How to publicly check SSL certificate update on the origin server which is masked by CDN certificate | Community
Skip to main content
Nitesh-Chavan
Nitesh-Chavan
Level 3
May 12, 2025
Question

How to publicly check SSL certificate update on the origin server which is masked by CDN certificate

  • May 12, 2025
  • 2 replies
  • 937 views

Hello People, 

Good Day!

I have a question with SSL certificate deployment in AEM origin servers. 

The certificates are renewed on Origin server and we need to validate this change publicly. We can check the same using web based tools as well as chrome's security option. 

But the website uses a CDN in between general public and Origin server so the Origin server SSL certificate get's masked by the CDN's SSL certificate and both platform has different certificate authorities. 

We have a option to check this implementation directly on the AEM dispatchers or using a Akamai Support team accessible tool, But I want to know if we have any web based tool or any command with which we can check the validity of the Origin server SSL certificate, if it is masked by the CDN. 

Any suggestions idea's will be appreciated. 

Thanks in Advance.

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

2 replies

AmitVishwakarma
Community Advisor
AmitVishwakarmaCommunity Advisor
Community Advisor
May 12, 2025

Hi @nitesh-chavan ,

1. Use curl with --resolve to Bypass the CDN

This method tricks curl into bypassing the CDN and directly hitting your origin server while preserving the correct Host header (which is key for TLS SNI-based certs).

Command:

curl -v https://yourdomain.com --resolve yourdomain.com:443:ORIGIN_IP

Example:

curl -v https://www.example.com --resolve www.example.com:443:192.0.2.10

This forces the request to go directly to the origin server at 192.0.2.10, but with the domain still set to www.example.com, so the SSL certificate returned is from the origin.

What to Look For:

Check the output lines:

* SSL certificate verify ok. * subject: CN=origin.example.com * start date: May 10 00:00:00 2025 GMT * expire date: Aug 10 23:59:59 2025 GMT * issuer: C=US; O=Let's Encrypt; CN=R3

This method works even behind Akamai or Cloudflare, as long as you know the origin IP (can be dispatcher, ELB, or publisher).

 

2. Use openssl s_client with SNI and IP

You can also verify using OpenSSL to directly connect to the origin:

openssl s_client -connect ORIGIN_IP:443 -servername yourdomain.com

Example:

openssl s_client -connect 192.0.2.10:443 -servername www.example.com

Look for:

subject=CN=... and issuer=... in the certificate section

Verify return code: 0 (ok) for successful verification

 

Regards,
Amit

    Nitesh-Chavan
    Nitesh-ChavanAuthor
    Level 3
    May 22, 2025

    Hi @amitvishwakarma 

     

    Good Day!

    I tried both of the methods, but unfortunately none of them works. 

    I am giving the exact commands I have used as per your suggestion.

    Please note I am masking the IP addresses for security reasons.


    Method 1 :- Curl Command

    curl -v https://www.averydennison.com --resolve www.averydennison.com:443:1*.**.1*8.*7* 

    The output I am getting after hitting the above command is as per below. 

    * Added www.averydennison.com:443:1*.**.1*8.*7* to DNS cache
    * Hostname www.averydennison.com was found in DNS cache
    * Trying 1*.**.1*8.*7*:443...
    * connect to 1*.**.1*8.*7*  port 443 from 0.0.0.0 port 50281 failed: Timed out
    * Failed to connect to www.averydennison.com port 443 after 21059 ms: Could not connect to server
    * closing connection #0
    curl: (28) Failed to connect to www.averydennison.com port 443 after 21059 ms: Could not connect to server



    Method 2 :- Openssl Command

    openssl s_client -connect 1*.**.1*8.*7* :443 -servername www.averydennison.com

     


    The output I am getting after hitting the above command is as per below. 


    'openssl' is not recognized as an internal or external command,
    operable program or batch file.

    joerghoh
    Adobe Employee
    joerghohAdobe Employee
    Adobe Employee
    May 18, 2025

    Is this AEM Cloud Service? In that case you cannot bypass the CDN from an external endpoint (for security reasons), and therefor you are unable to connect to the origin endpoints (which the CDN itself is connecting to).

      Supriya_Savre
      Supriya_Savre
      Level 4
      May 22, 2025

      Hi @nitesh-chavan,

      Did the shared solution help you out? Please let us know if you need more information. Otherwise kindly consider marking the most suitable answer as ‘correct’.

      If you've discovered a solution yourself, we would appreciate it if you could share it with the community.

       

        Terms & ConditionsAccessibility statement

        Loading footer...