49

So I've googled quite a bit for this but it appears that my google-fu fails me - apologies if this is a trivial and already answered question, I could not find anything about this.

I'm trying to diagnose an SSL certificate hostname mismatch. When I visit the URL in question, it redirects me to another page that has the correct SSL certificate. However, some clients are reporting that they are receiving an SSL certificate hostname mismatch error. My only assumption is that the redirecting page has the wrong certificate and some clients are letting it slide because it resolves with a new page that has the correct certificate.

(The how and why of the issue isn't really the question)

The question:

From the outside in (aka, as a client in the world) - how would one view the certificate that was delivered by a page that automatically redirects to another page?

6 Answers

49

Use openssl s_client piped to openssl x509:

$ openssl s_client -connect foo.example.com:443 < /dev/null | openssl x509 -text

(Add -servername foo.example.com to the s_client command if the server uses SNI.)

The redirection of stdin from /dev/null for the first invocation of openssl will prevent it from hanging waiting for input.

EEAA
  • 110,608
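An added example, not part of the answer above: the same handshake-only fetch as the openssl command, in Python, followed by the hostname check a client performs on the certificate it receives. It assumes the redirecting host's chain is trusted and only the name is wrong; `fetch_cert`, `check_host` and the sample certificate are constructed for illustration.

```python
import socket
import ssl
import sys

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "www.example.net"),),),
    "subjectAltName": (("DNS", "www.example.net"), ("DNS", "*.example.net")),
}

def fetch_cert(host, port=443, timeout=5.0):
    """TLS handshake only (SNI = host); no HTTP request, so no redirect is followed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still validated; the name check is done below
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def dns_names(cert):
    """DNS entries of subjectAltName; current clients ignore the subject CN."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, host):
    """Exact match, or '*' as the whole leftmost label covering exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_host(cert, host):
    """Return (matches, names) for the certificate one host presented."""
    names = dns_names(cert)
    return any(name_matches(n, host) for n in names), names

if __name__ == "__main__":
    # With a hostname argument, inspect the live server; otherwise use the sample.
    host = sys.argv[1] if len(sys.argv) > 1 else "foo.example.com"
    cert = fetch_cert(host) if len(sys.argv) > 1 else CONSTRUCTED_CERT
    ok, names = check_host(cert, host)
    print(f"{host}: {'match' if ok else 'MISMATCH'}; certificate covers {names}")
```

Run it once with the redirecting hostname and once with the redirect target to see which of the two presents a certificate that does not cover its own name.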
19

In Firefox 57, if you open the Developer Tools and go to the Network tab:

  1. Make sure Persist Logs is checked
  2. Visit the URL of interest
  3. Click on the top row (i.e., the one corresponding to the request to the server you're interested in, which resulted in the redirect response)
  4. Click on the Security tab (half-way down, still within Network)

This will let you view certificate info such as the issuee common name, issuer details, validity period and fingerprints.

This worked for me on a site responding with a 301 redirect to another HTTPS website. (Unfortunately the accepted answer just gave me the certificate for the final destination page.)

mpavey
  • 433
  • 4
  • 6
6

Also, there is a graphical tool for Windows with detailed text trace: SSL Certificate Verifier Tool and tool description: Verifying The SSL Certificates with a tool and here is an example of how it handles redirects:


Crypt32
  • 7,461
1

Try mangling the URL so it fails to redirect, e.g.: https://www.example.com/>

Depending on the server you may be able to hit a URL that returns an error instead of redirecting. For example, if you're visiting an IIS server, appending > to the URL will show an error page, but the cert can then be viewed in the normal way as this prevents the redirect from occurring.

Myster
  • 233
1

Attempting this again today, what worked for me on Windows was:

  1. Go to https://www.ssllabs.com/ssltest/ and enter the domain (not URL) you want the certificate for.
  2. Let the SSL report process.
  3. In the output click the Download server certificate button.
  4. Save the output to a *.cer file.
  5. Double-click the file and voila!


0

As an alternative to the separate programs mentioned in other answers, you can also disable automatic redirection in your browser.

The option to do this varies by browser, here are methods for Firefox and Chrome:

jpa
  • 414