

How to publicly check SSL certificate update on the origin server which is masked by CDN certificate


Level 3

Hello People, 

Good Day!

I have a question about SSL certificate deployment on AEM origin servers.

The certificates have been renewed on the origin server and we need to validate this change publicly. We can check this using web-based tools as well as Chrome's security option.

But the website uses a CDN between the general public and the origin server, so the origin server's SSL certificate gets masked by the CDN's SSL certificate, and both platforms have different certificate authorities.

We have the option to check this implementation directly on the AEM dispatchers or using a tool accessible to the Akamai Support team, but I want to know if there is any web-based tool or any command with which we can check the validity of the origin server's SSL certificate when it is masked by the CDN.

Any suggestions or ideas will be appreciated.

Thanks in Advance.


6 Replies


Community Advisor

Hi @Nitesh-Chavan ,

1. Use curl with --resolve to Bypass the CDN

This method tricks curl into bypassing the CDN and directly hitting your origin server while preserving the correct Host header (which is key for TLS SNI-based certs).

Command:

curl -v https://yourdomain.com --resolve yourdomain.com:443:ORIGIN_IP

Example:

curl -v https://www.example.com --resolve www.example.com:443:192.0.2.10

This forces the request to go directly to the origin server at 192.0.2.10, but with the domain still set to www.example.com, so the SSL certificate returned is from the origin.

What to Look For:

Check the output lines:

*  SSL certificate verify ok.
*  subject: CN=origin.example.com
*  start date: May 10 00:00:00 2025 GMT
*  expire date: Aug 10 23:59:59 2025 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3

This method works even behind Akamai or Cloudflare, as long as you know the origin IP (can be dispatcher, ELB, or publisher).

 

2. Use openssl s_client with SNI and IP

You can also verify using OpenSSL to directly connect to the origin:

openssl s_client -connect ORIGIN_IP:443 -servername yourdomain.com

Example:

openssl s_client -connect 192.0.2.10:443 -servername www.example.com

Look for:

subject=CN=... and issuer=... in the certificate section

Verify return code: 0 (ok) for successful verification

 

Regards,
Amit


Level 3

Hi @AmitVishwakarma 

 

Good Day!

I tried both of the methods, but unfortunately neither of them works.

I am giving the exact commands I used, as per your suggestion.

Please note that I am masking the IP addresses for security reasons.


Method 1: curl command

curl -v https://www.averydennison.com --resolve www.averydennison.com:443:1*.**.1*8.*7* 

The output I get after running the above command is as below.

* Added www.averydennison.com:443:1*.**.1*8.*7* to DNS cache
* Hostname www.averydennison.com was found in DNS cache
* Trying 1*.**.1*8.*7*:443...
* connect to 1*.**.1*8.*7*  port 443 from 0.0.0.0 port 50281 failed: Timed out
* Failed to connect to www.averydennison.com port 443 after 21059 ms: Could not connect to server
* closing connection #0
curl: (28) Failed to connect to www.averydennison.com port 443 after 21059 ms: Could not connect to server



Method 2: openssl command

openssl s_client -connect 1*.**.1*8.*7*:443 -servername www.averydennison.com

 


The output I get after running the above command is as below.


'openssl' is not recognized as an internal or external command,
operable program or batch file.


Employee Advisor

Is this AEM as a Cloud Service? In that case you cannot bypass the CDN from an external endpoint (for security reasons), and therefore you are unable to connect to the origin endpoints (which the CDN itself is connecting to).


Administrator

Hi @Nitesh-Chavan,

Did the shared solution help you out? Please let us know if you need more information. Otherwise kindly consider marking the most suitable answer as ‘correct’.

If you've discovered a solution yourself, we would appreciate it if you could share it with the community.

 


Level 3

We are using AEM as a Managed Service (AMS) with Akamai as a CDN.


Administrator

@Jörg_Hoh Could you please further help @Nitesh-Chavan with the added information to the query?