Using openssl to get the certificate from a server

Question

I am trying to get the certificate of a remote server  which I can then use to add to my keystore and use within my java application   A senior dev  who is on holidays       informed me I can run this   openssl s client -connect host host 9999   To get a raw certificate dumped out  which I can then copy and export  I receive the following output   depth 1  C NZ ST Test State or Province O Organization Name OU Organizational Unit Name CN Test CA verify error num 19 self signed certificate in certificate chain verify return 0 23177 error 14094410 SSL routines SSL3 READ BYTES sslv3 alert handshake failure s3 pkt c 1086 SSL alert number 40 23177 error 140790E5 SSL routines SSL23 WRITE ssl handshake failure s23 lib c 188    I have also tried with this option  -showcerts    and this one  running on debian mind you   -CApath  etc ssl certs     But get the same error   This source says I can use that CApath flag but it doesn t seem to help  I tried multiple paths to no avail   Please let me know where I m going wrong

User · Answer

With SNI

If the remote server is using SNI (that is, sharing multiple SSL hosts on a single IP address) you will need to send the correct hostname in order to get the right certificate.

openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null

Without SNI

If the remote server is not using SNI, then you can skip -servername parameter:

openssl s_client -showcerts -connect www.example.com:443 </dev/null

To view the full details of a site's cert you can use this chain of commands as well:

$ echo | \
    openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | \
    openssl x509 -text

User · Answer

The easiest command line for this  which includes the PEM output to add it to the keystore  as well as a human readable output and also supports SNI  which is important if you are working with an HTTP server is   openssl s client -servername example com -connect example com 443        lt  dev null 2 gt  dev null   openssl x509 -text   The -servername option is to enable SNI support and the openssl x509 -text prints the certificate in human readable format

User · Answer

A one-liner to extract the certificate from a remote server in PEM format  this time using sed   openssl s client -connect www google com 443 2 gt  dev null  lt  dev null    sed -ne   -BEGIN CERTIFICATE-   -END CERTIFICATE- p

User · Answer

While I agree with Ari s answer  and upvoted it     I needed to do an extra step to get it to work with Java on Windows  where it needed to be deployed    openssl s client -showcerts -connect www example com 443  lt   dev null   openssl x509 -outform DER  gt  derp der   Before adding the openssl x509 -outform DER conversion  I was getting an error from keytool on Windows complaining about the certificate s format   Importing the  der file worked fine

User · Answer

to print only the certificate chain and not the server s certificate     MYHOST myhost com   MYPORT 443   openssl s client -connect   MYHOST    MYPORT  -showcerts 2 gt  dev null  lt  dev null   awk          MYHOST      -----END CERTIFICATE-----  next   -----BEGIN   -----END CERTIFICATE-----  print     to update CA trust on CentOS RHEL 6 7      update-ca-trust enable   openssl s client -connect   MYHOST    MYPORT  -showcerts 2 gt  dev null  lt  dev null   awk          MYHOST      -----END CERTIFICATE-----  next   -----BEGIN   -----END CERTIFICATE-----  print    gt  etc pki ca-trust source anchors myca cert   update-ca-trust extract   on CentOS RHEL 5     openssl s client -connect   MYHOST    MYPORT  -showcerts 2 gt  dev null  lt  dev null   awk          MYHOST      -----END CERTIFICATE-----  next   -----BEGIN   -----END CERTIFICATE-----  print    gt  gt  etc pki tls certs ca-bundle crt

User · Answer

If your server is an email server  MS Exchange or Zimbra  maybe you need to add the starttls and smtp flags   openssl s client -starttls smtp -connect HOST EMAIL SECURE PORT 2 gt  dev null  lt  dev null    sed -ne   -BEGIN CERTIFICATE-   -END CERTIFICATE- p   gt  CERTIFICATE NAME pem  Where     HOST EMAIL is the server domain  for example  mail-server com  SECURE PORT is the communication port  for example  587 or 465 CERTIFICATE NAME output s filename  BASE 64 PEM Format

User · Answer

You can get and store the server root certificate using next bash script   CERTS   echo -n   openssl s client -connect  HOST NAME  PORT -showcerts   sed -ne   -BEGIN CERTIFICATE-   -END CERTIFICATE- p   echo   CERTS    awk -v RS  -----BEGIN CERTIFICATE-----   NR  gt  1   printf RS  0  gt     SERVER ROOT CERTIFICATE    close    SERVER ROOT CERTIFICATE         Just overwrite required variables

User · Answer

For the benefit of others like me who tried to follow the good advice here when accessing AWS CloudFront but failed  the trick is to add -servername domain name     Source  https   serverfault com a 780450 8972

User · Answer

It turns out there is more complexity here  I needed to provide many more details to get this rolling  I think its something to do with the fact that its a connection that needs client authentication  and the hankshake needed more info to continue to the stage where the certificates were dumped   Here is my working command   openssl s client -connect host port -key our private key pem -showcerts                    -cert our server-signed cert pem   Hopefully this is a nudge in the right direction for anyone who could do with some more info

User · Answer

To get the certificate of remote server you can use openssl tool and you can find it between BEGIN CERTIFICATE and END CERTIFICATE which you need to copy and paste into your certificate file  CRT    Here is the command demonstrating it   ex    BEGIN CERTIFICATE   END CERTIFICATE p   lt  echo   openssl s client -showcerts -connect example com 443  -scq  gt  file crt   To return all certificates from the chain  just add g  global  like   ex   g BEGIN CERTIFICATE   END CERTIFICATE p   lt  echo   openssl s client -showcerts -connect example com 443  -scq   Then you can simply import your certificate file  file crt  into your keychain and make it trusted  so Java shouldn t complain   On OS X you can double-click on the file or drag and drop in your Keychain Access  so it ll appear in login Certificates  Then double-click on the imported certificated and make it Always Trust for SSL   On CentOS 5 you can append them into  etc pki tls certs ca-bundle crt file  and run  sudo update-ca-trust force-enable   or in CentOS 6 copy them into  etc pki ca-trust source anchors  and run sudo update-ca-trust extract   In Ubuntu  copy them into  usr local share ca-certificates and run sudo update-ca-certificates

User · Answer

HOST gmail-pop l google com PORT 995  openssl s client -servername  HOST -connect  HOST  PORT  lt   dev null 2 gt  dev null   openssl x509 -outform pem

[linux] Using openssl to get the certificate from a server

With SNI

Without SNI

Examples related to linux

Examples related to security

Examples related to certificate

Examples related to openssl

Examples related to ssl-certificate