Skip to content

Grabbing a copy of a server's TLS certificate

Sometimes you want to grab a copy of a server's TLS certificate - usually in order to perform Certificate Pinning. This is an additional security step used to provide additional assurance that the server you're talking to is the correct server (and is not, for example, an imposter using a bogus but legitimately issued certificate).

There are a number of different methods to do so, both from browsers and from the command line. This post documents a couple command line methods; a followup post will go into browser methods.

It should be noted - while we're on the topic - that Certificate Pinning is a controversial step to take, because it breaks things. In the ordinary course of events, when a certificate is replaced with a newer certificate, this change is invisible to the client, because both the old and the new certificate "check out" (in that they're issued by a valid CA, they're within valid dates, they're not on a CRL, etc. etc.). When you start pinning, you lose the ability to adapt when a certificate is replaced in the normal cause of business (expiration, compromise, addition of SAN names to the cert, etc. etc.). So if you're depending on access to a service, but trying to improve security by pinning, be aware that you may be shooting your availability/uptime in the foot, because when the certificate gets replaced by the server's owner your pinning will break the connectivity.

openssl

The openssl command line client can be used to connect to a TLS-enabled service, and prints out the server's certificate as part of the normal output (full example is here):

$ echo '' | openssl s_client -connect www.swynwyr.com:443 CONNECTED(00000003) depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority verify return:1 depth=1 C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 1 DV Server CA verify return:1 depth=0 CN = www.swynwyr.com verify return:1 --- Certificate chain 0 s:/CN=www.swynwyr.com i:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIF7zCCBNegAwIBAgIQGAvqmJHQF769z7eawoarHTANBgkqhkiG9w0BAQsFADB4 MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjEpMCcGA1UECxMg U3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJjAkBgNVBAMTHVN0YXJ0 ... 5EkC0EHGoL7q37yraOOWXTizcqZEAj+LqLoySYKbe8EjsJ2AzuAErkptftiH4dgL 2xMeFZ7k2r7UsCkooQGF/cwblNTTTLSxd8bxXDthmBUDfZ8= -----END CERTIFICATE----- subject=/CN=www.swynwyr.com issuer=/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA ...

Now, I've shortened that output (marked by ...) but as you can see the server's certificate is their, in standard PEM x.509 format. You can grab that using an editor, or copy and paste, or you can just use sed to strip it out:
$ echo '' | openssl s_client -connect www.swynwyr.com:443 | sed -n '/BEGIN CERT/,/END CERT/p' > swynwyr.crt

And you can verify the contents of that PEM file using openssl again:

$ openssl x509 -text -noout -in swynwyr.crt Certificate: Data: Version: 3 (0x2) Serial Number: 18:0b:ea:98:91:d0:17:be:bd:cf:b7:9a:c2:86:ab:1d Signature Algorithm: sha256WithRSAEncryption Issuer: C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Class 1 DV Server CA Validity Not Before: May 13 13:11:40 2016 GMT Not After : May 13 13:11:40 2017 GMT Subject: CN=www.swynwyr.com Subject Public Key Info: ...

gnutls-cli



The gnutls-cli command can also be used to grab the cert (it is less commonly found than openssl, however).

$ echo '' | gnutls-cli --print-cert www.swynwyr.com Processed 173 CA certificate(s). Resolving 'www.swynwyr.com'... Connecting to '65.19.178.92:443'... - Certificate type: X.509 - Got a certificate list of 2 certificates. - Certificate[0] info: - subject `CN=www.swynwyr.com', issuer `C=IL,O=StartCom Ltd.,OU=StartCom Certification Authority,CN=StartCom Class 1 DV Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2016-05-13 13:11:40 UTC', expires `2017-05-13 13:11:40 UTC', SHA-1 fingerprint `0a8eb691fca178dc0434d72ca7923d32de073cb4' Public Key ID: 0ff5395413c86c6d93f0b053d02fece99cc3b3a8 Public key's random art: +--[ RSA 2048]----+ | o+*=o | | =**. | | ..+o.o | | . o oo .| | S +. o | | o .o | | . + . | | .B | | E.. .+ | +-----------------+ -----BEGIN CERTIFICATE----- MIIF7zCCBNegAwIBAgIQGAvqmJHQF769z7eawoarHTANBgkqhkiG9w0BAQsFADB4 MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjEpMCcGA1UECxMg ... 5EkC0EHGoL7q37yraOOWXTizcqZEAj+LqLoySYKbe8EjsJ2AzuAErkptftiH4dgL 2xMeFZ7k2r7UsCkooQGF/cwblNTTTLSxd8bxXDthmBUDfZ8= -----END CERTIFICATE----- - Certificate[1] info: ...

Unlike openssl, gnutls-cli will default to printing all certificates (the server certificate and any intermediate certificates the server provides) so a slightly different sed line is used to grab the server certificate (which comes first); if pulling out the certificate with an editor, just grab the first certificate ("Certificate[0]"):

$ echo '' | gnutls-cli --print-cert www.swynwyr.com | sed -n '/BEGIN CERT/,/END CERT/p;/END CERT/q' -----BEGIN CERTIFICATE----- MIIF7zCCBNegAwIBAgIQGAvqmJHQF769z7eawoarHTANBgkqhkiG9w0BAQsFADB4 MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjEpMCcGA1UECxMg ... 5EkC0EHGoL7q37yraOOWXTizcqZEAj+LqLoySYKbe8EjsJ2AzuAErkptftiH4dgL 2xMeFZ7k2r7UsCkooQGF/cwblNTTTLSxd8bxXDthmBUDfZ8= -----END CERTIFICATE----- $

Trackbacks

No Trackbacks

Comments

Display comments as Linear | Threaded

No comments

Add Comment

BBCode format allowed
Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA