I need to download an SSL certificate of a remote server (not HTTPS, but the SSL handshake should be the same as Google Chrome / IE / wget and curl all give certificate check fail errors) and add the certificate as trusted in my laptop's Windows certificate store, since I am not able to get my IT guys to give me the CA cert.
This is for office communications, so I cannot really use the actual client to get the cert.
How do I do this? I have Windows 7 and a pile of Linuxes handy, so any tool / scripting language is fine.
28 Answers
If you have access to OpenSSL, try
openssl s_client -connect {HOSTNAME}:{PORT} -showcerts
replacing {HOSTNAME} and {PORT} with whatever your values are.
A quick method to get the certificate pulled and downloaded would be to run the following command which pipes the output from the -showcerts to the x509 ssl command which just strips everything extraneous off. For example:
openssl s_client -showcerts -connect server.edu:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem
To use the certificate, with wget,
wget https://server.edu:443/somepage --ca-certificate=mycertfile.pem
To be honest, I have never tried this before (never needed to) however, I have just tried in Firefox and it seems to work for saving:
- Click on the SSL certificate icon at the top / Padlock at the bottom.
- Click View Certificate
- Click on the Details Tab
- Choose which certificate you want from the hierarchy [not circled in picture]
- Click Export
Exporting a certificate using the Chrome browser
1. Connect to the website using SSL ()
2. Click on the lock symbol and then click on Details
Since Chrome version 56, you do the following: go to the Three Dots Menu -> More Tools -> Developer Tools, then click on the Security Tab. This will give you a Security Overview with a View certificate button.
Click on the View certificate button.
A modal window will open. It has two panes. The top one shows the trust hierarchy of the site's certificate (the last one listed), the intermediate certificate(s), and the root certificate (the topmost one).
The second, larger pane, shows the details of one of the certificates.
There may be zero or more intermediate certificates.
Note that the root certificate has a gold-bordered icon. The others have a blue border.
See the screen shot below.
To export a certificate:
- First click on the certificate's icon in the trust hierarchy.
- The certificate will be shown in the main part of the modal.
- Click on the certificate's large icon in the main part of the modal. Drag the icon to your desktop. Chrome will then copy the certificate to your desktop.
automated
-servername was required for me to get the right cert from the virtual host on our server.
openssl s_client -showcerts -connect host.name.com:443 -servername host.name.com </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > host.name.com.pem
You may also convert to a certificate for desktop:
openssl x509 -inform PEM -in host.name.com.pem -outform DER -out host.name.com.cer
Last part is to add it to your certs; not sure on Windows.
For Mac keychain I used, should be similar...
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain host.name.com.cer
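An added example (not part of any answer here, and not code from OpenSSL or cURL): the file written by the sed pipeline holds every certificate the server sent, while `openssl x509` reads only the first one. This Python code splits `-showcerts` output into individual certificates and computes each SHA-256 fingerprint, the value to compare against one obtained from the certificate's owner before adding it to a trust store; the sample text, the names in it and the placeholder certificate bytes are constructed.

```python
import base64
import hashlib
import re

def pem_wrap(der: bytes) -> str:
    body = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

# Constructed stand-in for `openssl s_client -showcerts` output: the names are
# made up and the PEM bodies are placeholder bytes, not real certificates.
SAMPLE = "\n".join([
    "CONNECTED(00000003)",
    "---",
    "Certificate chain",
    " 0 s:CN = host.name.com",
    "   i:CN = Example Issuing CA",
    pem_wrap(b"leaf-placeholder" * 8),
    " 1 s:CN = Example Issuing CA",
    "   i:CN = Example Root CA",
    pem_wrap(b"issuer-placeholder" * 8),
    "---",
])

# One entry: "N s:<subject>", "i:<issuer>", optional detail lines, PEM block.
ENTRY = re.compile(
    r"^ *(\d+) s:(.*)\n +i:(.*)\n(?: +[a-z]:.*\n)*"
    r"-----BEGIN CERTIFICATE-----\n([\s\S]*?)\n-----END CERTIFICATE-----",
    re.M,
)

def split_chain(text: str) -> list:
    """Return one record per certificate in s_client -showcerts output."""
    chain = []
    for idx, subject, issuer, body in ENTRY.findall(text.replace("\r\n", "\n")):
        der = base64.b64decode(body)  # the PEM body is base64 of the DER bytes
        digest = hashlib.sha256(der).hexdigest().upper()
        chain.append({
            "index": int(idx),
            "subject": subject.strip(),
            "issuer": issuer.strip(),
            # DER hash, as `openssl x509 -noout -fingerprint -sha256` prints it.
            "sha256": ":".join(digest[i:i + 2] for i in range(0, 64, 2)),
            "pem": pem_wrap(der),
        })
    return chain

if __name__ == "__main__":
    for cert in split_chain(SAMPLE):
        print(cert["index"], cert["subject"], "<-", cert["issuer"])
        print("  SHA256 fingerprint:", cert["sha256"])
```

Each record's `pem` value can be written to its own file, so the certificate that gets imported is the one whose fingerprint was checked.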
This is gbroiles' answer, but I wanted to point out that the cURL project has a page with a few more details on using openssl to save the remote server's SSL certificate:
openssl s_client -connect {HOSTNAME}:{PORT} | tee logfile
- Type QUIT and press the Enter / Return key.
- The certificate will be listed between "BEGIN CERTIFICATE" and "END CERTIFICATE" markers.
If you want to see the data in the certificate, you can use:
openssl x509 -inform PEM -in certfile -text -out certdata
where certfile is the certificate extracted from logfile. Look in certdata.
This will give the results containing the certificates only
echo QUIT | \
openssl s_client -showcerts -connect hostname:port | \
awk '/-----BEGIN CERTIFICATE-----/ {p=1}; p; /-----END CERTIFICATE-----/ {p=0}'
Found a much easier way if on Windows. Tried Microsoft Edge (pre-chromium) and clicked on the lock in the address bar -> View certificate. Dialog pops up with an "Export to File" button, which saves it as a .crt file.
Not much I'd use Edge for, but this was a piece of cake.