Using openssl to get the certificate from a server
I am trying to get the certificate of a remote server, which I can then use to add to my keystore and use within my java application.
A senior dev (who is on holidays :( ) informed me I can run this:
openssl s_client -connect host.host:9999
To get a raw certificate dumped out, which I can then copy and export. I receive the following output:
depth=1 /C=NZ/ST=Test State or Province/O=Organization Name/OU=Organizational Unit Name/CN=Test CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
23177:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40
23177:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
I have also tried with this option
-showcerts
and this one (running on debian mind you)
-CApath /etc/ssl/certs/
But get the same error.
This source says I can use that CApath flag but it doesn't seem to help. I tried multiple paths to no avail.
Please let me know where I'm going wrong.
Answer
With SNI
If the remote server is using SNI (that is, sharing multiple SSL hosts on a single IP address) you will need to send the correct hostname in order to get the right certificate.
openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null
Without SNI
If the remote server is not using SNI, then you can skip -servername parameter:
openssl s_client -showcerts -connect www.example.com:443 </dev/null
To view the full details of a site's cert you can use this chain of commands as well:
$ echo | \
openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | \
openssl x509 -text