View and Export a remote server/host certificate chain using OpenSSL

Command to view the certificate of the remote host: 

openssl s_client -host vcd.vcloud.local -port 443 -prexit -showcerts

The sample output : 

[root@vcd91 logs]# openssl s_client -host vcd.vcloud.local -port 443 -prexit -showcerts

CONNECTED(00000003)

depth=0 CN = localhost

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 CN = localhost

verify error:num=21:unable to verify the first certificate

verify return:1

---

Certificate chain

 CN=localhost

 CN=localhost

-----BEGIN CERTIFICATE-----

MIIDJzCCAg+gAwIBAgIIGCO6ARMqzPcwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UE

AxMJbG9jYWxob3N0MB4XDTE4MDQxMjE2MjYxNFoXDTE5MDQxMjE2MjYxNFowFDES

MBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC

AQEAqH8MhOvLYUXi9KnbykTclmMFMWyJsHH5mDu7uJBOF8flWIxBmyGjAseGYkw9

6D0zmEqJCseC0u1oNXyb1HH1rWHtwUmCtOwg/dVIOSaTVet8DjbhgjoTSU31lMll

.

.

.

.

.

.

zYpAgY6lonBKyjDUiRp//XkXiZjLyJZQfRXYEjrFt79EJ8/boQllFhHJlJaBGxt7

RoQTgc20b2gqalSwypb+xRhJeMYO7ZGEokNzq19FjDWKfog+Mt+OaDhpia29MR/2

An86du7h4oApMv4SlsOKw1dZ9Agv4vp68NN+3EZ8M9eAhjGIWlqBEnMSpmrNuPOx

NI6cdCzo3iPNgFlEYbehLttxziak1GNzCyehf0xCffia5rb/JZGcnM1CNPSIKFHK

puaHXKqEAGXvXC1WoYem21B6TsYg1FE+fHRLcm4HS0Mu2z4zgkq2dCujjA==

-----END CERTIFICATE-----

---

Server certificate

subject=/CN=localhost

issuer=/CN=localhost

---

No client certificate CA names sent

---

SSL handshake has read 986 bytes and written 631 bytes

---

New, TLSv1/SSLv3, Cipher is AES256-SHA

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : AES256-SHA

    Session-ID: 5C9AE4DB020DBFDCA5091C2E34179A5CBF93BC829A60AC0F52551E3DDA1CAEA5

    Session-ID-ctx:

    Master-Key: 8A72DA9FCB1580033DFB35ABDBAEBB33AC73DCDCD43312EAB9DE47929696CAA48DA8526530E61B8B35DBC9775557F921

    Key-Arg   : None

    Krb5 Principal: None

    PSK identity: None

    PSK identity hint: None

    Start Time: 1553655003

    Timeout   : 300 (sec)

    Verify return code: 21 (unable to verify the first certificate)

---

---

Certificate chain

 0 s:/CN=localhost

   i:/CN=localhost

-----BEGIN CERTIFICATE-----

MIIDJzCCAg+gAwIBAgIIGCO6ARMqzPcwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UE

AxMJbG9jYWxob3N0MB4XDTE4MDQxMjE2MjYxNFoXDTE5MDQxMjE2MjYxNFowFDES

MBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC

AQEAqH8MhOvLYUXi9KnbykTclmMFMWyJsHH5mDu7uJBOF8flWIxBmyGjAseGYkw9

6D0zmEqJCseC0u1oNXyb1HH1rWHtwUmCtOwg/dVIOSaTVet8DjbhgjoTSU31lMll

.

.

.

.

.

.

An86du7h4oApMv4SlsOKw1dZ9Agv4vp68NN+3EZ8M9eAhjGIWlqBEnMSpmrNuPOx

NI6cdCzo3iPNgFlEYbehLttxziak1GNzCyehf0xCffia5rb/JZGcnM1CNPSIKFHK

puaHXKqEAGXvXC1WoYem21B6TsYg1FE+fHRLcm4HS0Mu2z4zgkq2dCujjA==

-----END CERTIFICATE-----

---

Server certificate

subject=/CN=localhost

issuer=/CN=localhost

---

No client certificate CA names sent

---

SSL handshake has read 1039 bytes and written 684 bytes

---

New, TLSv1/SSLv3, Cipher is AES256-SHA

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : AES256-SHA

    Session-ID: 5C9AE4DB020DBFDCA5091C2E34179A5CBF93BC829A60AC0F52551E3DDA1CAEA5

    Session-ID-ctx:

    Master-Key: 8A72DA9FCB1580033DFB35ABDBAEBB33AC73DCDCD43312EAB9DE47929696CAA48DA8526530E61B8B35DBC9775557F921

    Key-Arg   : None

    Krb5 Principal: None

    PSK identity: None

    PSK identity hint: None

    Start Time: 1553655003

    Timeout   : 300 (sec)

    Verify return code: 21 (unable to verify the first certificate)

---

Command to view the certificate of the remote host: 

echo -n | openssl s_client -showcerts -connect vcd.vcloud.local:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/cert.pem

The above command will create a .PEM file in /tmp directory named cert.pem which will include the complete certificate chain of the remote host. 

Good luck! Cheers :)