Dealing with certificates

Certificates must be in PEM format, and they may need to be hashed so that OpenSSL can find the correct certificate.

To find out which server certificate is required

To find out which server root certificate is required by a secured website or web service, use the OpenSSL command openssl s_client -showcerts -connect host:port. For example:

openssl s_client -showcerts -connect ccapi.client.qvalent.com:443

The output of the command contains the certificate chain that is used by the secured connection. Look for the words “Certificate chain”. Under these words you find text that resembles this:

 0 s:/C=AU/ST=NSW/L=Wallsend/O=QVALENT Pty Ltd/OU=Terms of use at www.verisign.com/rpa (c)00/CN=ccapi.client.qvalent.com
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
---

The issuer of each certificate (the line prefixed with “i:” in the output) is the subject (the line prefixed with “s:”) of the certificate that is next in the chain.

The required root certificate is the one whose subject equals the issuer of the last certificate in the chain.
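
The two rules above can be checked mechanically. The following script is an added example, not part of the original page: it reads s_client output, verifies that each issuer matches the next subject, and prints the subject of the required root certificate. The function names are hypothetical and the sample input is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original page). Reads the output of
# `openssl s_client -showcerts` on stdin and prints the subject of the
# root certificate that is required.

# Constructed sample: the "Certificate chain" section shown above,
# with the certificate bodies left empty.
sample_chain() {
cat <<'EOF'
Certificate chain
 0 s:/C=AU/ST=NSW/L=Wallsend/O=QVALENT Pty Ltd/OU=Terms of use at www.verisign.com/rpa (c)00/CN=ccapi.client.qvalent.com
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
EOF
}

# Exit status: 0 = root subject printed, 1 = no chain found,
# 2 = an issuer does not match the next certificate's subject.
required_root_subject() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---$/  { in_chain = 0 }      # separator that ends the chain
    in_chain && /^ *[0-9]+ s:/ {
      subj = $0; sub(/^ *[0-9]+ s:/, "", subj)
      # The previous issuer must be the subject of this certificate.
      if (n > 0 && subj != issuer) broken = 1
      n++
    }
    in_chain && /^ *i:/ { issuer = $0; sub(/^ *i:/, "", issuer) }
    END {
      if (n == 0) exit 1
      if (broken) exit 2
      print issuer    # issuer of the last certificate = required root subject
    }
  '
}

# Live use (needs network access):
#   openssl s_client -showcerts -connect host:port </dev/null | required_root_subject
sample_chain | required_root_subject
```

A non-zero exit status means the output contained no chain (1) or the chain was not in issuer-to-subject order (2), in which case the printed issuer should not be relied on.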