Using openssl to get the certificate from a server
While I agree with Ari's answer (and upvoted it :), I needed to do an extra step to get it to work with Java on Windows (where it needed to be deployed):
openssl s_client -showcerts -connect www.example.com:443 < /dev/null | openssl x509 -outform DER > derp.der
Before adding the openssl x509 -outform DER
conversion, I was getting an error from keytool on Windows complaining about the certificate's format. Importing the .der file worked fine.
It turns out there is more complexity here: I needed to provide many more details to get this rolling. I think its something to do with the fact that its a connection that needs client authentication, and the hankshake needed more info to continue to the stage where the certificates were dumped.
Here is my working command:
openssl s_client -connect host:port -key our_private_key.pem -showcerts \
-cert our_server-signed_cert.pem
Hopefully this is a nudge in the right direction for anyone who could do with some more info.
A one-liner to extract the certificate from a remote server in PEM format, this time using sed
:
openssl s_client -connect www.google.com:443 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
With SNI
If the remote server is using SNI (that is, sharing multiple SSL hosts on a single IP address) you will need to send the correct hostname in order to get the right certificate.
openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null
Without SNI
If the remote server is not using SNI, then you can skip -servername
parameter:
openssl s_client -showcerts -connect www.example.com:443 </dev/null
To view the full details of a site's cert you can use this chain of commands as well:
$ echo | \
openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | \
openssl x509 -text