How to save a remote server SSL certificate locally as a file

342

131

I need to download an SSL certificate of a remote server (not HTTPS, but the SSL handshake should be the same as Google Chrome / IE / wget and curl all give certificate check fail errors) and add the certificate as trusted in my laptops Windows' certificate store since I am not able to get my IT guys to give me the CA cert.

this is for office communications so I cannot really use the actual client to get the cert.

How do I do this, I have Windows 7 and a pile of Linuxes handy so any tool / scripting language is fine.

Kimvais

Posted 2010-01-18T07:43:44.083

Reputation: 3 809

To get the certificate of a mail server, see http://security.stackexchange.com/questions/70528/how-to-get-ssl-certificate-of-a-mail-server

– That Brazilian Guy – 2017-02-16T15:56:41.463

Most likely, your browser has a built-in feature for this -- maybe under "developer tools". – nobar – 2019-08-22T20:07:10.307

Answers

333

If you have access to OpenSSL, try

openssl s_client -connect {HOSTNAME}:{PORT} -showcerts

replacing {HOSTNAME} and {PORT} with whatever your values are.

gbroiles

Posted 2010-01-18T07:43:44.083

Reputation: 3 938

Is there a way to get this to work behind a proxy? It doesn't seem to honor the $https_proxy environment variable. – Michael Munsey – 2016-02-03T17:40:46.713

4443 is the default port for HTTPS. – Flimm – 2016-11-02T10:40:15.413

I needed -servername option to get the virtual host certificate. https://gist.github.com/Artistan/5219484efb2fe51cd064175b3d0d5971

– Artistan – 2018-01-25T16:00:38.723

For those trying this over IPv6, note that only OpenSSL 1.1.0 and newer support IPv6. See this LWN article for the backstory regarding this.

– tambre – 2018-08-24T11:51:55.287

Probably obvious, but you have to remove https:// from the hostname or you'll get getaddrinfo: nodename nor servname provided, or not known. The answer is correct, but when you get accustomed to copying/pasting into sites like sslchecker, it's habitual. – tresf – 2019-10-16T22:51:55.687

2I prefer this option as I don't have to open a GUI, and I can do it via SSH from our servers. – bramp – 2012-01-23T21:14:11.833

3Plus it works for protocols other than HTTP. – matt – 2013-12-03T15:49:44.427

15elec3647's solution fully automates extracting the PEM in a shell pipeline. – phs – 2013-12-10T07:05:53.803

264

A quick method to get the certificate pulled and downloaded would be to run the following command which pipes the output from the -showcerts to the x509 ssl command which just strips everything extraneous off. For example:

openssl s_client -showcerts -connect server.edu:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem

To use the certificate, with wget,

wget https:/server.edu:443/somepage --ca-certificate=mycertfile.pem

elec3647

Posted 2010-01-18T07:43:44.083

Reputation: 2 748

5I tried this (on another website) - but was expected the full chain of certs: seems this only brought back the first in the chain - is that to be expected? – monojohnny – 2014-08-30T20:42:17.837

10That is not working for me: unable to load certificate 27262:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE – Janusz – 2014-09-09T09:05:32.270

4I agree with monojohnny, this doesn't give you the full chain. – Michael Munsey – 2014-12-02T23:51:58.300

4Late but @monojohnny: openssl s_client -showcerts displays all the certs in the received chain (if connection succeeds), but piping through openssl x509 takes only the first one and discards the rest. To get all of them instead use ...| sed -n '/^-----BEGIN CERT/,/^-----END CERT/p' or ...| awk '/^-----BEGIN CERT/,/^-----END CERT/' You can also use a slightly more complicated awk to put each cert in a separate file which makes them easier to use with openssl and some other tools. – dave_thompson_085 – 2016-08-11T21:13:43.023

To use the certificate, with wget, wget https:/server.edu:443/somepage --ca-certificate=mycertfile.pem – MUY Belgium – 2017-09-14T09:36:15.017

3using wget it seems to only save a index.html => HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: ‘index.html.1’ – OZZIE – 2017-10-25T07:53:28.187

