Home / server / Questions / 1153517
Accepted
Clay Nichols
Asked: 2024-02-14 03:53:50 +0800 CST

When does this SSL expire?

  • 772

Below are the results from testing the SSL at https://www.ssllabs.com/ssltest/index.html enter image description here

It looks like we have two certificates. Am I reading that right? Does the SSL service (CloudFlare.com) that's using the certificate point to a particular Certificate?

ssl-certificate

2 Answers

  1. Best Answer

    What I can see here in the screenshot is an X.509 cert chain for a domain bungalowsoftware.com.

    Typically the server during TLS handshake will send the leaf cert and intermediate CA certs - between 1 and n. The root CA cert technically could be sent as well, but I don't think this is a common practice.

    You can see the same thing using openssl in your terminal:

    echo "" | openssl s_client -connect bungalowsoftware.com:443       
Connecting to 172.67.139.219
CONNECTED(00000006)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X2
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E1
verify return:1
depth=0 CN=bungalowsoftware.com
verify return:1
---
Certificate chain
 0 s:CN=bungalowsoftware.com
   i:C=US, O=Let's Encrypt, CN=E1
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jan 27 00:26:00 2024 GMT; NotAfter: Apr 26 00:25:59 2024 GMT
 1 s:C=US, O=Let's Encrypt, CN=E1
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X2
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C=US, O=Internet Security Research Group, CN=ISRG Root X2
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 3 s:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   i:O=Digital Signature Trust Co., CN=DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
...

    Expiry date of your leaf cert is Apr 26 00:25:59 2024 GMT.

    • 6

  2. That certificate expires on 26 April 2024.

    The other certificates are the intermediate CAs E1 (Let's encrypt) and ISRG Root X2, and the root CA ISRG Root X1 trust anchor bundled in the certificate chain. Those are not yours.

    A browser might show another, cross-signed root CA ISRG X2. Intermediate CA certificates should be bundled and sent along, root CA shouldn't as some mobile clients won't like them and it's of no use anyway as trust anchor need to be present in the client.

    • 5