Get SSL server certificate from Server with OpenSSL s_client

Updated: Aug 24

An SSL/TLS certificate is a file installed on a website's origin server. It's simply a data file containing the public key and the identity of the website owner, along with other information. Without a server certificate, a website's traffic can't be encrypted with TLS.



SSL/TLS certificates are the most popular type of X.509 certificate. SSL/TLS certificates are issued to hostnames (machine names like ‘ABC-SERVER-02’ or domain names like google.com).


In this post, we will get the SSL/TLS server certificate from a server or website with the OpenSSL command line.


Get SSL server certificate from Server

We can open an interactive SSL connection to our server with the openssl s_client command (the -connect option takes the host and port).

This keeps the interactive session open until we type Q (quit) and press <Enter>, or until EOF is encountered on standard input.


We can use the -showcerts option to get the complete certificate chain (the output below is abbreviated; each certificate body is much longer):



openssl s_client -showcerts -connect google.com:443
Certificate chain
 0 s:/CN=*.google.com
   i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
-----BEGIN CERTIFICATE-----
MIIOHDCCDQSgAwIBAgIRAK9pj+vPzS2JCgAAAAD26sQwDQYJKoZIhvcNAQELBQAw
RjELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBM
-----END CERTIFICATE-----

 1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
   i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
-----BEGIN CERTIFICATE-----
MIIFljCCA36gAwIBAgINAgO8U1lrNMcY9QFQZjANBgkqhkiG9w0BAQsFADBHMQsw
CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
-----END CERTIFICATE-----


We can also save all the certificates in the chain to a file with the following command. Redirecting standard input from /dev/null makes s_client exit right after the handshake instead of waiting for Q, and the sed filter keeps only the lines between the BEGIN and END markers, so the file contains nothing but PEM blocks.


openssl s_client -showcerts -connect google.com:443 </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p' > certifs.pem


Download SSL server certificate from Server with SNI

If the remote server relies on SNI (Server Name Indication, that is, serving multiple SSL hosts from a single IP address), we need to send the correct servername in the OpenSSL command in order to get the right certificate; otherwise the server may return the default certificate for that IP address.


For example, www.howtouselinux.com shares its IP address with other SSL hosts. So in order to get the certificate for our website, we need to use the following command.



openssl s_client -showcerts -servername www.howtouselinux.com -connect www.howtouselinux.com:443 </dev/null

openssl s_client -showcerts -servername www.howtouselinux.com -connect www.howtouselinux.com:443 </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p' > certifs.pem
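As an added example (not code from the original post), the Python helper below parses the -showcerts output shown above, checks that the chain the server sent links up issuer-to-subject and that the leaf certificate's CN covers the name passed in -servername, and wraps the SNI command from this section. The sample text is constructed from the truncated output above; fetch_chain shells out to openssl and needs network access, while the parsing and checks run offline.

```python
import re
import subprocess

# Constructed sample in the shape of the s_client -showcerts output above;
# the certificate bodies are truncated and are not real certificates.
SAMPLE = """\
 0 s:/CN=*.google.com
   i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
-----BEGIN CERTIFICATE-----
MIIOHDCCDQSgAwIBAgIRAK9pj+vPzS2JCgAAAAD26sQwDQYJKoZIhvcNAQELBQAw
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
   i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
-----BEGIN CERTIFICATE-----
MIIFljCCA36gAwIBAgINAgO8U1lrNMcY9QFQZjANBgkqhkiG9w0BAQsFADBHMQsw
-----END CERTIFICATE-----
"""
# One entry: depth, "s:" subject, "i:" issuer, any extra lines (OpenSSL 3
# prints "a:" and "v:" lines here), then the PEM block.
ENTRY = re.compile(
    r"^\s*(\d+) s:(?P<s>[^\n]*)\n\s*i:(?P<i>[^\n]*)\n(?:[^\n]*\n)*?"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.M | re.S)

def parse_showcerts(text):
    """Return the chain as a list of dicts, in the order the server sent it."""
    return [{"depth": int(m.group(1)), "subject": m.group("s").strip(),
             "issuer": m.group("i").strip(), "pem": m.group("pem") + "\n"}
            for m in ENTRY.finditer(text)]

def chain_links(chain):
    """True when each certificate's issuer is the subject of the next one,
    i.e. the server sent its chain in the expected leaf-to-root order."""
    return all(a["issuer"] == b["subject"] for a, b in zip(chain, chain[1:]))

def leaf_matches(chain, servername):
    """Check that the leaf CN covers the SNI name we asked for (one leading
    wildcard label is honoured; SAN entries are not parsed here)."""
    m = re.search(r"CN\s*=\s*([^/,]+)", chain[0]["subject"])
    if not m:
        return False
    cn = m.group(1).strip()
    if cn.startswith("*."):
        parts = servername.split(".", 1)
        return len(parts) == 2 and parts[1] == cn[2:]
    return cn == servername

def fetch_chain(host, port=443, servername=None):
    """Run the post's command (with -servername for SNI) and parse it; empty
    stdin makes s_client exit on EOF instead of waiting for 'Q'."""
    cmd = ["openssl", "s_client", "-showcerts", "-servername", servername or host,
           "-connect", f"{host}:{port}"]
    out = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=20)
    return parse_showcerts(out.stdout)
```

A mismatch reported by leaf_matches after fetch_chain("www.example.org") usually means the server ignored or did not receive the SNI name and handed back its default certificate.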