..what is x509 ? – OZZIE – 2017-10-25T07:56:03.553

@dave_thompson_085 , any hint as to what that "more complicated awk" might be? – cowlinator – 2019-01-09T21:09:09.900

@cowlinator: there are variations but something like openssl s_client ..... -showcerts \ | awk '/-----BEGIN/{f="cert."(n++)} f{print>f} /-----END/{f=""}' see https://unix.stackexchange.com/questions/366898/generate-hpkp-fingerprints-for-all-certificate-chain

– dave_thompson_085 – 2019-01-10T04:37:30.790

While gbroiles' answer does allow you to see the certificate, this answer actually includes the part about saving it to a file. – bkidd – 2019-03-28T15:29:24.847

128

To be honest, I have never tried this before (never needed to) however, I have just tried in Firefox and it seems to work for saving:

Click on the SSL certificate icon at the top / Padlock at the bottom.
Click View Certificate
Click on the Details Tab
Chose which certificate you want from the hierarchy [not circled in picture]
Click Export

alt text

William Hilsum

Posted 2010-01-18T07:43:44.083

Reputation: 111 572

1Doesn't look like there's a way to do this in Chrome, right?! – fatuhoku – 2016-02-11T16:52:54.110

1That's a server certificate, not a client certificate. The main reason to export a client private key & certificate is to maintain a backup, or if you want to authenticate using another browser or computer. – gbroiles – 2010-08-17T07:23:14.957

@gbroiles - read the question, he used the wrong terminology, but this solved his problem. – William Hilsum – 2010-08-17T09:59:44.690

1right, and I answered your question - why would someone want to save a client certificate? "SSL client certificate" was your term, not his. – gbroiles – 2010-08-18T06:43:08.670

You can do it in Firefox atm. – OZZIE – 2017-10-25T07:49:05.943

@fatuhoku sure there is, see https://superuser.com/a/1160401/112204

– eis – 2018-02-23T05:02:51.803

There is no such thing as a “client part of a server certificate”. In the hierarchy presented you can chose if you want to see/export the main Certification Authority certificate, the sub-CA certificate, or the server certificate. (The chain may be longer, shorter or even incomplete in each case.) – I tried to download the CA certificate from my imap server this way. Failed, because Firefox and co. don’t allow connection on port 143. And to answer “Why?”: I wanted to import it in stupid Thunderbird, which can’t do it itself! (can only make an exception with the server cert, not the CA above). – Robert Siemer – 2012-05-11T09:31:06.383

Good to know - but for my curiosity, can you explain a little more what you are trying to accomplish? I have never needed to export a SSL client certificate and am very curious why you would actually have the need to do it... – William Hilsum – 2010-01-18T08:49:23.243

Exporting a certificate using the Chrome browser

Connect to the website using SSL (https://whatever)

~~2. Click on the lock symbol and then click on Details~~

Since Chrome version 56, you do the following: go to the Three Dots Menu -> More Tools -> Developer Tools, then click on the Security Tab. This will give you a Security Overview with a View certificate button.
Click on the View certificate button.

A modal window will open. It has two panes. The top one shows the trust hierarchy of the site's certificate (the last one listed), the intermediate certificate(s), and the root certificate (the topmost one).

The second, larger pane, shows the details of one of the certificates.

There may be zero or more intermediate certificates.

Note that the root certificate has a gold-bordered icon. The others have a blue border.

See the screen shot below.
To export a certificate:
1. First click on the certificate's icon in the trust hierarchy.
2. The certificate will be shown in the main part of the modal.
3. Click on the certificate's large icon in the main part of the modal. Drag the icon to your desktop. Chrome will then copy the certificate to your desktop.

