ShowSSL: A Beginner’s Guide to Viewing SSL Certificate Details

ShowSSL: A Beginner’s Guide to Viewing SSL Certificate Details

Understanding SSL/TLS certificates is essential for secure web communication. ShowSSL is a simple tool that helps you inspect certificate details for a given hostname and port. This guide explains what ShowSSL reveals, why those details matter, and how to use it effectively.

What ShowSSL Shows

• Certificate subject and issuer: Who the certificate is for and which Certificate Authority (CA) issued it.
• Validity period: Not Before and Not After dates; indicates whether the certificate is currently valid.
• Public key and signature algorithm: Key type/size (RSA, ECDSA) and hash algorithm (SHA-256, etc.).
• Certificate chain: The server certificate plus any intermediate and root certificates presented.
• Subject Alternative Names (SANs): Domains and subdomains the certificate covers.
• Extensions and usages: Key Usage, Extended Key Usage (e.g., serverAuth), and other critical flags.
• Fingerprints: SHA-1 and SHA-256 hashes for quick verification.
• Protocol and cipher details (if available): TLS version and negotiated cipher suite for the connection.

Why These Details Matter

• Security verification: Ensure the cert is issued by a trusted CA and is within its validity window.
• Hostname coverage: SANs confirm the certificate actually covers the requested domain.
• Algorithm strength: Public key size and signature algorithm affect resistance to attacks.
• Chain completeness: Missing intermediates can cause trust failures in some clients.
• Troubleshooting: Fingerprints and chain info help diagnose mismatches, expired certs, or misconfigurations.

How to Use ShowSSL (basic workflow)

1. Run ShowSSL against a host and port (default HTTPS port 443).
2. Review the top-level certificate subject and issuer to confirm identity.
3. Check the validity period to ensure the certificate is not expired or not-yet-valid.
4. Inspect SANs to confirm domain coverage.
5. Examine the certificate chain to ensure intermediates are present and trusted.
6. Note public key type/size and signature algorithm for security posture.
7. Save fingerprints if you need to verify the same certificate later.

Example Commands and Output (conceptual)

• Command: showssl example.com:443
• Expected output snippets:
  • Subject: CN=example.com
  • Issuer: CN=Example CA
  • Valid: 2025-01-01 to 2026-01-01
  • SANs: example.com, www.example.com
  • Public Key: RSA (2048 bits)
  • Signature: sha256WithRSAEncryption
  • Chain: leaf → intermediate CA → root CA
  • Fingerprints: SHA256:

Common Issues You’ll Detect

• Expired certificates — leads to browser/security warnings.
• Hostname mismatch — SANs don’t include the requested domain.
• Incomplete chain — missing intermediate certificates cause some clients to fail validation.
• Weak algorithms or small keys — indication to rotate to stronger keys or algorithms.
• Self-signed certificates — acceptable in some internal contexts but not generally trusted.

Practical Tips

• Always test both the hostname and any alternate hostnames (www vs non-www).
• Use ShowSSL in scripts to automate periodic certificate checks and alerts.
• Compare fingerprints before and after certificate rotations to confirm updates.
• Combine ShowSSL checks with online CT logs and OCSP/CRL status checks for revocation information.

Next Steps

• Add ShowSSL to a monitoring pipeline for expiry alerts.
• Learn to parse ShowSSL output programmatically for automated reports.
• Explore complementary tools (OpenSSL s_client, browser devtools) for deeper debugging.

This beginner’s guide covers the essentials you’ll get from ShowSSL and why each piece of information matters. Use the workflow and tips above to inspect and maintain SSL/TLS certificates confidently.