Download self-signed server certificate

2

1

Summary
I need to download a self-signed certificate from a server, to create a .JKS-file to use as truststore in an application. How can I do that from a Red Hat server?

What I have tried
I have tried using openssl to get the certificate:

echo -n | openssl s_client -connect hostname.example.com:20000 -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > downloadedcerts.cert

This fails with the following message:

verify error:num=19:self signed certificate in certificate chain

Indeed, the root certificate of this server is self signed, and not from a CA. I'm fine with this - the root cert belongs to a government agency in my country - but openssl won't connect to download the cert.

It would be easy to load the URL in Firefox, manually ignore the certificate error and download the cert, but I can't connect to the server from my desktop machine because of firewalls.

Any help would be much appreciated :)

MW.

Posted 2014-07-11T12:51:08.407

Reputation: 123

Answers

2

verify error:num=19:self signed certificate in certificate chain

Indeed, the root certificate of this server is self signed, and not from a CA.

It is a CA, it's just not trusted ;)

Unlike browsers (which trust nearly everything), OpenSSL trusts nothing (you have to tell it what to trust).


Download your country's CA certificate (it's usually not sent in the chain). It's not sent in the chain because it's a trust point; you have to already have it and trust it.

You can usually find the CA certificate online. For example, here is DigiCert's, here is Verisign, etc. Verify the certificate you download. Verification is the tricky part - browsers solve it by carrying around their own bundle of already verified certificates.

Place your country's CA certificate in its own file. Then, use openssl s_client -connect hostname.example.com:20000 -CAfile my-country-ca.pem. s_client will complete with Verify OK (0) or similar.

jww

Posted 2014-07-11T12:51:08.407

Reputation: 1
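A scripted version of the workflow in the question and in the answer above (fetch the chain with -showcerts, split it into one file per certificate, check each certificate's subject, issuer and fingerprint, re-run the handshake with -CAfile, then import the checked root into a JKS truststore), added here as an example and not code from either poster. The host name, port, the path of the out-of-band root certificate, the keystore password and the presence of openssl and keytool on PATH are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or the answers. Assumed: openssl
# and keytool are on PATH; HOST/PORT name the agency's server; ROOT_CA is the
# root certificate obtained out of band (not from the server itself).
set -eu
HOST="${HOST:-hostname.example.com}"
PORT="${PORT:-20000}"
ROOT_CA="${ROOT_CA:-my-country-ca.pem}"

# Fetch the chain the server presents. The "verify error:num=19" line goes to
# stderr; the PEM blocks still arrive on stdout, so the download itself works.
fetch_chain() {
    printf '' | openssl s_client -connect "$HOST:$PORT" -showcerts
}
# Split PEM certificates on stdin into $1/cert-0.pem, cert-1.pem, ... in the
# order the server sent them, and print how many were written.
split_pem_chain() {
    mkdir -p "$1"
    awk -v dir="$1" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; n++ }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n }'
}
# Print subject, issuer and SHA-256 fingerprint of each certificate so the root
# (subject == issuer) can be compared with the value the agency publishes.
describe_certs() {
    for c in "$1"/cert-*.pem; do
        echo "== $c"
        openssl x509 -in "$c" -noout -subject -issuer -fingerprint -sha256
    done
}
# Redo the handshake with the checked root as the only trust anchor;
# -verify_return_error makes openssl exit non-zero unless the chain verifies.
verify_against_ca() {
    printf '' | openssl s_client -connect "$HOST:$PORT" \
        -CAfile "$ROOT_CA" -verify_return_error >/dev/null
}
# Import the checked root into a JKS truststore for the Java application.
import_into_jks() {
    keytool -importcert -noprompt -trustcacerts -alias "$1" \
        -file "$ROOT_CA" -keystore truststore.jks -storepass "$2"
}

if [ "${1:-}" = "run" ]; then   # "sh script.sh run" executes the whole workflow
    fetch_chain | split_pem_chain chain && describe_certs chain
    verify_against_ca && import_into_jks gov-root changeit
fi
```

Compare the root's fingerprint printed by describe_certs with the one the agency publishes before running verify_against_ca; keytool then only ever sees the certificate you checked.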

0

I would recommend creating your own Certificate Authority [EDIT - not what was wanted; see next paragraph]. It is kind of a PITA and when you research how to do it, it seems harder than it really is. You just make up a fictitious company whose certificate you will put in the Trusted Root of the clients, and it will be able to sign the certificate(s) rather than using self-signed certificates.

I found an explanation in the answer by Bruno to this question here: https://stackoverflow.com/questions/4103472/ssl-handshake-fails-with-a-verisign-chain-certificate-that-contains-two-ca-s

I hadn't been thinking of a root certificate as being self-signed but it makes good sense. So, if I'm understanding correctly, you are getting the certificate you want (the first one), but also everything else in the certificate chain as well. The root certificate is the one causing the message.

ZuberFowler

Posted 2014-07-11T12:51:08.407

Reputation: 166

I'm not creating the certificate myself. It is created by a government agency (which also runs the server I'm trying to connect to) so I really have to work with the existing certificate. – MW. – 2014-07-12T14:15:54.763

Sorry for not getting that when I "answered" the question. I'll try again with an edit. – ZuberFowler – 2014-07-12T23:16:25.933

"I hadn't been thinking of a root certificate as being self-signed" - All public CA roots are self signed. That means both the Subject and Issuer are the same. Most (many?) public CAs are marked as CA=true,critical. – jww – 2014-07-13T19:21:38.653