View and Export a remote server/host certificate chain using OpenSSL



Command to view the certificate chain presented by the remote host


openssl s_client -host vcd.vcloud.local -port 443 -prexit -showcerts

Sample output (because of -prexit, s_client prints the chain and session details a second time when it exits, so the same block appears twice below; in this run the two dumps differ only in the handshake byte counts):

[root@vcd91 logs]# openssl s_client -host vcd.vcloud.local -port 443 -prexit -showcerts
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = localhost
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
-----BEGIN CERTIFICATE-----
MIIDJzCCAg+gAwIBAgIIGCO6ARMqzPcwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UE
AxMJbG9jYWxob3N0MB4XDTE4MDQxMjE2MjYxNFoXDTE5MDQxMjE2MjYxNFowFDES
MBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAqH8MhOvLYUXi9KnbykTclmMFMWyJsHH5mDu7uJBOF8flWIxBmyGjAseGYkw9
6D0zmEqJCseC0u1oNXyb1HH1rWHtwUmCtOwg/dVIOSaTVet8DjbhgjoTSU31lMll
.
.
.
.
.
.

zYpAgY6lonBKyjDUiRp//XkXiZjLyJZQfRXYEjrFt79EJ8/boQllFhHJlJaBGxt7
RoQTgc20b2gqalSwypb+xRhJeMYO7ZGEokNzq19FjDWKfog+Mt+OaDhpia29MR/2
An86du7h4oApMv4SlsOKw1dZ9Agv4vp68NN+3EZ8M9eAhjGIWlqBEnMSpmrNuPOx
NI6cdCzo3iPNgFlEYbehLttxziak1GNzCyehf0xCffia5rb/JZGcnM1CNPSIKFHK
puaHXKqEAGXvXC1WoYem21B6TsYg1FE+fHRLcm4HS0Mu2z4zgkq2dCujjA==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
---
SSL handshake has read 986 bytes and written 631 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Session-ID: 5C9AE4DB020DBFDCA5091C2E34179A5CBF93BC829A60AC0F52551E3DDA1CAEA5
    Session-ID-ctx:
    Master-Key: 8A72DA9FCB1580033DFB35ABDBAEBB33AC73DCDCD43312EAB9DE47929696CAA48DA8526530E61B8B35DBC9775557F921
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1553655003
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
-----BEGIN CERTIFICATE-----
MIIDJzCCAg+gAwIBAgIIGCO6ARMqzPcwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UE
AxMJbG9jYWxob3N0MB4XDTE4MDQxMjE2MjYxNFoXDTE5MDQxMjE2MjYxNFowFDES
MBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAqH8MhOvLYUXi9KnbykTclmMFMWyJsHH5mDu7uJBOF8flWIxBmyGjAseGYkw9
6D0zmEqJCseC0u1oNXyb1HH1rWHtwUmCtOwg/dVIOSaTVet8DjbhgjoTSU31lMll
.
.
.
.
.
.

An86du7h4oApMv4SlsOKw1dZ9Agv4vp68NN+3EZ8M9eAhjGIWlqBEnMSpmrNuPOx
NI6cdCzo3iPNgFlEYbehLttxziak1GNzCyehf0xCffia5rb/JZGcnM1CNPSIKFHK
puaHXKqEAGXvXC1WoYem21B6TsYg1FE+fHRLcm4HS0Mu2z4zgkq2dCujjA==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
---
SSL handshake has read 1039 bytes and written 684 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Session-ID: 5C9AE4DB020DBFDCA5091C2E34179A5CBF93BC829A60AC0F52551E3DDA1CAEA5
    Session-ID-ctx:
    Master-Key: 8A72DA9FCB1580033DFB35ABDBAEBB33AC73DCDCD43312EAB9DE47929696CAA48DA8526530E61B8B35DBC9775557F921
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1553655003
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Command to export the certificate chain of the remote host to a file

echo -n | openssl s_client -showcerts -connect vcd.vcloud.local:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/cert.pem

The above command creates a PEM file named cert.pem in /tmp containing every certificate the remote host sent, in the order it sent them (the server certificate first, then any intermediates; servers normally do not send the root itself). The echo -n on the left closes s_client's stdin so it exits as soon as the handshake is done, and sed keeps only the lines between the BEGIN and END CERTIFICATE markers. In the sample above the server presented a self-signed certificate (subject and issuer are both CN=localhost), which is why s_client reports verify errors 20 and 21; the export still works, since the chain is captured as sent regardless of whether it verifies. If the host serves several names from one address, add -servername vcd.vcloud.local so SNI selects the right certificate.
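To make the exported chain easier to check, the following script, added here and not part of the original post, splits an s_client -showcerts transcript into one PEM file per certificate and, when the openssl binary is available, prints each certificate's subject, issuer, validity and SHA-256 fingerprint and verifies the leaf against the rest of the chain. The transcript embedded in it is constructed, with placeholder bodies instead of real certificates, so the splitter can be exercised offline; the host name in the usage comment is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original post): split an s_client -showcerts
# transcript into one PEM file per certificate so every link in the chain can
# be inspected and the chain verified. POSIX sh + awk only; the openssl binary
# is needed only by describe_chain.

# split_chain DIR: read s_client output on stdin, write each PEM block to
# DIR/cert-N.pem (N from 0, in the order the server sent them, so cert-0 is the
# server certificate) and print the number of certificates written.
split_chain() {
    outdir="$1"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        BEGIN { n = 0; inblock = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > f }
        /-----END CERTIFICATE-----/   { close(f); inblock = 0; n++ }
        END { print n }
    '
}

# describe_chain DIR: show subject, issuer, validity and SHA-256 fingerprint of
# every exported certificate, then check whether cert-0 chains to a root in the
# local trust store using the remaining certificates as untrusted intermediates.
# Requires openssl; the constructed sample below will NOT pass this step.
describe_chain() {
    dir="$1"
    for pem in "$dir"/cert-*.pem; do
        echo "== $pem"
        openssl x509 -in "$pem" -noout -subject -issuer -dates -fingerprint -sha256
    done
    if [ -f "$dir/cert-1.pem" ]; then
        cat "$dir"/cert-[1-9]*.pem > "$dir/intermediates.pem"
        openssl verify -untrusted "$dir/intermediates.pem" "$dir/cert-0.pem"
    else
        openssl verify "$dir/cert-0.pem"
    fi
}

# Constructed sample of s_client -showcerts output: two placeholder PEM blocks
# (NOT real certificates) plus the surrounding chatter s_client prints, to show
# that only the PEM blocks survive and that they land in separate files.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=example-intermediate
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER
-----END CERTIFICATE-----
 1 s:/CN=example-intermediate
   i:/CN=example-root
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=localhost
issuer=/CN=example-intermediate
---'

# Offline demonstration on the constructed sample.
demo_dir=$(mktemp -d)
count=$(printf '%s\n' "$SAMPLE_OUTPUT" | split_chain "$demo_dir")
echo "exported $count certificate(s) to $demo_dir"

# Real-world usage against the host from the post (-servername sets SNI so a
# virtual host returns the right certificate; stdin from /dev/null makes
# s_client exit after the handshake):
#   openssl s_client -connect vcd.vcloud.local:443 -servername vcd.vcloud.local \
#       -showcerts </dev/null 2>/dev/null | split_chain /tmp/chain
#   describe_chain /tmp/chain
```

Keeping one file per certificate is what lets openssl verify be given the server certificate and the intermediates separately; a chain that "verifies" only because the server certificate file also contains the root is a common false positive when everything is concatenated into a single file.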



Good luck! Cheers :) 