Home / server / Questions / 139728
Accepted
RainDoctor
Asked: 2010-05-08 13:01:48 +0800 CST

how to download the ssl certificate from a website?

  • 772

I want to download the ssl certificate from, say https://www.google.com, using wget or any other commands. Any unix command line? wget or openssl?

ssl ssl-certificate openssl wget

6 Answers

  1. In order to download the certificate, you need to use the client built into openssl like so:

    echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

    That will save the certificate to /tmp/$SERVERNAME.cert.

    The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

    You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

    echo -n gives a response to the server, so that the connection is released

    openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

    • 351
  2. Best Answer

    I found the answer. Openssl provides it.

    openssl s_client -connect ${REMHOST}:${REMPORT}

    • 78

  3. The GNUTLS client tool, gnutls-cli, can also make this easy:

    gnutls-cli --print-cert www.example.com \
        < /dev/null \
        > www.example.com.certs

    The program is designed to provide an interactive client to the site, so you need to give it empty input (in this example, from /dev/null) to end the interactive session.

    • 30 
  4. true | openssl s_client -connect google.com:443 2>/dev/null | openssl x509

    this mode of openssl expects stdin, so we provide it via true |, this connects to the server specified in the -connect parameter. 2>/dev/null silences errors (optional), we can pass the whole output into the x509 parser, specifying /dev/stdin to use the shell pipe as the input file. And that will output just the -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- portion of the s_client output. You can redirect that to a file by adding > google.com.pem to the end of the command.

    As best I can tell, this does not verify the certificate chain, it only can tell you what ssl identity the end server provides.

    • 17

  5. based on @bignose answer, here is a self-contained version that fits well in e.g. a chef recipe:

    sudo apt-get install gnutls-bin 
gnutls-cli --print-cert myserver.com </dev/null| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > myserver.crt
sudo cp myserver.crt /usr/local/share/ca-certificates/myserver.crt
sudo update-ca-certificates
    • 11

  6. Alternative syntax using Ex and process substitution:

    ex +'/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect example.com:443) -scq > file.crt
    • 2