I am trying to get the certificate of a remote server, which I can then use to add to my keystore and use within my Java application.
A senior dev (who is on holidays 🙁 ) informed me I can run this:
openssl s_client -connect host.host:9999
to get a raw certificate dumped out, which I can then copy and export. I receive the following output:
depth=1 /C=NZ/ST=Test State or Province/O=Organization Name/OU=Organizational Unit Name/CN=Test CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
23177:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40
23177:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
I have also tried it with this option:
-showcerts
and this one (running on Debian mind you):
-CApath /etc/ssl/certs/
But I get the same error.
This source says I can use that CApath flag but it doesn't seem to help. I tried multiple paths to no avail.
Please let me know where I'm going wrong.
Best Answer
With SNI
If the remote server is using SNI (that is, sharing multiple SSL hosts on a single IP address) you will need to send the correct hostname in order to get the right certificate.
Without SNI
If the remote server is not using SNI, then you can skip the
-servername
parameter. To view the full details of a site's cert you can use this chain of commands as well:
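The full procedure the answer describes (fetch the certificate with SNI, pull the PEM block out of the s_client output, then import it into the Java truststore), as an added example that is not part of the question or the answer. The functions, the TARGET_HOST / TARGET_PORT environment variables and the keystore path, password and alias are assumptions for illustration, and the sample s_client output is constructed; its PEM bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example; not from the question or the answer above.
# Assumptions: TARGET_HOST/TARGET_PORT are set by you for a live run;
# keystore path, password and alias below are placeholders.

# Print every PEM certificate block in s_client output and nothing else.
extract_certs() {
    sed -ne '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Count the PEM blocks on stdin (prints 0 when there are none).
count_certs() {
    grep -c -- '^-----BEGIN CERTIFICATE-----$' || true
}

# Keep only the first block. With -showcerts the chain is listed leaf
# first; without -showcerts only the leaf is printed, so this still works.
extract_leaf() {
    extract_certs | awk '/^-----BEGIN CERTIFICATE-----$/ { n++ } n == 1'
}

# Subject of a PEM cert on stdin, to eyeball before trusting it.
# Needs openssl; prints nothing if it is not installed.
cert_subject() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -noout -subject
}

# Live fetch. -servername sends the hostname via SNI so a server that
# hosts several names on one IP hands back the right certificate;
# </dev/null closes the session so s_client returns instead of waiting
# for input. The "verify error" lines go to stderr and do not affect
# the PEM on stdout.
fetch_leaf() {
    host=$1
    port=${2:-443}
    openssl s_client -showcerts -servername "$host" -connect "$host:$port" \
        </dev/null 2>/dev/null | extract_leaf
}

# Import a PEM file into a Java truststore (keytool ships with the JDK).
import_to_keystore() {
    pem=$1; ks=$2; pass=$3; alias=$4
    keytool -importcert -noprompt -trustcacerts \
        -alias "$alias" -file "$pem" -keystore "$ks" -storepass "$pass"
}

# Constructed sample of what `openssl s_client -showcerts` prints for a
# two-certificate chain. The base64 bodies are placeholders.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=1 C = NZ, O = Example, CN = Example Test CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:CN = example.test
   i:CN = Example Test CA
-----BEGIN CERTIFICATE-----
MIIBLEAFPLACEHOLDERNOTAREALCERTIFICATE
-----END CERTIFICATE-----
 1 s:CN = Example Test CA
   i:CN = Example Test CA
-----BEGIN CERTIFICATE-----
MIIBCAPLACEHOLDERNOTAREALCERTIFICATE
-----END CERTIFICATE-----
---
Server certificate
subject=CN = example.test
issuer=CN = Example Test CA
---
DONE'

# Live run only when TARGET_HOST is set, e.g.
#   TARGET_HOST=host.host TARGET_PORT=9999 sh this_script.sh
if [ -n "${TARGET_HOST:-}" ]; then
    fetch_leaf "$TARGET_HOST" "${TARGET_PORT:-443}" > server.pem
    cert_subject < server.pem
    # Placeholder keystore values; replace with your application's own:
    # import_to_keystore server.pem /path/to/truststore.jks changeit "$TARGET_HOST"
fi
```

Run it against the constructed sample with `printf '%s\n' "$SAMPLE_OUTPUT" | extract_leaf` to see the extraction on its own. Note that `verify error:num=19` only says the local CA path does not trust the chain; it is the later `sslv3 alert handshake failure` (alert 40) in the question's output that indicates the server refused the session, which is the case the answer's SNI advice addresses.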