how s_client present client certificate chain

Question

I am trying to test whether my certs and server certs work correctly by using openssl s_client.

openssl s_client -cert mycert -key mykey -CAfile CA.cert -connect host:name

But this tool only allow you to present my certificate, rather than the whole chain. If the server only trust the the root CA, rather than all intermediate CAs, this command will fail.

Does any body know how to get around this issue, i.e. How can present the whole client certificate chain to server

Also, are there any command that can test ssl connection with java keystore and truststore?

Answer 1

The -CAfile can actually contain more than one certificate if you use a PEM file. Simply copy and paste the root certificate plus any intermediate certificates in that file, then s_client will correctly present the entire chain instead of only the end entity certificate.

I don't know of a command line tool for testing SSL connections with Java, but it shouldn't be that hard to write your own using Http(s)URLConnection and a custom SSLSocketFactory.

Answer 2

You can use SSH Secure Shell from here as a command line tool for testing SSL connections with Java.