2

This is a part of curl's verbose output when connecting to the HTTPS site of Google.

* Server certificate:
*        subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
*        start date: 2014-03-12 09:38:30 GMT
*        expire date: 2014-06-10 00:00:00 GMT
*        subjectAltName: www.google.com matched
*        issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*        SSL certificate verify ok.

From this output is it possible to find out if a website using DV, OV or EV certificates?

I find that it is easy to identify EV certificates as their issuer: field contains either Extended Validation CA or EV CA. But how does one differentiate DV from OV?

A.Jesin
  • 408
  • 2
  • 7
  • Not really a dupe, but related: [How does an end user differentiate between OV and DV certificates?](http://security.stackexchange.com/q/35076/20074) The fields that indicate if it's DV or OV should show same values as in GUI, tho those values are often not really clear and each CA marks those differently. There are some commonalities tho. Check my edit to that answer or the last comment for more info ;) – TildalWave Apr 03 '14 at 11:04

1 Answers1

0

You can only make assumptions based on the contents of the Organization field (DV certificate will either have the domain or "Persona Not Validated" in the organization name field) or in the policy identifier if it is there. Certificate issuers do not follow any unified scheme to differentiate OV vs DV. So, with cURL, you will have to do write your own checks of these fields to get a best guess. More information in this possible duplicate question: How does an end user differentiate between OV and DV certificates?

Community
  • 1
mcgyver5
  • 6,807
  • 2
  • 24
  • 45