I need to download an SSL certificate of a remote server (not HTTPS, but the SSL handshake should be the same, as Google Chrome / IE / wget and curl all give certificate check fail errors) and add the certificate as trusted in my laptop's Windows certificate store, since I am not able to get my IT guys to give me the CA cert.

This is for office communications, so I cannot really use the actual client to get the cert.

How do I do this? I have Windows 7 and a pile of Linuxes handy, so any tool / scripting language is fine.

Journeyman Geek
Kimvais

9 Answers

If you have access to OpenSSL, try

openssl s_client -connect {HOSTNAME}:{PORT} -showcerts

replacing {HOSTNAME} and {PORT} with whatever your values are.

Gaff
gbroiles
  • I prefer this option as I don't have to open a GUI, and I can do it via SSH from our servers. – bramp Jan 23 '12 at 21:14
  • Plus it works for protocols other than HTTP. – matt Dec 03 '13 at 15:49
  • [elec3647's solution](http://superuser.com/a/641396/96477) fully automates extracting the PEM in a shell pipeline. – phs Dec 10 '13 at 07:05
  • Is there a way to get this to work behind a proxy? It doesn't seem to honor the $https_proxy environment variable. – Michael Munsey Feb 03 '16 at 17:40
  • 443 is the default port for HTTPS. – Flimm Nov 02 '16 at 10:40
  • I needed the `-servername` option to get the virtual host certificate. https://gist.github.com/Artistan/5219484efb2fe51cd064175b3d0d5971 – Artistan Jan 25 '18 at 16:00
  • For those trying this over IPv6, note that only OpenSSL 1.1.0 and newer support IPv6. See [this LWN article](https://lwn.net/Articles/486369/) for the backstory regarding this. – tambre Aug 24 '18 at 11:51
  • Probably obvious, but you have to remove `https://` from the hostname or you'll get `getaddrinfo: nodename nor servname provided, or not known`. The answer is correct, but when you get accustomed to copying/pasting into sites like sslchecker, it's habitual. – tresf Oct 16 '19 at 22:51
A quick method to get the certificate pulled and downloaded would be to run the following command, which pipes the output from `-showcerts` to the `x509` OpenSSL command, which just strips everything extraneous off. For example:

openssl s_client -showcerts -connect server.edu:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem

To use the certificate with wget:

wget https://server.edu:443/somepage --ca-certificate=mycertfile.pem
MUY Belgium
elec3647
  • I tried this (on another website) but was expecting the full chain of certs: seems this only brought back the first in the chain. Is that to be expected? – monojohnny Aug 30 '14 at 20:42
  • That is not working for me: unable to load certificate 27262:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE – Janusz Sep 09 '14 at 09:05
  • I agree with monojohnny, this doesn't give you the full chain. – Michael Munsey Dec 02 '14 at 23:51
  • Late but @monojohnny: `openssl s_client -showcerts` displays all the certs in the received chain (if connection succeeds), but piping through `openssl x509` takes only the first one and discards the rest. To get all of them instead use `...| sed -n '/^-----BEGIN CERT/,/^-----END CERT/p'` or `...| awk '/^-----BEGIN CERT/,/^-----END CERT/'`. You can also use a slightly more complicated `awk` to put each cert in a separate file, which makes them easier to use with `openssl` and some other tools. – dave_thompson_085 Aug 11 '16 at 21:13
  • To use the certificate, with wget, `wget https:/server.edu:443/somepage --ca-certificate=mycertfile.pem` – MUY Belgium Sep 14 '17 at 09:36
  • Using wget it seems to only save an `index.html` => `HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: ‘index.html.1’` – OZZIE Oct 25 '17 at 07:53
  • What is x509? – OZZIE Oct 25 '17 at 07:56
  • @dave_thompson_085, any hint as to what that "more complicated `awk`" might be? – cowlinator Jan 09 '19 at 21:09
  • @cowlinator: there are variations but something like `openssl s_client ..... -showcerts \ | awk '/-----BEGIN/{f="cert."(n++)} f{print>f} /-----END/{f=""}'`, see https://unix.stackexchange.com/questions/366898/generate-hpkp-fingerprints-for-all-certificate-chain – dave_thompson_085 Jan 10 '19 at 04:37
  • While gbroiles' answer does allow you to see the certificate, this answer actually includes the part about saving it to a file. – bkidd Mar 28 '19 at 15:29
To be honest, I have never tried this before (never needed to); however, I have just tried in Firefox and it seems to work for saving:

  1. Click on the SSL certificate icon at the top / Padlock at the bottom.
  2. Click View Certificate
  3. Click on the Details Tab
  4. Choose which certificate you want from the hierarchy [not circled in picture]
  5. Click Export

[screenshot of the Firefox certificate viewer]

Robert Siemer
William Hilsum
  • Good to know, but for my curiosity, can you explain a little more what you are trying to accomplish? I have never needed to export a SSL client certificate and am very curious why you would actually have the need to do it... – William Hilsum Jan 18 '10 at 08:49
  • That's a server certificate, not a client certificate. The main reason to export a client private key & certificate is to maintain a backup, or if you want to authenticate using another browser or computer. – gbroiles Aug 17 '10 at 07:23
  • @gbroiles - read the question, he used the wrong terminology, but this solved his problem. – William Hilsum Aug 17 '10 at 09:59
  • Right, and I answered your question: why would someone want to save a client certificate? "SSL client certificate" was your term, not his. – gbroiles Aug 18 '10 at 06:43
  • There is no such thing as a “client part of a server certificate”. In the hierarchy presented you can choose if you want to see/export the main Certification Authority certificate, the sub-CA certificate, or the server certificate. (The chain may be longer, shorter or even incomplete in each case.) – I tried to download the CA certificate from my imap server this way. Failed, because Firefox and co. don’t allow connection on port 143. And to answer “Why?”: I wanted to import it in stupid Thunderbird, which can’t do it itself! (can only make an exception with the server cert, not the CA above). – Robert Siemer May 11 '12 at 09:31
  • Doesn't look like there's a way to do this in Chrome, right?! – fatuhoku Feb 11 '16 at 16:52
  • You can do it in Firefox atm. – OZZIE Oct 25 '17 at 07:49
  • @fatuhoku sure there is, see https://superuser.com/a/1160401/112204 – eis Feb 23 '18 at 05:02
  • This is no longer possible in modern Firefox. Those goofballs wanted to "modernize" the cert viewer and took away the ability to export it in the process :( – Coderer Apr 19 '21 at 10:20
Exporting a certificate using the Chrome browser

  1. Connect to the website using SSL (https://whatever)

  2. Click on the lock symbol and then click on Details. Since Chrome version 56, you do the following instead: go to the Three Dots Menu -> More Tools -> Developer Tools, then click on the Security Tab. This will give you a Security Overview with a View certificate button.

  3. Click on the View certificate button.

    A modal window will open. It has two panes. The top one shows the trust hierarchy of the site's certificate (the last one listed), the intermediate certificate(s), and the root certificate (the topmost one).

    The second, larger pane shows the details of one of the certificates.

    There may be zero or more intermediate certificates.

    Note that the root certificate has a gold-bordered icon. The others have a blue border.

    See the screenshot below.

  4. To export a certificate:

    1. First click on the certificate's icon in the trust hierarchy.
    2. The certificate will be shown in the main part of the modal.
    3. Click on the certificate's large icon in the main part of the modal. Drag the icon to your desktop. Chrome will then copy the certificate to your desktop.

[screenshot of the Chrome certificate viewer]

Larry K
  • I had to drag the icon onto a text editor, desktop didn't work for me. – Cory Klein May 04 '17 at 19:23
  • For Chrome on Windows, after you click 'View certificate' the modal is different than Mac. Click the Details tab and then Copy to File... Then choose the format and filename, which is straightforward. – PolyTekPatrick Aug 30 '17 at 12:06
  • When I use Chrome v63 on Mac OS, the text file I get from dragging the certificate is human-readable, but not in any structured format that I can figure out how to convert into machine-readable form like X.509 .crt. – Jim DeLaHunt Dec 19 '17 at 02:06
  • No difference if opening from address bar or from this dev tab, and still can't download crt... – user25 Mar 31 '18 at 00:32
  • Not working anymore on Chrome 72.0.3626.121 – A. D'Alfonso Mar 13 '19 at 10:11
  • On Mac it is still working with Chrome 72.0.3626.121 for me. – Larry K Mar 13 '19 at 21:43
  • On Mac, Google Chrome Version 74.0.3729.131 (Official Build) (64-bit) tested, works. – ikel May 05 '19 at 06:40
  • But you can also get the **view certificate** modal window by clicking on the padlock icon to the left of the URL; that seems faster to me than the steps 1 and 2 here? Then just proceed with step 4. Chrome Version 83.0.4103.116 (Official Build) (64-bit) on macOS – auspicious99 Jul 20 '20 at 09:54
  • If you don't find the security tab (point 2) look here: https://stackoverflow.com/questions/64657022/security-tab-missing-from-chrome-developers-tools – andreagalle Apr 22 '22 at 12:53
Automated

`-servername` was required for me to get the right cert from the virtual host on our server.

openssl s_client -showcerts -connect host.name.com:443 -servername host.name.com </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > host.name.com.pem

You may also convert it to a certificate for the desktop:

openssl x509 -inform PEM -in host.name.com.pem -outform DER -out host.name.com.cer

The last part is to add it to your certs; not sure on Windows.
For the Mac keychain I used the following; should be similar...

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain host.name.com.cer

Artistan
  • https://gist.github.com/Artistan/5219484efb2fe51cd064175b3d0d5971 – Artistan Jan 25 '18 at 15:59
  • Note that some applications have trouble with the System and SystemRoot keychains (Golang, I'm looking at YOU), so after installing and setting the trust for those levels, you may also want to copy it to your own user's `login.keychain` via the `Keychain Access` app: you can just browse to the certificate in System/SystemRoot and click and drag it to your `login` keychain. – dragon788 Nov 20 '18 at 22:45
  • @dragon788 - my intent was to automate this with the command line and this works for me. Please share here if you find a solution for login.keychain via CLI as well! Thanks! – Artistan Nov 21 '18 at 17:17
  • Judging from what I've read on the web I believe just omitting the `-d` from the command will apply only to the user keychain instead of the System keychain. – dragon788 Nov 28 '18 at 21:18
  • If you are also adding intermediate certificate(s) you will want to use `trustAsRoot` instead of `trustRoot` in order for it to get correctly added. – dragon788 Nov 29 '18 at 18:20
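The comments on elec3647's answer note that `openssl x509` keeps only the first certificate, and the answer above collects the whole chain into a single file with `sed`. The script below, an added example that is not from any of the answers, goes one step further and writes each certificate of the chain to its own file, which is what you need when a CA or intermediate has to be imported separately. It assumes the output format of `openssl s_client -showcerts` and uses a constructed sample with placeholder base64 bodies in place of a live connection.

```shell
#!/bin/sh
# Added example: split the PEM blocks printed by `openssl s_client -showcerts`
# into one file per certificate (cert.0.pem is the leaf, cert.1.pem the next
# issuer, ...). All other s_client chatter (depth lines, "Certificate chain",
# session info) is dropped.
#
# Live use:
#   openssl s_client -showcerts -connect host:443 -servername host \
#       </dev/null 2>/dev/null | split_chain ./chain
# Prints the number of certificates written; exits non-zero if none were found.

split_chain() {
    outdir="${1:-.}"
    mkdir -p "$outdir"
    # Open a new file on each BEGIN line, copy lines while inside a block,
    # close the file on END. n counts blocks; the END rule prints the total.
    count=$(awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ { f = dir "/cert." n++ ".pem" }
        f { print > f }
        /^-----END CERTIFICATE-----$/   { close(f); f = "" }
        END { print n + 0 }')
    echo "$count"
    [ "$count" -gt 0 ]
}

# Constructed sample of s_client output (not a real chain): the base64 bodies
# are placeholders, real output carries the DER-encoded certificates.
SAMPLE='CONNECTED(00000003)
depth=1 CN = Example Intermediate CA
verify return:1
---
Certificate chain
 0 s:CN = host.name.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBAAAAleaf
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBAAAAintermediate
-----END CERTIFICATE-----
---
Server certificate
subject=CN = host.name.com
'

demo() {
    dir=$(mktemp -d)
    printf '%s' "$SAMPLE" | split_chain "$dir"   # prints 2
}
demo
```

Each resulting file is a single PEM certificate, so `openssl x509 -in chain/cert.1.pem -noout -subject -issuer` (a standard OpenSSL invocation) will show you which one is the CA before you trust it.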
This is gbroiles' answer, but I wanted to point out that the cURL project has a page with a few more details on using openssl to save the remote server's SSL certificate:

  • openssl s_client -connect {HOSTNAME}:{PORT} | tee logfile
  • Type QUIT and press the Enter / Return key.
  • The certificate will be listed between "BEGIN CERTIFICATE" and "END CERTIFICATE" markers.
  • If you want to see the data in the certificate, you can use:

    openssl x509 -inform PEM -in certfile -text -out certdata

    where certfile is the certificate extracted from logfile. Look in certdata.

Daniel Trebbien
  • This worked for me. To be a bit more explicit, I edited logfile and trimmed everything that was outside of the BEGIN CERTIFICATE and END CERTIFICATE and saved the result as certfile.pem (not sure if the extension was necessary). – Michael Welch Oct 25 '18 at 19:52
This will give the results containing the certificates only:

echo QUIT | \
openssl s_client -showcerts -connect hostname:port | \
awk '/-----BEGIN CERTIFICATE-----/ {p=1}; p; /-----END CERTIFICATE-----/ {p=0}'
Archimedes Trajano

Found a much easier way if on Windows. Tried Microsoft Edge (pre-Chromium) and clicked on the lock in the address bar -> View certificate. A dialog pops up with an "Export to File" button, which saves it as a .crt file.

Not much I'd use Edge for, but this was a piece of cake.

On a Windows machine one can retrieve a server certificate: open the Windows Terminal prompt and type the following command:

openssl s_client -connect www.github.com:443 -showcerts

It is a requirement to have OpenSSL installed. One can download it here: https://slproweb.com/products/Win32OpenSSL.html

Open the OpenSSL/bin folder and type the command above.