
If you run the following command:

    openssl s_client -showcerts -connect services.americanexpress.com:443

you will get output that looks like:

    CONNECTED(00000005)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
    verify return:1
    depth=0 C = US, ST = Arizona, L = Phoenix, O = American Express Company, CN = services.americanexpress.com
    verify return:1
    write W BLOCK
    ---
    Certificate chain
     0 s:/C=US/ST=Arizona/L=Phoenix/O=American Express Company/CN=services.americanexpress.com
       i:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
    -----BEGIN CERTIFICATE-----
    MIIHEjCCBfqgAwIBAgIQCbC9MsGd9mdEtuXO/DGOAjANBgkqhkiG9w0BAQsFADBP
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
    aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjA3MDYwMDAwMDBa
    Fw0yMzA3MDUyMzU5NTlaMHsxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25h
    MRAwDgYDVQQHEwdQaG9lbml4MSEwHwYDVQQKExhBbWVyaWNhbiBFeHByZXNzIENv
    bXBhbnkxJTAjBgNVBAMTHHNlcnZpY2VzLmFtZXJpY2FuZXhwcmVzcy5jb20wggEi
    MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLy6vuSG/Jlfb9jeOyz0bqE3Tf
    OT2Zo+pkQrR7tY3RczxHXcDQdNMrwOsmWA7saCo1DFcd7PoGkH6sKqz2Kv0UMcsQ
    AngMTEyRIZ34DZ45ZGPX5VIgpXskPSmQ3duRW7zl9oOZn5Jvd8A4xFRL3WSe9MeY
    ZQSKHl7jeWkLZrlfhLTjHS6QRg5zHEcvS7AfpXWhydHDc3yIcmUY+l7wd0nlIRKz
    hGTYX1Ba6rvgK4RcLgTvUz650h8XtDL8Vv6PIv4ImWN3F3Wp0ePR8vgjUut3LGSf
    xqvpPoV15DNvUPXdInKU18K43crFevozOp5iZX5xQ5CfwUbao32eWlx8tvphAgMB
    AAGjggO8MIIDuDAfBgNVHSMEGDAWgBS3a6LqqKqEjHnqtNoPmLLFlXa59DAdBgNV
    HQ4EFgQU4BPjsflC74cIb9T0OQk7YTIgL6YwZgYDVR0RBF8wXYIcc2VydmljZXMu
    YW1lcmljYW5leHByZXNzLmNvbYIec2VydmljZXNpbi5hbWVyaWNhbmV4cHJlc3Mu
    Y29tgh1zZXJ2aWNlczIuYW1lcmljYW5leHByZXNzLmNvbTAOBgNVHQ8BAf8EBAMC
    BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMIGPBgNVHR8EgYcwgYQw
    QKA+oDyGOmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU1JTQVNI
    QTI1NjIwMjBDQTEtNC5jcmwwQKA+oDyGOmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNv
    bS9EaWdpQ2VydFRMU1JTQVNIQTI1NjIwMjBDQTEtNC5jcmwwPgYDVR0gBDcwNTAz
    BgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20v
    Q1BTMH8GCCsGAQUFBwEBBHMwcTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGln
    aWNlcnQuY29tMEkGCCsGAQUFBzAChj1odHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5j
    b20vRGlnaUNlcnRUTFNSU0FTSEEyNTYyMDIwQ0ExLTEuY3J0MAkGA1UdEwQCMAAw
    ggF/BgorBgEEAdZ5AgQCBIIBbwSCAWsBaQB3AOg+0No+9QY1MudXKLyJa8kD08vR
    EWvs62nhd31tBr1uAAABgdVNIEYAAAQDAEgwRgIhAIltUKNyg1kJ3+1xUC40HW6S
    /otj5im5yVD6G1pSAyCjAiEA5bfLcR1k2DdoXXe/Tg1JSQG1sN9N0cZZk6CHkpg8
    3TIAdwA1zxkbv7FsV78PrUxtQsu7ticgJlHqP+Eq76gDwzvWTAAAAYHVTR+zAAAE
    AwBIMEYCIQDgzd/95jefN+UyGr04eZO/x1ttQ5xfami3esD95ZzXtgIhANT1C92j
    KddTtXZxe+MU5kBBur5yxZzUmePpJOONcKaSAHUAs3N3B+GEUPhjhtYFqdwRCUp5
    LbFnDAuH3PADDnk2pZoAAAGB1U0f3wAABAMARjBEAiAz2JIifsNXa2kiBASCHa7q
    RvePn5Y8cTG/HYe99ZitvAIgUXIZhLpAqgiC8xB3xY1SV7I6BT5TdJlo+4vBPB/x
    lrswDQYJKoZIhvcNAQELBQADggEBAHcsOzr4L4KogGkqIttiddki/hxfNwZzxhed
    wjFPzPVw0R1RgboxKCJA0eMotzNSRhAvxC4kzdWFRnXlEYdaKyTCNgMv7/FOnPBk
    Xea1RLvxveaxlmsXYtJXrBYsxG8XISIv+w9YBSpqtvAUdLEoBqg2uBFX5DdM2GqF
    ZQZlXPMBm6Td3MKuwtqYgRo7HJ20jcL5oTIrqf1X48WR0TilE7Lm/0g+czqWXHGo
    8OcBUSnJeliO2OhwgK4v8QSzryI0nB83cDDJ4ib7DTIKVi7419TEKkObAgt6YhAY
    FusWc1ckH5Y78LmhZYRNoUFccKro5+b/cZvC7bD0yXRoyS6ajNk=
    -----END CERTIFICATE-----
     1 s:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
    -----BEGIN CERTIFICATE-----
    MIIEvjCCA6agAwIBAgIQBtjZBNVYQ0b2ii+nVCJ+xDANBgkqhkiG9w0BAQsFADBh
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
    QTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaME8xCzAJBgNVBAYTAlVT
    MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERpZ2lDZXJ0IFRMUyBS
    U0EgU0hBMjU2IDIwMjAgQ0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
    AQEAwUuzZUdwvN1PWNvsnO3DZuUfMRNUrUpmRh8sCuxkB+Uu3Ny5CiDt3+PE0J6a
    qXodgojlEVbbHp9YwlHnLDQNLtKS4VbL8Xlfs7uHyiUDe5pSQWYQYE9XE0nw6Ddn
    g9/n00tnTCJRpt8OmRDtV1F0JuJ9x8piLhMbfyOIJVNvwTRYAIuE//i+p1hJInuW
    raKImxW8oHzf6VGo1bDtN+I2tIJLYrVJmuzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGB
    Afr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6JWvHgXjkkDKa77SU+kFbnO8lwZV21r
    eacroicgE7XQPUDTITAHk+qZ9QIDAQABo4IBgjCCAX4wEgYDVR0TAQH/BAgwBgEB
    /wIBADAdBgNVHQ4EFgQUt2ui6qiqhIx56rTaD5iyxZV2ufQwHwYDVR0jBBgwFoAU
    A95QNVbRTLtm8KPiGxvDl7I90VUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQG
    CCsGAQUFBwMBBggrBgEFBQcDAjB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGG
    GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2Nh
    Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNydDBCBgNV
    HR8EOzA5MDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRH
    bG9iYWxSb290Q0EuY3JsMD0GA1UdIAQ2MDQwCwYJYIZIAYb9bAIBMAcGBWeBDAEB
    MAgGBmeBDAECATAIBgZngQwBAgIwCAYGZ4EMAQIDMA0GCSqGSIb3DQEBCwUAA4IB
    AQCAMs5eC91uWg0Kr+HWhMvAjvqFcO3aXbMM9yt1QP6FCvrzMXi3cEsaiVi6gL3z
    ax3pfs8LulicWdSQ0/1s/dCYbbdxglvPbQtaCdB73sRD2Cqk3p5BJl+7j5nL3a7h
    qG+fh/50tx8bIKuxT8b1Z11dmzzp/2n3YWzW2fP9NsarA4h20ksudYbj/NhVfSbC
    EXffPgK2fPOre3qGNm+499iTcc+G33Mw+nur7SpZyEKEOxEXGlLzyQ4UfaJbcme6
    ce1XR2bFuAJKZTRei9AqPCCcUZlM51Ke92sRKw2Sfh3oius2FkOH6ipjv3U/697E
    A7sKPPcw7+uvTPyLNhBzPvOk
    -----END CERTIFICATE-----
     2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
    -----BEGIN CERTIFICATE-----
    MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
    QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
    MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
    b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
    9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
    CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
    nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
    43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
    T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
    gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
    BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
    TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
    DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
    hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
    06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
    PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
    YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
    CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=US/ST=Arizona/L=Phoenix/O=American Express Company/CN=services.americanexpress.com
    issuer=/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
    ---
    Acceptable client certificate CA names
    /C=US/ST=Texas/L=Irving/O=Epsilon Data Management, LLC/CN=AMEX-LE.epsilon.com
    /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
    /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
    /C=US/O=TravelPass Group, LLC/CN=Merchant Service Auth/emailAddress=merch-amex-auth@travelpassgroup.com
    /C=US/O=TPG/CN=TPG Client Authentication and Encryption CA R2
    /C=US/O=TPG/CN=TPG Root CA D2
    /CN=aiu.intelliwebservices.com
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
    /C=DE/ST=Bayern/L=Muenchen/O=Siemens AG/CN=ihub.gss.siemens.com
    /C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G3
    /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 G3
    /C=US/ST=Massachusetts/L=Whitinsville/O=Unibank for Savings/CN=UniBank-AMEX-ssl-2022.bank.ufsbancorp.com
    /C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
    /C=US/ST=California/L=San Francisco/O=Wells Fargo & Company/CN=risedp.wellsfargo.com
    /C=US/O=Wells Fargo & Company/OU=Organization Validated TLS/CN=Wells Fargo Public Trust Certification Authority 01 G2
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
    /jurisdictionCountryName=US/jurisdictionStateOrProvinceName=New York/businessCategory=Private Organization/serialNumber=188055/C=US/ST=Arizona/L=Phoenix/O=American Express Company/CN=winares.webservice.americanexpress.com
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
    /businessCategory=Private Organization/jurisdictionCountryName=US/jurisdictionStateOrProvinceName=Illinois/serialNumber=000622/street=350 S NORTHWEST HWY #300/postalCode=60068/C=US/ST=ILLINOIS/L=PARK RIDGE/O=Accenture LLP/OU=Servers/CN=VA500018.dir.svc.accenture.com
    /C=US/ST=Colorado/L=Centennial/O=Open Technology Solutions, LLC/CN=BETHPAGEprodSSL.open-techs.com
    /C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
    /C=US/ST=Georgia/L=Atlanta/jurisdictionCountryName=US/jurisdictionStateOrProvinceName=Florida/O=Interactive Communications International Inc/businessCategory=Private Organization/serialNumber=P09000046480/CN=partner-amexglobalsanctions-certauth-prod.servevirtual.net
    /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2014 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1M
    /C=US/ST=Colorado/L=Centennial/O=Open Technology Solutions, LLC/CN=SECUprodSSL.open-techs.com
    /businessCategory=Private Organization/jurisdictionCountryName=US/jurisdictionStateOrProvinceName=New York/serialNumber=188055/C=US/ST=Arizona/L=Phoenix/O=American Express Company/CN=e3.gfessalesforce.americanexpress.com
    /C=CA/ST=Ontario/L=Toronto/O=Bank of Nova Scotia/CN=mnfcp01.scotiabank.com
    /C=GB/L=Cheadle/O=Conferma Limited/CN=cas438.conferma.com
    /jurisdictionCountryName=BH/businessCategory=Private Organization/serialNumber=27813-1/C=BH/L=Manama/O=AMEX (MIDDLE EAST) B.S.C. (CLOSED)/CN=secure.americanexpress.com.bh
    /jurisdictionCountryName=US/jurisdictionStateOrProvinceName=New York/businessCategory=Private Organization/serialNumber=188055/C=US/ST=Arizona/L=Phoenix/O=American Express Company/CN=e3.merchantgeo.americanexpress.com
    /C=US/ST=Texas/L=Irving/O=Epsilon Data Management, LLC/CN=amex-prod-axp-msgsign-request.epsilon.com
    /CN=cardprovider.webjet.com.au
    /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
    /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
    /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
    /C=IL/L=Tel Aviv-Yafo/O=PREMIUM EXPRESS LTD/CN=AmexWalletProdX1.americanexpress.co.il
    /C=US/ST=Georgia/L=Atlanta/jurisdictionCountryName=US/jurisdictionStateOrProvinceName=Florida/O=Interactive Communications International Inc/businessCategory=Private Organization/serialNumber=P09000046480/CN=ecommerce-amex.incomm.com
    /C=US/ST=California/L=Menlo Park/O=Facebook, Inc./CN=prod.amex.fbclientcerts.com
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
    /jurisdictionCountryName=US/jurisdictionStateOrProvinceName=New York/businessCategory=Private Organization/serialNumber=188055/C=US/ST=Arizona/L=Phoenix/O=American Express Company/CN=blueskyredeem.americanexpress.com
    /C=US/ST=Georgia/L=Atlanta/jurisdictionCountryName=US/jurisdictionStateOrProvinceName=Delaware/O=Delta Air Lines, Inc./businessCategory=Private Organization/serialNumber=654427/CN=datapower.apisoa.delta.com
    /C=US/ST=Florida/L=Tampa/O=Syniverse Technologies, LLC/CN=momutual.mes.syniverse.com
    /OU=Domain Control Validated/CN=es1wwits1.xfcu.org
    /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
    /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
    /businessCategory=Private Organization/jurisdictionCountryName=US/jurisdictionStateOrProvinceName=Delaware/serialNumber=2154254/C=US/ST=New York/L=New York/O=Citigroup Inc./CN=consumersoa.citi.com
    /jurisdictionCountryName=AU/businessCategory=Private Organization/serialNumber=084 571 040/C=AU/ST=New South Wales/L=North Sydney/O=TransAction Solutions Ltd/CN=amex.prod.tasmsp.com
    /CN=amexprod-needham.needhambank.com
    /C=US/ST=Washington/L=Bellevue/O=Expedia, Inc./CN=app-ws-amex.orbitz.net
    /CN=tm-services.tenconcierge.net
    /C=US/O=DigiCert Inc/CN=GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
    /C=DE/ST=Bayern/L=Muenchen/O=Siemens AG/CN=ihub.gss.siemens.com
    /businessCategory=Private Organization/jurisdictionCountryName=US/jurisdictionStateOrProvinceName=New York/serialNumber=188055/C=US/ST=Arizona/L=Phoenix/O=American Express Company/OU=TIMS/CN=salesapp-e3-signing.aexp.com
    /C=US/ST=Georgia/L=Atlanta/O=Delta Air Lines, Inc./CN=datapower.apisoa.delta.com
    /CN=client.e3.amex.ezrez.com
    /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
    /C=AU/ST=New South Wales/L=Kingscliff/O=Southern Cross Credit Union LTD/OU=IT/CN=amexfx-ssl.sccu.com.au
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID CA
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
    /C=GB/L=London/jurisdictionCountryName=JE/O=Experian PLC/businessCategory=Private Organization/serialNumber=93905/CN=smspartnerintegration.csid.com
    /C=US/ST=Minnesota/L=Richfield/O=US Bank/OU=ISS/CN=prod-esd-identity.usbank.com
    /C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
    /OU=Domain Control Validated/CN=*.mylinkables.com
    /C=TW/ST=Taipei/L=Taipei/O=Mitake Information Corporation/OU=IT/CN=*.mitake.com.tw
    /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Organization Validation Secure Server CA
    /jurisdictionCountryName=US/jurisdictionStateOrProvinceName=Illinois/businessCategory=Private Organization/serialNumber=000622/C=US/ST=ILLINOIS/L=Chicago/O=Accenture LLP/CN=VA701051.dir.svc.accenture.com
    /C=US/ST=Connecticut/L=Lakeville/O=Salisbury Bank and Trust Company/CN=wtprod.salisburybank.com
    /C=US/ST=Missouri/L=Monett/O=JHA/OU=TS-Enterprise Shared Svcs Ops/CN=DLI-ProductionE3-MutualAuth.sts.jha-sys.com
    /DC=com/DC=jkhy/CN=ETSMMOMNPKICA02-CA
    /CN=ETSMMOMNPKIOR02-CA
    /C=US/ST=New Jersey/O=American Express Global Business Travel/CN=integration.amexgbt.com
    /CN=pieapi.points.com
    /C=US/ST=Texas/L=San Antonio/O=USAA Inc./OU=USAA/CN=amex-client.usaa.com
    /C=US/ST=North Carolina/L=Mooresville/O=Lowes Companies Inc/CN=datapower.lowes.com
    /jurisdictionCountryName=US/jurisdictionStateOrProvinceName=New York/businessCategory=Private Organization/serialNumber=188055/C=US/ST=Arizona/L=Phoenix/O=American Express Company/CN=e3.gcpsalesforce.americanexpress.com
    /C=US/ST=Arizona/L=Phoenix/O=American Express Company/CN=GNS.PPP.E3.Service.aexp.com
    /O=American Express Company/CN=CertaaS OnDemand Issuing CA
    /O=American Express Company Inc./CN=AXP BlueCerts Ent Medium Policy CA II
    /O=American Express Company Inc./CN=Amex Internal Root CA
    /C=DE/ST=Berlin/L=Berlin/O=Market Logic Software AG/CN=amex-hr-auth.marketlogicsoftware.com
    /businessCategory=Private Organization/jurisdictionCountryName=US/jurisdictionStateOrProvinceName=New York/serialNumber=188055/C=US/ST=Arizona/L=Phoenix/O=American Express Company/OU=Global Risk Technology/CN=winares.webservice.americanexpress.com
    /C=US/ST=Texas/L=Southlake/O=Sabre GLBL Inc./CN=amex-prod.tripcase.com
    /UID=A01410C00000170655B4FF800003722/CN=Michael Jensen/O=TravelPass Group LLC/C=US
    /C=US/O=IdenTrust/CN=TrustID CA A13
    /C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
    /C=US/ST=Wisconsin/L=Brookfield/O=Fiserv, Inc./CN=Outbound-SOA-BPS-mtls-Prod.fiservapps.com
    /C=US/postalCode=32204/ST=Florida/L=Jacksonville/street=601 Riverside Ave/O=Fidelity National Information Services, Inc./OU=Sedgwick Tech Services/OU=Hosted by Fidelity National Information Services/OU=Enterprise SSL Pro/CN=uscol2k3wzp01.ufac-claims.com
    /C=US/ST=Washington/L=Bellevue/O=Expedia, Inc/CN=app-ws-amex.orbitz.net
    /CN=*.mgage.com
    /C=CA/ST=Ontario/L=Kanata/O=epost/CN=client.epost.ca
    /CN=amexprod-sbdanbury.sbdanbury.com
    /businessCategory=Private Organization/jurisdictionCountryName=US/jurisdictionStateOrProvinceName=New York/serialNumber=188055/C=US/ST=Arizona/L=Phoenix/O=American Express Company/CN=vrp-transport.americanexpress.com
    /jurisdictionCountryName=US/jurisdictionStateOrProvinceName=Delaware/businessCategory=Private Organization/serialNumber=2187578/C=US/ST=Florida/L=Tampa/O=Syniverse Technologies, LLC/CN=proxy.gmip.syniverse.com
    /businessCategory=Private Organization/jurisdictionCountryName=US/jurisdictionStateOrProvinceName=New York/serialNumber=188055/C=US/ST=Arizona/L=Phoenix/O=American Express Company/OU=GCST/CN=vpay.aexp.com
    /CN=*.quicksign.fr
    /CN=sraxp-ssl-prd.shoprunner.net
    /CN=api-prod.swifttrip.com
    /C=TW/ST=Taipei/O=Mitake Information Corporation/CN=aexp.mitake.com.tw
    /C=US/ST=Florida/L=Tampa/O=Syniverse Technologies, LLC/CN=*.mes.syniverse.com
    /jurisdictionCountryName=US/jurisdictionStateOrProvinceName=New York/businessCategory=Private Organization/serialNumber=188055/C=US/ST=Arizona/L=Phoenix/O=American Express Company/CN=stg.americanexpress.com.sa
    /C=US/ST=Texas/L=Austin/O=Hill Country Class 3, LLC/CN=api.silencershop.com
    /jurisdictionCountryName=US/jurisdictionStateOrProvinceName=New York/businessCategory=Private Organization/serialNumber=188055/C=US/ST=Arizona/L=Phoenix/O=American Express Company/CN=e3.gfessalesforce.americanexpress.com
    /OU=Domain Control Validated/CN=www.agency-technology.com
    /C=US/ST=Colorado/L=Centennial/O=Open Technology Solutions, LLC/CN=BELLCOprodSSL.open-techs.com
    /C=US/ST=North Carolina/L=Mooresville/O=Lowes Companies Inc/CN=*.lowes.com
    /C=US/ST=Georgia/L=Atlanta/jurisdictionCountryName=US/jurisdictionStateOrProvinceName=Florida/O=Interactive Communications International Inc/businessCategory=Private Organization/serialNumber=P09000046480/CN=ECOMMERCE-AMEX.INCOMM.COM
   pany/CN=CoE.SFDC.Service.aexp.com
    /OU=Domain Control Validated/CN=uscoachwaysonline.com
    /CN=tb-prod.qionline.com
    /C=com
    /C=IL/L=Tel Aviv/O=Isracard LTD./CN=pwsp.isracard.co.il
    /CN=uscoachwaysonline.com
    /jurisdictionCountryName=US/jurisdictionStateOrProvinceName=New York/businessCategory=Private Organization/serialNumber=188055/C=US/ST=Arizona/L=Phoenix/O=American Ex8154/ST=Nebraska/L=Omaha/street=11808 Miracle Hills Dr/O=West Corporation/OU=IT/CN=amexe3transport.salelytics.com
    /C=US/ST=DE/L=Wilmington/O=Corporation Service Company/CN=Trusted Secure Certificate Authority 5
    /C=IL/L=Bnei Brak/O=Premium Express Ltd/CN=AmexWalletProdX1.americanexpress.co.il
    /jurisdictionCountryName=US/jurisdictionStateOrProvinceName=New York/businessCategory=Private Organization/serialNumber=188055/C=US/ST=Arizona/L=Phoenix/O=American Express Company/CN=travelinsiders.americanexpress.com
    /C=US/ST=Connecticut/L=Shelton/OU=IT/O=LIFECARE, INC./CN=aesoa.lifecare.com
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 32108 bytes and written 425 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: CE4EB9B18991A621769D1A8F5040FD625829375990698AE792F07E21D02FF47E
        Session-ID-ctx: 
        Master-Key: 43C42CC32FDF088AE557EFF71252C610C08133D489B37932B75BDCD123CF3CC23418DDB674E776F62062D4DDF0927561
        TLS session ticket lifetime hint: 600 (seconds)
        TLS session ticket:
        0000 - 4c 35 fe 51 ae 40 f1 63-15 29 a3 95 a4 3c 52 99   L5.Q.@.c.)...<R.
        0010 - b2 88 81 81 37 29 ad fe-0f a8 ea 83 93 57 44 51   ....7).......WDQ
        0020 - 8d 3c e4 f2 e3 14 d9 e3-95 23 5f 1b 8f 39 62 58   .<.......#_..9bX
        0030 - cf e7 c9 b7 55 ba 06 97-11 b9 10 7c 3d e9 23 12   ....U......|=.#.
        0040 - 40 32 96 8d c6 41 7a 0d-10 24 e6 94 67 83 a5 ce   @2...Az..$..g...
        0050 - 89 2a b6 42 a9 44 d6 96-5d 5f 01 e2 01 b2 f7 99   .*.B.D..]_......
        0060 - 36 26 3d 46 8a 73 ac b2-68 35 3d 97 98 dd 1e fb   6&=F.s..h5=.....
        0070 - a7 b5 29 a9 a5 43 a8 6e-93 35 8e 36 af 48 f8 5e   ..)..C.n.5.6.H.^
        0080 - 0c 27 63 29 aa 4f a3 64-52 12 bb c6 82 3c 8e 51   .'c).O.dR....<.Q
        0090 - 98 70 82 a4 65 49 52 5d-63 2f cd d4 ff 55 23 73   .p..eIR]c/...U#s
        00a0 - ed 4a ba 85 e0 8a c5 5b-1d a1 67 04 d0 d6 71 b2   .J.....[..g...q.
    
        Start Time: 1686166751
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---
    
    
    read:errno=0

If I only want to parse out the first certificate block that looks like:

-----BEGIN CERTIFICATE-----
MIIHEjCCBfqgAwIBAgIQCbC9MsGd9mdEtuXO/DGOAjANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjA3MDYwMDAwMDBa
Fw0yMzA3MDUyMzU5NTlaMHsxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25h
MRAwDgYDVQQHEwdQaG9lbml4MSEwHwYDVQQKExhBbWVyaWNhbiBFeHByZXNzIENv
bXBhbnkxJTAjBgNVBAMTHHNlcnZpY2VzLmFtZXJpY2FuZXhwcmVzcy5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLy6vuSG/Jlfb9jeOyz0bqE3Tf
OT2Zo+pkQrR7tY3RczxHXcDQdNMrwOsmWA7saCo1DFcd7PoGkH6sKqz2Kv0UMcsQ
AngMTEyRIZ34DZ45ZGPX5VIgpXskPSmQ3duRW7zl9oOZn5Jvd8A4xFRL3WSe9MeY
ZQSKHl7jeWkLZrlfhLTjHS6QRg5zHEcvS7AfpXWhydHDc3yIcmUY+l7wd0nlIRKz
hGTYX1Ba6rvgK4RcLgTvUz650h8XtDL8Vv6PIv4ImWN3F3Wp0ePR8vgjUut3LGSf
xqvpPoV15DNvUPXdInKU18K43crFevozOp5iZX5xQ5CfwUbao32eWlx8tvphAgMB
AAGjggO8MIIDuDAfBgNVHSMEGDAWgBS3a6LqqKqEjHnqtNoPmLLFlXa59DAdBgNV
HQ4EFgQU4BPjsflC74cIb9T0OQk7YTIgL6YwZgYDVR0RBF8wXYIcc2VydmljZXMu
YW1lcmljYW5leHByZXNzLmNvbYIec2VydmljZXNpbi5hbWVyaWNhbmV4cHJlc3Mu
Y29tgh1zZXJ2aWNlczIuYW1lcmljYW5leHByZXNzLmNvbTAOBgNVHQ8BAf8EBAMC
BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMIGPBgNVHR8EgYcwgYQw
QKA+oDyGOmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU1JTQVNI
QTI1NjIwMjBDQTEtNC5jcmwwQKA+oDyGOmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNv
bS9EaWdpQ2VydFRMU1JTQVNIQTI1NjIwMjBDQTEtNC5jcmwwPgYDVR0gBDcwNTAz
BgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20v
Q1BTMH8GCCsGAQUFBwEBBHMwcTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGln
aWNlcnQuY29tMEkGCCsGAQUFBzAChj1odHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5j
b20vRGlnaUNlcnRUTFNSU0FTSEEyNTYyMDIwQ0ExLTEuY3J0MAkGA1UdEwQCMAAw
ggF/BgorBgEEAdZ5AgQCBIIBbwSCAWsBaQB3AOg+0No+9QY1MudXKLyJa8kD08vR
EWvs62nhd31tBr1uAAABgdVNIEYAAAQDAEgwRgIhAIltUKNyg1kJ3+1xUC40HW6S
/otj5im5yVD6G1pSAyCjAiEA5bfLcR1k2DdoXXe/Tg1JSQG1sN9N0cZZk6CHkpg8
3TIAdwA1zxkbv7FsV78PrUxtQsu7ticgJlHqP+Eq76gDwzvWTAAAAYHVTR+zAAAE
AwBIMEYCIQDgzd/95jefN+UyGr04eZO/x1ttQ5xfami3esD95ZzXtgIhANT1C92j
KddTtXZxe+MU5kBBur5yxZzUmePpJOONcKaSAHUAs3N3B+GEUPhjhtYFqdwRCUp5
LbFnDAuH3PADDnk2pZoAAAGB1U0f3wAABAMARjBEAiAz2JIifsNXa2kiBASCHa7q
RvePn5Y8cTG/HYe99ZitvAIgUXIZhLpAqgiC8xB3xY1SV7I6BT5TdJlo+4vBPB/x
lrswDQYJKoZIhvcNAQELBQADggEBAHcsOzr4L4KogGkqIttiddki/hxfNwZzxhed
wjFPzPVw0R1RgboxKCJA0eMotzNSRhAvxC4kzdWFRnXlEYdaKyTCNgMv7/FOnPBk
Xea1RLvxveaxlmsXYtJXrBYsxG8XISIv+w9YBSpqtvAUdLEoBqg2uBFX5DdM2GqF
ZQZlXPMBm6Td3MKuwtqYgRo7HJ20jcL5oTIrqf1X48WR0TilE7Lm/0g+czqWXHGo
8OcBUSnJeliO2OhwgK4v8QSzryI0nB83cDDJ4ib7DTIKVi7419TEKkObAgt6YhAY
FusWc1ckH5Y78LmhZYRNoUFccKro5+b/cZvC7bD0yXRoyS6ajNk=
-----END CERTIFICATE-----

What Linux command can I run to do so?

I have tried the following:

    openssl s_client -showcerts -connect services.americanexpress.com:443 | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'

However, this command gives me all the certificate blocks, not the first one as desired. How can I fix the command to only output the first certificate block (including the begin/end markers)?

user1068636
  • Also https://stackoverflow.com/questions/63072851/how-to-extract-only-the-first-instance-of-a-number-of-lines-between-two-strings – Marijn Jun 07 '23 at 20:09
  • And on [Unix.SE] various options like https://unix.stackexchange.com/questions/180663/how-to-select-first-occurrence-between-two-patterns-including-them, https://unix.stackexchange.com/questions/530834/how-to-select-first-occurrence-from-between-two-patterns-including-them – Marijn Jun 07 '23 at 20:11
  • Good call @Marijn. I was able to figure it out using the links you posted. How do I mark your answer as correct? – user1068636 Jun 07 '23 at 20:25
  • Not the question asked, but this particular problem could be solved by not using `-showcerts`, then `openssl s_client` only prints the PEM block for the first certificate (it does still print the other protocol and session info you might, or might not, want or need to remove). X != Y. – dave_thompson_085 Jun 07 '23 at 21:16
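
An added example, not part of the original question or its comments: a shell function that prints only one complete PEM block from `openssl s_client -showcerts` output and stops reading once it has it. It goes slightly beyond the question by selecting the Nth block, not just the first. The names `nth_cert`, `first_cert` and `sample_s_client_output` are hypothetical, and the sample input is constructed with placeholder bodies instead of real certificates.

```sh
#!/bin/sh
# Typical use with the command from the question (not run here):
#   openssl s_client -showcerts -connect services.americanexpress.com:443 \
#       </dev/null 2>/dev/null | first_cert
# </dev/null gives s_client an immediate EOF so it exits after the handshake.

# nth_cert N: print the Nth complete PEM certificate block found on stdin
# (1 = the certificate the server presents for itself) and stop reading.
# Exit status is 1 when fewer than N complete blocks are present, so a
# truncated or empty capture is reported instead of silently passing.
nth_cert() {
    awk -v want="${1:-1}" '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1; buf = "" }
        inblock {
            sub(/^[ \t]+/, "")        # tolerate indented copies of the output
            buf = buf $0 "\n"
        }
        inblock && /-----END CERTIFICATE-----/ {
            inblock = 0
            # Only blocks that reached their END marker are counted.
            if (++n == want) { printf "%s", buf; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    '
}

# first_cert: the case asked about, the first block including both markers.
first_cert() { nth_cert 1; }

# Constructed sample in the layout s_client prints; bodies are placeholders.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000005)
---
Certificate chain
 0 s:/CN=leaf.example.test
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAFLEAFLEAF
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATE
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=leaf.example.test
EOF
}

# Demo on the constructed sample: prints the three lines of the first block.
sample_s_client_output | first_cert
```

The extracted block can be piped into `openssl x509 -noout -subject -enddate` to inspect it.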
