It seems more and more of the general population is starting to take notice of SSL. They expect websites to use it (and are quick to point out when they’re not). I’m excited that people are recognizing when a site uses SSL and I’m eager to take that knowledge even further. Beyond just triggering the padlock and HTTPS in browsers, there’s quite a bit more going on within the details of an SSL Certificate.
What Can You Learn from Digging into the Certificate Details?
There’s a lot of information in a certificate, including basic things like:
- Validity Period.
- Issuing Certificate Authority (CA).
- Subject (the domain it was issued to and depending on the type of certificate, identifying information about the company operating the site).
Certificate contents also cover technical aspects, such as:
- Key Usage.
- CRL Information.
- Signing and Hashing Algorithms Underlying the Encryption.
This information can be found from right within your browser! Clearly, the importance of these things is going to vary person to person and I don’t expect everyone to start diving into the certificate of every site they visit, but I do want to raise awareness that this type of information exists and how to find it. So let’s get to it.
How to View SSL Certificate Details
Since browsers are updated fairly regularly and SSL presentation in particular is currently undergoing quite a lot of change, I will be updating the sections below as new versions are released. I've noted the versions I used for testing, but for the most part, the same steps should apply for older versions as well.
Chrome - Desktop(v.63)
I'm very excited that Chrome has brought back the ability to access certificate details right from the main browser interface. This functionality disappeared for a little while (~v55 - v60) and you had to go through a few mouse clicks to find this info, but now it's very easy. Hooray!
1. Click the padlock in the URL bar. This will trigger a dropdown; click the "Valid" link in the Certificate section.
EV Certificate in Chrome 68
2. This will bring up the Certificate window where you can click through to your heart’s content. Certificate contents (e.g. subject, validity period, algorithms) are on the “Details” tab.
Certificate details in Chrome
Chrome - Mobile
Similar to the desktop version, the Android Chrome app makes it pretty easy to dive into certificate details.
1. Click the padlock icon next to the URL. Then click the "Details" link.
SSL Certificate in Android Chrome App v.67
2. From here you can see some more information about the certificate and encrypted connection, including the issuing CA and some of the cipher, protocol, and algorithm information. To view details more details about the certificate itself, including the validity period and subject details, click "Certificate Information".
SSL Connection Details in Android Chrome App v.67
3. You can view details for the other certificates in the path by clicking on the dropdown menu highlighted below.
Full Certificate Details in Android Chrome App v.67
Unfortunately, as of this writing at least, it doesn't look like you are able to view much of anything about certificates in the iOS version of Chrome. If you click the padlock icon, you can see the name of the CA that issued the certificate, but that's it. We hope this functionality is added to future versions of the app.
SSL Certificate in iOS Chrome App v.68
The latest version of Firefox provides a little more information about the certificate directly in the main browser interface, with the ability to dive into further details with just a few clicks.
1. Clicking the padlock in the address bar brings up a preliminary dropdown that indicates a secure connection when properly configured SSL is in place. Click the arrow to the right of the dropdown to view more information about the certificate.
EV Certificate in Firefox 61
2. In the case of Extended Validation (EV) Certificates, you can see some identifying information about the organization operating the site. For non-EV Certificates (Domain Validated and Organization Validated), you will only see which Certificate Authority (CA) issued the certificate - the “Verified by:” section at the bottom of the pop-up. Click the "More Information" link to view more details.
EV Certificate in Firefox
Non-EV (OV) Certificate in Firefox
3. This brings you to the security details of the page, where you’ll find more information about the website identity (for EV Certificates, the company name will be listed as the owner) and the protocols, ciphers and keys underlying the encryption.
Page info of a site using EV in Firefox
4. If you want even more details about the certificate (and who doesn’t?), just click “View Certificate.” On the “Details” tab, you’ll find the certificate hierarchy and can dig through the certificate fields. Have fun!
Certificate details in Firefox
Internet Explorer (v.11)
Like Firefox, IE provides some certificate information from the main interface.
1. Clicking the padlock brings up the issuing CA (“GlobalSign has identified this site as:”) and a note that the connection to the server is encrypted. There is also some identifying information but again this varies between EV vs. non-EV (DV or OV) Certificates. EV Certificates contain the company name and location, while DV and OV only show the domain.
EV Certificate in IE 11
Non-EV (OV) Certificate in IE 11
2. Clicking the “View Certificates” link at the bottom of the pop up takes you right to the certificate details window. Similar to Chrome, certificate contents (e.g. subject, validity period, algorithms) are on the “Details” tab.
Certificate details window in IE
Bad news for Edge users - there is currently no way to view certificate details using the browser. While some information from the certificate is displayed if you click the padlock, including the Root CA the certificate chains up to and some of the subject information, there is unfortunately no way to view the full certificate path or other details such as validity period, signing algorithms, and Subject Alternative Names (SANs). We hope Microsoft adds this functionality into future versions, but until then, here's how to view the information they do include.
1. Click the padlock to view some information from the certificate.
EV Certificate in Edge
DV Certificate in Edge
As you can see in the screenshots above, the type and amount of subject info shown depends on the type of certificate the site is using - EV and OV Certificates display the verified company information included in the certificate's subject fields, but since DV Certificates only vouch for domain ownership, only the domain name is displayed.
Safari (v.11) - MacOSX
Note: As of this writing, there is no way to view certificate details in mobile (iOS) Safari.
1. Click on the padlock (you must click the padlock icon specifically; clicking elsewhere will just make the URL appear) to view more details about your connection to the website. If the site is using an EV Certificate, the name of the issuing CA, the company's name, and the company's address will also be shown. Click the "Show Certificate" button to view more information.
EV Certificate in Safari
Non-EV (OV) Certificate in Safari
2. You can now see the certificate path, expiration date, and validity. To view additional details, including subject, signing algorithms, and other certificate goodies, click "Details".
Certificate Details in Safari
So there you have it; now you can dive into certificates no matter what browser you’re using. Happy inspecting and safe and secure browsing!
p.s. As I said above, I will try and keep this post updated with the latest browser versions, but if you see I’ve fallen behind, please feel free to give me a friendly nudge in the comments.