Retrieving SSL Certificates from Servers

This might be common knowledge on the web development community but today I am going to show you a quick trick to retrieve SSL certificates off servers.

This should work out of the box on Linux machines. For macOS and Windows installing a recent version OpenSSL is needed.

Mac Install

macOS comes with OpenSSL, but it's a prehistorically deprecated version, so a newer one is required. Beware that this brew version of OpenSSL is keg-only, which means it will not be symlinked into /usr/local. You can either call it from its installation path or add it to your PATH.

Install a current OpenSSL on the Mac is with brew:

brew install openssl

To execute it without adding to your path use:

/usr/local/Cellar/openssl/<VERSION>/bin/openssl

Where <VERSION> is the current version installed. At the writing of this article that is 1.0.2s, so the command would be:

/usr/local/Cellar/openssl/1.0.2s/bin/openssl

Windows Install

Download the setup program and install it: https://sourceforge.net/projects/openssl/

Retrieve SSL Certificates

To read the SSL certificates off servers you could issue the following command:

openssl s_client -showcerts -servername <SERVER> -connect <SERVER>:<PORT> < /dev/null

Where <SERVER> is the domain name of the server you are retrieving the certificate from and <PORT> the connection port, usually 443.

So to obtain the certificate for this website you would issue this:

openssl s_client -showcerts -servername mteam7.com -connect mteam7.com:443 < /dev/null

Reply From the Server

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mteam7.com
verify return:1
---
Certificate chain
 0 s:/CN=mteam7.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFgzCCBGugAwIBAgISA9yN5crmT14jp7xxsmiFXTw0MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA2MDQyMTQ5MDdaFw0x
OTA5MDIyMTQ5MDdaMBUxEzARBgNVBAMTCm10ZWFtNy5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDIOMsh+SQgD28RjR0ZA63DS0DobiXmhVdsoj0Y
XN5T94A2/df/jT7DNlgI+omq73D0lh6SoKPQkSRPz3VIsIc1qlMKBkej2feO2+T0
OtkqTP1ST4Rrsqs8cVajeuJQxeAMLkDnLoa/cfzHDgssyKFcy/Von0ZL3vHPTnnt
NNo0EdYYltH94S02A6rtgFCBewQt7bTjPFr9S9187GuNzE+4WibGOvY/6j3Z+9C8
4/DpshiT8KLUx47+jqM74L+w2clwtA70wuDC5rOB/KJE1Zwp3uxmvmNMPlY31Y9h
B/Cv1RS/t5TUEacn+iWoIKvq6A8e/h321jFU0OVIStte30r/AgMBAAGjggKWMIIC
kjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFHM+usAfOGekBTsc+Q/wJ3vsK/ozMB8G
A1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMG8GCCsGAQUFBwEBBGMwYTAu
BggrBgEFBQcwAYYiaHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNyeXB0Lm9yZzAv
BggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9yZy8w
TAYDVR0RBEUwQ4IRbWFjaW1nLm10ZWFtNy5jb22CCm10ZWFtNy5jb22CEndlYm1h
aWwubXRlYW03LmNvbYIOd3d3Lm10ZWFtNy5jb20wTAYDVR0gBEUwQzAIBgZngQwB
AgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRz
ZW5jcnlwdC5vcmcwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgB0ftqDMa0zEJEh
nM4lT0Jwwr/9XkIgCMY3NXnmEHvMVgAAAWskro2QAAAEAwBHMEUCIQDc+Xhlm/Mj
ONsZB5Ge+5wzi47pkGiL+ahjCD7Sb11c1QIgLDp1QbkPQj3tLJsG51ltv9Q3iYc5
dZPTKwzzq/e47egAdgBj8tvN6DvMLM8LcoQnV2szpI1hd4+9daY4scdoVEvYjQAA
AWskro1TAAAEAwBHMEUCIQCdhN0Rt42xTy/lb7HF7anW6Zvf/U0qN3sqkG6xdZIF
mwIgCCMNk7sY58rvTq7RNszfSG1JCATuuyiJNQrh8af33dAwDQYJKoZIhvcNAQEL
BQADggEBACLPow5Z0gudGE42k/9HnF/4n2qEDN/BPdV+Xy/A3mTFQB4Wax6h9FZL
UgOuhknJZhjIJpMq7LvpIToFrsO86d3ZhB0DvgeguRZGe63oMgQKPrrJNg5PEmNh
UQtLuI4ZGgDlLKzTPtWRBa+bDzedIlnI5M38LmlQRG+APyqMKBMSmsE2paEG/we+
/CyW7Skyp7vA4JwnwLaQ3nJrsmtwRNBFSsbm/A04jQ9/yHO58Z8M+xXP49QfTNaL
yzR+vkaRw0ekTPCFgjxpj2AF+u4v9JGvGpVEA1jlAVoyt2wwmB77+66encrbN+rb
gPzMmohLQmgx6j3zmcUfCYuqr8InZdk=
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=mteam7.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3303 bytes and written 452 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 182E47CE260E83F35F2C1C2D436FAA491A9A72BBBCD2928AF7F9BF1AECBB0DF1
    Session-ID-ctx:
    Master-Key: A92B90ABA431D453C05D6FEC8B8575AD550E923815D1062CADFCABA9AFD55BFAC0EE5010110E7B9A335282AB3DFB6BBE
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 3a 51 bc 09 f9 84 27 5e-8e b4 c7 fa 9f f3 59 37   :Q....'^......Y7
    0010 - 62 33 55 e7 4e 2d 0d f7-45 5d a0 bf af c1 a3 34   b3U.N-..E].....4
    0020 - 13 ab e2 8c bf c8 2d da-0b 58 98 49 78 d7 ae 88   ......-..X.Ix...
    0030 - 74 e2 bb 78 0b 63 ae 65-6a 80 d2 4b 30 b8 25 11   t..x.c.ej..K0.%.
    0040 - fa 86 28 4a de dc 29 8a-ea 4e 80 74 6d 6b 2f 28   ..(J..)..N.tmk/(
    0050 - be dc f6 b2 78 c9 71 83-a5 0d ca 2c da ef 81 3a   ....x.q....,...:
    0060 - af aa a1 7c 5c 1d 14 87-0f a4 b9 5d 38 5f ce 2b   ...|\......]8_.+
    0070 - 64 68 f2 24 60 9d 46 5c-5e 87 4d 16 1e 3b d3 ca   dh.$`.F\^.M..;..
    0080 - f3 03 32 37 01 1c 23 b1-ea 04 39 3c 52 a7 1f 92   ..27..#...9aR...
    0090 - f1 c8 b5 8b 11 cb 6a 6b-98 ae f6 88 6e 60 f3 fd   ......jk....n`..
    00a0 - b7 7e 88 c3 e4 f2 6d aa-c4 5a de 1f 6c b6 28 8a   .~....m..Z..l.(.
    00b0 - d3 2f eb 42 ab 91 db d1-33 02 c7 48 63 71 d0 e5   ./.B....3..Hcq..
    00c0 - 67 67 22 2b b0 a6 51 00-12 22 c1 93 92 b9 8f 02   gg"+..Q.."......

    Start Time: 1565395712
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

The Certificate