICATES.
Warning: Never send us or a third party the private key (site-file.key) otherwise the security of your site may no longer be ensured.

OpenSSL: cases of uses

Openssl S_client Download Ca Certificate

OpenSSL is the toolbox mainly used by opensource software for SSL implementation.

  • Generate your command line withour CSR creation assistant tool.

Last edited on 10/21/2020 15:07:17 --- [search]

Openssl S_client Download Cert

© TBS INTERNET, all rights reserved. All reproduction, copy or mirroring prohibited. Legal notice. -- Powered by anwiki
Coments are closed

Most Viewed Posts

  • Databricks Join Dataframes
  • Now My Address
  • Custom Sigil
  • Mediband Paint Pro

Scroll to top