Larry K

Posted 2010-01-18T07:43:44.083

Reputation: 739

1I had to drag the icon onto a text editor, desktop didn't work for me. – Cory Klein – 2017-05-04T19:23:07.550

2For Chrome on Windows, after you click 'View certificate' the modal is different than Mac. Click the Details tab and then Copy to File...Then choose the format and filename, which is straightforward. – PolyTekPatrick – 2017-08-30T12:06:39.487

1When I use Chrome v63 on Mac OS, the text file I get from dragging the certificate is human-readable, but not in any structured format that I can figure out how to convert into machine-readable form like X.509 .crt . – Jim DeLaHunt – 2017-12-19T02:06:21.620

no difference if opening from address bar or from this dev tab, and still can't download crt... – user25 – 2018-03-31T00:32:28.990

3Not working anymore on Chrome 72.0.3626.121 – A. D'Alfonso – 2019-03-13T10:11:59.087

On Mac it is still working with Chrome 72.0.3626.121 for me. – Larry K – 2019-03-13T21:43:04.840

on mac Google Chrome Version 74.0.3729.131 (Official Build) (64-bit) tested work – ikel – 2019-05-05T06:40:29.650

This is gbroiles' answer, but I wanted to point out that the cURL project has a page with a few more details on using openssl to save the remote server's SSL certificate:

openssl s_client -connect {HOSTNAME}:{PORT} | tee logfile

Type QUIT and press the Enter / Return key.
The certificate will be listed between "BEGIN CERTIFICATE" and "END CERTIFICATE" markers.
If you want to see the data in the certificate, you can use:
```
openssl x509 -inform PEM -in certfile -text -out certdata
```
where certfile is the certificate extracted from logfile. Look in certdata.

Daniel Trebbien

Posted 2010-01-18T07:43:44.083

Reputation: 393

This worked for me. To be a bit more explicit, I edited logfile and trimmed everything that was outside of the BEGIN CERTIFICATE and END CERTIFICATE and saved the result as certfile.pem (Not sure if the extension was necessary). – Michael Welch – 2018-10-25T19:52:13.100

automated

-servername was required for me to get the right cert from the virtual host on our server.

openssl s_client -showcerts -connect host.name.com:443 -servername host.name.com </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > host.name.com.pem

you may also convert to a certificate for desktop

openssl x509 -inform PEM -in host.name.com.pem -outform DER -out host.name.com.cer

last part is to add it to your certs, not sure on windows
for mac keychain I used, should be similar...

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain host.name.com.cer

Artistan

Posted 2010-01-18T07:43:44.083

Reputation: 291

https://gist.github.com/Artistan/5219484efb2fe51cd064175b3d0d5971 – Artistan – 2018-01-25T15:59:47.690

Note that some applications have trouble with the System and SystemRoot keychains (Golang, I'm looking at YOU), so after installing and setting the trust for those levels, you may also want to copy it to your own user's login.keychain via the Keychain Access app, you can just browse to the certificate in System/SystemRoot and click and drag it to your login keychain. – dragon788 – 2018-11-20T22:45:37.680

1@dragon788 - my intent was to automate this with command line and this works for me. Please share here if you find a solution for login.keychain via CLI as well! thanks! – Artistan – 2018-11-21T17:17:39.107

judging from what I've read on the web I believe just omitting the -d from the command will apply only to the user keychain instead of the System keychain. – dragon788 – 2018-11-28T21:18:54.547

If you are also adding an intermediate certificate(s) you will want to use trustAsRoot instead of trustRoot in order for it to get correctly added. – dragon788 – 2018-11-29T18:20:52.717

This will give the results containing the certificates only

echo QUIT | \
openssl s_client -showcerts -connect hostname:port | \
awk '/-----BEGIN CERTIFICATE-----/ {p=1}; p; /-----END CERTIFICATE-----/ {p=0}' "

Archimedes Trajano

Posted 2010-01-18T07:43:44.083

Reputation: 879

Found a much easier way if on Windows. Tried Microsoft Edge (pre-chromium) and clicked on the lock in the address bar -> View certificate Dialog pops up with an "Export to File" button, which saves it as a .crt file.

Not much I'd use Edge for, but this was piece of cake.

Dale Wilbanks

Posted 2010-01-18T07:43:44.083

Reputation: 19