When using Kaspersky Anti-Virus Personal Root Certificate, can you view the website's certificate?

firefox ssl anti-virus certificate kaspersky

5,178

When using Kaspersky Anti-Virus Personal Root Certificate, can you view the website's certificate?
... is it possible to view the SSL certificate for the website itself?

You should be able to, but you have to do it outside the browser. For example, here's Google using OpenSSL's s_client:

$ openssl s_client -connect www.google.com:443 -tls1 -servername www.google.com | openssl x509 -text -noout

...
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3497310530607939837 (0x3088f165e61e80fd)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Validity
            Not Before: Feb 11 11:17:05 2016 GMT
            Not After : May 11 00:00:00 2016 GMT
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d4:90:20:6e:c9:e9:f7:1b:ce:57:59:b3:ee:45:
                    13:e1:e0:d1:7d:68:b2:05:69:c0:e1:0d:77:2c:89:
                    10:ea:b4:0a:d9:d5:5b:8d:a9:ac:9a:98:2b:b6:33:
                    1d:ba:53:8b:e0:1a:df:d9:01:fe:83:24:3f:6d:af:
                    0a:4b:c5:e0:de:75:7e:76:81:19:e0:c4:a8:ae:1f:
                    09:21:40:31:43:a7:52:d7:53:9c:f2:69:cc:2f:78:
                    ef:39:d8:ad:d4:b2:4b:7d:8c:c5:70:8b:90:c7:48:
                    f9:57:c2:69:85:b9:ba:4b:cb:17:f4:b1:1a:a9:e6:
                    50:60:ca:78:5a:7a:16:91:44:a9:56:4e:59:0f:93:
                    0d:23:a1:53:3c:5b:47:38:9d:76:ff:f7:b2:c2:ce:
                    fd:09:d7:49:48:5e:39:fb:71:e8:b8:90:59:44:ed:
                    85:14:15:a1:4b:67:a7:66:40:3b:04:58:0a:6c:06:
                    aa:df:71:f2:02:74:82:14:ad:4c:98:5a:09:53:82:
                    1e:40:2b:36:78:7e:31:8e:36:20:c5:c8:59:9a:dd:
                    8b:8e:24:2b:9e:8d:4f:94:d6:6b:0d:a2:7e:5e:a4:
                    7d:14:ac:c0:8a:17:5c:7a:c8:00:46:9c:24:75:50:
                    a5:be:ec:51:d1:60:99:2f:6d:94:17:77:ce:63:09:
                    01:29
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:www.google.com
            Authority Information Access: 
                CA Issuers - URI:http://pki.google.com/GIAG2.crt
                OCSP - URI:http://clients1.google.com/ocsp

            X509v3 Subject Key Identifier: 
                4F:C7:02:93:EC:46:43:9C:34:43:03:3E:CB:18:CB:4E:7A:B4:0E:DE
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.11129.2.5.1
                Policy: 2.23.140.1.2.2

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://pki.google.com/GIAG2.crl

    Signature Algorithm: sha256WithRSAEncryption
         19:5a:93:63:e9:3b:8a:f2:80:01:70:a9:02:8a:51:84:23:3b:
         94:77:9b:4a:e1:38:d4:a1:8c:51:1d:67:79:a1:03:b5:1f:0d:
         c7:77:d8:52:64:92:55:77:c0:d9:0e:1c:6a:ff:f2:a9:56:04:
         66:90:66:ca:e1:21:4a:45:cd:06:09:64:23:58:75:3f:84:23:
         7b:d1:c9:bb:d8:b2:d0:4f:f2:4a:09:9d:6e:cf:14:2a:8b:8e:
         52:f7:a6:8b:16:14:bc:13:71:e7:b0:50:e8:a0:04:c0:c7:c6:
         89:13:67:19:a0:41:da:99:83:48:bb:ed:e3:f5:b4:29:bf:bc:
         2b:95:2c:3b:54:ca:cf:5a:df:00:51:47:2d:cd:5a:7d:fb:e0:
         15:bf:34:9e:a0:8b:ff:ba:80:57:e0:d3:c5:71:12:df:48:49:
         98:13:d1:95:ef:68:b4:f4:50:77:0e:51:3e:98:e5:8f:31:57:
         a4:6a:8f:73:0b:9d:b4:ec:db:4d:04:c2:6a:ad:ec:5c:ac:02:
         3a:0a:c1:96:f3:2a:53:02:f3:7a:19:94:17:80:ff:0f:4e:5d:
         19:f4:b9:18:ba:89:dd:62:5d:01:39:da:4a:28:f8:32:39:84:
         69:ef:5d:3b:5c:d0:9d:38:10:30:93:7b:2c:ee:0b:a2:9f:e5:
         17:0c:cf:81

You can clear the verify error:num=20:unable to get local issuer certificate issue using the -CAfile option:

$ openssl s_client -connect www.google.com:443 -tls1 -servername www.google.com -CAfile GeoTrust-Root.pem

5,178

Author by

user3169

Updated on September 18, 2022

Comments

user3169 over 1 year

Use of Kaspersky Anti-Virus Personal Root Certificate with Firefox is discussed in this post, Which CA issued certificate for https://www.google.com.

My question is (other than for google.com) is it possible to view the SSL certificate for the website itself?
I don't want to disable this function, but as far as I can tell you can only view the Kaspersky Root Certificate.
- Ramhound about 8 years
  
  No; Because the certificate used isn't the real certificate. It is the Kaspersky certificate. "I don't want to disable this function, but as far as I can tell you can only view the Kaspersky Root Certificate." - You should it breaks HTTPS.
- user3169 about 8 years
  
  So only the Kaspersky certificate is used between my browser and the target website?
- Ramhound about 8 years
  
  Correct; Hence the reason the feature breaks HTTPS.