Linux – Using openssl to get the certificate from a server

certificatelinuxopensslSecurityssl-certificate

I am trying to get the certificate of a remote server, which I can then use to add to my keystore and use within my Java application.

A senior dev (who is on holidays 🙁 ) informed me I can run this:

openssl s_client -connect host.host:9999

to get a raw certificate dumped out, which I can then copy and export. I receive the following output:

depth=1 /C=NZ/ST=Test State or Province/O=Organization Name/OU=Organizational Unit Name/CN=Test CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
23177:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40
23177:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

I have also tried it with this option:

-showcerts

and this one (running on Debian mind you):

-CApath /etc/ssl/certs/

But I get the same error.

This source says I can use that CApath flag but it doesn't seem to help. I tried multiple paths to no avail.

Please let me know where I'm going wrong.

Best Answer

With SNI

If the remote server is using SNI (that is, sharing multiple SSL hosts on a single IP address) you will need to send the correct hostname in order to get the right certificate.

openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null

Without SNI

If the remote server is not using SNI, then you can skip -servername parameter:

openssl s_client -showcerts -connect www.example.com:443 </dev/null


To view the full details of a site's cert you can use this chain of commands as well:

$ echo | \
    openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | \
    openssl x509 -text