How to save a remote server SSL certificate locally as a file

  • Kimvais

    I need to download an SSL certificate of a remote server (not HTTPS, but the SSL handshake should be the same as Google Chrome / IE / wget and curl all give certificate check fail errors) and add the certificate as trusted in my laptops Windows' certificate store since I am not able to get my IT guys to give me the CA cert.

    this is for office commnunicator so I cannot really use the actual client to get the cert.

    How do I do this, I have Windows 7 and a pile of Linuxes handy so any tool / scripting language is fine.

  • Answers
  • 8088

    If you have access to OpenSSL, try

    openssl s_client -connect {HOSTNAME}:{PORT} -showcerts

    replacing {HOSTNAME} and {PORT} with whatever your values are.

  • Robert Siemer

    To be honest, I have never tried this before (never needed to) however, I have just tried in Firefox and it seems to work for saving:

    1. Click on the SSL certificate icon at the top / Padlock at the bottom.
    2. Click View Certificate
    3. Click on the Details Tab
    4. Chose which certificate you want from the hierarchy [not circled in picture]
    5. Click Export

    alt text

  • elec3647

    A quick method to get the certificate pulled and downloaded would be to run the following command which pipes the output from the -showcerts to the x509 ssl command which just strips everything extraneous off. For example:

    openssl s_client -showcerts -connect </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem
  • Daniel Trebbien

    This is gbroiles' answer, but I wanted to point out that the cURL project has a page with a few more details on using openssl to save the remote server's SSL certificate:

    • openssl s_client -connect {HOSTNAME}:{PORT} | tee logfile
    • Type QUIT and press the Enter / Return key.
    • The certificate will be listed between "BEGIN CERTIFICATE" and "END CERTIFICATE" markers.
    • If you want to see the data in the certificate, you can use:

      openssl x509 -inform PEM -in certfile -text -out certdata

      where certfile is the certificate extracted from logfile. Look in certdata.

  • Related Question

    How to install a CA key (self signed SSL) on ubuntu?
  • bstpierre

    I have a bunch of machines that need to fetch https: off a server (or collection of servers). I'm operating a CA and self-signing the certificates on the server(s).

    The client machines are running ubuntu. Some of the fetches are via apt, some via wget.

    How do I install the CA's certificate on the clients so that all of its certs are recognized without warnings or errors? (Just the directory location is sufficient, I'll package it in an appropriate way.)


  • Related Answers
  • w4g3n3r

    Copying the *.pem file for your certification authority to /etc/ssl/certs/ should do the trick.

  • Jakob

    On Ubuntu 12.04 (precise), you have to drop the certificate file to /usr/local/share/ca-certificates and it has to end ".crt".

    Then run update-ca-certificates. It should tell you: "1 added, 0 removed; done."

    Note that unfortunately firefox does not honor the system installed certificates ( ). You can use wget or w3m, which do honor them, to test if the certificate works.

  • Fotis

    You'll have to copy the certificate of the root CA to the /etc/ssl/certs directory in PEM format. Then you must run the update-ca-certificates script which will add the certificate to the certificate bundle (/etc/ssl/certs/ca-certificates.crt) and make the symlink from the file to its hash value.

  • Thomas

    Not what you asked, but I recommend for certs. It's free but installed by default in all browsers. It is in more browsers than your self-signed cert though.