Using openssl to get the certificate from a server
Extracting Server Certificates with OpenSSL

Learn how to use the OpenSSL command-line tool to retrieve and inspect SSL/TLS certificates from remote servers, essential for security auditing and troubleshooting.
SSL/TLS certificates are fundamental to secure communication over the internet, verifying the identity of servers and encrypting data. When troubleshooting connectivity issues, auditing security configurations, or simply wanting to inspect a server's certificate details, openssl is an invaluable command-line tool. This article will guide you through the process of using openssl to connect to a remote server, retrieve its certificate, and display its contents.
Understanding the OpenSSL s_client Command
The openssl s_client command is designed to implement a generic SSL/TLS client that can connect to a remote host using SSL/TLS. It's commonly used for debugging SSL/TLS connections, but it also provides a powerful way to extract certificate information. When you connect to a server using s_client, it performs the SSL/TLS handshake, and during this process, the server sends its certificate chain to the client. We can then capture and process this information.
sequenceDiagram
participant Client
participant Server
Client->>Server: TCP Handshake (SYN, SYN-ACK, ACK)
Client->>Server: ClientHello (TLS version, cipher suites)
Server->>Client: ServerHello (chosen TLS version, cipher suite)
Server->>Client: Certificate (Server's public certificate)
Server->>Client: ServerKeyExchange (if needed)
Server->>Client: ServerHelloDone
Client->>Server: ClientKeyExchange (premaster secret)
Client->>Server: ChangeCipherSpec
Client->>Server: Encrypted Handshake Message
Server->>Client: ChangeCipherSpec
Server->>Client: Encrypted Handshake Message
Client-->>Server: Application Data (Encrypted)
Server-->>Client: Application Data (Encrypted)
Simplified TLS Handshake Process, highlighting Certificate Exchange
Retrieving a Server's Certificate
To retrieve a server's certificate, you'll use openssl s_client with a few key options. The most important option is -connect, which specifies the host and port; -showcerts additionally prints the whole certificate chain instead of just the server's own certificate. We'll also use -servername for Server Name Indication (SNI), which is crucial for servers hosting multiple SSL certificates on a single IP address.
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -text -noout
Basic command to retrieve and display a server's certificate.
The echo | part sends an empty line to s_client's standard input so that it closes the connection immediately after the handshake, instead of waiting for user input. 2>/dev/null redirects standard error to /dev/null to suppress verbose connection information, leaving only the certificate output.
Breaking Down the Command and Options
Let's dissect the command used to understand each component:
openssl s_client: Initiates an SSL/TLS client connection.
-servername example.com: Specifies the hostname for SNI. This is vital for servers that host multiple domains with different certificates on the same IP address. Replace example.com with your target domain.
-connect example.com:443: Defines the target host and port. Port 443 is the standard for HTTPS. Replace example.com with your target domain.
2>/dev/null: Redirects error output (like connection details) to /dev/null, keeping the output clean.
| openssl x509 -text -noout: Pipes the raw certificate output from s_client to openssl x509. The x509 utility is used for X.509 certificate display and manipulation. -text displays the certificate in human-readable text format, and -noout prevents the output of the encoded (PEM) version of the certificate.
1. Identify Target
Determine the hostname (e.g., www.google.com) and port (usually 443) of the server whose certificate you want to retrieve.
2. Execute Command
Open your terminal and run the openssl command, replacing yourdomain.com with your target hostname:
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -text -noout
3. Review Output
Examine the output. You will see details like the certificate's Subject, Issuer, Validity period, Public Key information, Signature Algorithm, and X509v3 extensions (e.g., Subject Alternative Names, Key Usage).
4. Save Certificate (Optional)
If you need to save the certificate to a file, remove the | openssl x509 -text -noout part and redirect the output to a file. Then, you can process the file later:
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null > server.cert
openssl x509 -in server.cert -text -noout
openssl x509 -text -noout only parses the first PEM block it reads, so this shows the leaf certificate (the server's own certificate). If you want to see the entire certificate chain (including intermediate and root certificates), run openssl s_client with -showcerts, omit the | openssl x509 -text -noout part, and extract each certificate block (every BEGIN CERTIFICATE ... END CERTIFICATE pair) from the output separately.
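The following is an added example, not code from the original article: a small POSIX shell helper that splits saved openssl s_client -showcerts output into one PEM file per certificate and then summarises each one with openssl x509 (subject, issuer, expiry, and an expired-certificate warning). The file-name prefix chain- and the file chain.txt are arbitrary names chosen here.

```shell
#!/bin/sh
# Added example (not from the original article). Splits the output of
# `openssl s_client -showcerts` into chain-0.pem, chain-1.pem, ... (leaf first,
# in the order s_client prints them) and summarises each certificate.

# split_chain FILE PREFIX
# Copies every "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
# block of FILE into PREFIX<n>.pem and prints how many blocks were found.
split_chain() {
    awk -v prefix="$2" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { out = prefix n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/   { close(out); inside = 0; n++ }
        END { print n }
    ' "$1"
}

# summarize_chain PREFIX COUNT
# Prints subject, issuer and expiry date for each extracted certificate and
# warns when one has already expired (-checkend 0 exits non-zero in that case).
summarize_chain() {
    i=0
    while [ "$i" -lt "$2" ]; do
        f="$1$i.pem"
        echo "== certificate $i ($f)"
        openssl x509 -in "$f" -noout -subject -issuer -enddate
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
            echo "   WARNING: this certificate has already expired"
        fi
        i=$((i + 1))
    done
}

# Typical use against a live server (not executed here):
#   echo | openssl s_client -servername yourdomain.com \
#       -connect yourdomain.com:443 -showcerts 2>/dev/null > chain.txt
#   n=$(split_chain chain.txt chain-)
#   summarize_chain chain- "$n"
```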