Tuesday, August 16, 2016
Sometimes you want to grab a copy of a server's TLS certificate - usually in order to perform Certificate Pinning. This is an additional security step used to provide additional assurance that the server you're talking to is the correct server (and is not, for example, an imposter using a bogus but legitimately issued certificate).
There are a number of different methods to do so, both from browsers and from the command line. This post documents a couple of command-line methods; a followup post will go into browser methods.
It should be noted - while we're on the topic - that Certificate Pinning is a controversial step to take, because it breaks things. In the ordinary course of events, when a certificate is replaced with a newer certificate, this change is invisible to the client, because both the old and the new certificate "check out" (in that they're issued by a valid CA, they're within their validity dates, they're not on a CRL, etc. etc.). When you start pinning, you lose the ability to adapt when a certificate is replaced in the normal course of business (expiration, compromise, addition of SAN names to the cert, etc. etc.). So if you're depending on access to a service, but trying to improve security by pinning, be aware that you may be shooting your availability/uptime in the foot, because when the certificate gets replaced by the server's owner your pinning will break the connectivity.
openssl

The openssl command line client can be used to connect to a TLS-enabled service, and prints out the server's certificate as part of the normal output (full example is here):
Now, I've shortened that output (marked by ...) but as you can see the server's certificate is there, in standard PEM-encoded X.509 format. You can grab that using an editor, or copy and paste, or you can just use sed to strip it out:
And you can verify the contents of that PEM file using openssl again:
The gnutls-cli command can also be used to grab the cert (it is less commonly found than openssl, however).
Unlike openssl, gnutls-cli will default to printing all certificates (the server certificate and any intermediate certificates the server provides) so a slightly different sed line is used to grab the server certificate (which comes first); if pulling out the certificate with an editor, just grab the first certificate ("Certificate"):
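As an added example (not the post's own commands), the following POSIX shell script bundles the steps above: a first_cert helper that keeps only the first PEM block, so it works on both openssl s_client output and gnutls-cli's leaf-first chain, a fetch_leaf_cert wrapper around openssl s_client, and an offline demo that runs the extraction over a constructed gnutls-cli-style transcript built from two throwaway self-signed certificates and then verifies the result with openssl x509. The function names, the example.test hostnames and the transcript text are assumptions.

```shell
#!/bin/sh
# Added example: pull the server (leaf) certificate out of openssl s_client /
# gnutls-cli style output and check it with openssl x509.
set -e

# Print only the first PEM certificate block found on stdin. openssl s_client
# normally shows just the leaf; gnutls-cli shows the whole chain, leaf first,
# so "first block" is the right rule for both tools.
first_cert() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
        sed '/-----END CERTIFICATE-----/q'
}

# Live use (needs network): fetch and extract the leaf cert of host [port].
fetch_leaf_cert() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        first_cert
}

# Offline demo: two throwaway self-signed certs stand in for a leaf and its
# issuer; the constructed transcript mimics gnutls-cli's full-chain output.
# Prints the subject of whatever first_cert extracted.
demo() {
    dir=$(mktemp -d)
    for cn in leaf.example.test issuer.example.test; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -keyout "$dir/$cn.key" -out "$dir/$cn.pem" 2>/dev/null
    done
    {
        echo "- Certificate type: X.509"
        echo "- Got a certificate list of 2 certificates."
        cat "$dir/leaf.example.test.pem" "$dir/issuer.example.test.pem"
        echo "- Status: The certificate is trusted."
    } >"$dir/session.txt"
    first_cert <"$dir/session.txt" >"$dir/server.pem"
    # Same verification step as in the post: re-parse the PEM and show its subject.
    openssl x509 -in "$dir/server.pem" -noout -subject
    rm -rf "$dir"
}
```

Running `demo` prints the subject of the leaf only; if it ever printed the issuer's CN, the extraction would be pinning the wrong certificate.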