View and Export a remote server/host certificate chain using OpenSSL
Command to view the certificate of the remote host:
openssl s_client -host vcd.vcloud.local -port 443 -prexit -showcerts
Sample output:
[root@vcd91 logs]# openssl s_client -host vcd.vcloud.local -port 443 -prexit -showcerts
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = localhost
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
-----BEGIN CERTIFICATE-----
MIIDJzCCAg+gAwIBAgIIGCO6ARMqzPcwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UE
AxMJbG9jYWxob3N0MB4XDTE4MDQxMjE2MjYxNFoXDTE5MDQxMjE2MjYxNFowFDES
MBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAqH8MhOvLYUXi9KnbykTclmMFMWyJsHH5mDu7uJBOF8flWIxBmyGjAseGYkw9
6D0zmEqJCseC0u1oNXyb1HH1rWHtwUmCtOwg/dVIOSaTVet8DjbhgjoTSU31lMll
.
.
.
.
.
.
zYpAgY6lonBKyjDUiRp//XkXiZjLyJZQfRXYEjrFt79EJ8/boQllFhHJlJaBGxt7
RoQTgc20b2gqalSwypb+xRhJeMYO7ZGEokNzq19FjDWKfog+Mt+OaDhpia29MR/2
An86du7h4oApMv4SlsOKw1dZ9Agv4vp68NN+3EZ8M9eAhjGIWlqBEnMSpmrNuPOx
NI6cdCzo3iPNgFlEYbehLttxziak1GNzCyehf0xCffia5rb/JZGcnM1CNPSIKFHK
puaHXKqEAGXvXC1WoYem21B6TsYg1FE+fHRLcm4HS0Mu2z4zgkq2dCujjA==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
---
SSL handshake has read 986 bytes and written 631 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-SHA
Session-ID: 5C9AE4DB020DBFDCA5091C2E34179A5CBF93BC829A60AC0F52551E3DDA1CAEA5
Session-ID-ctx:
Master-Key: 8A72DA9FCB1580033DFB35ABDBAEBB33AC73DCDCD43312EAB9DE47929696CAA48DA8526530E61B8B35DBC9775557F921
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1553655003
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
---
Certificate chain
0 s:/CN=localhost
i:/CN=localhost
-----BEGIN CERTIFICATE-----
MIIDJzCCAg+gAwIBAgIIGCO6ARMqzPcwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UE
AxMJbG9jYWxob3N0MB4XDTE4MDQxMjE2MjYxNFoXDTE5MDQxMjE2MjYxNFowFDES
MBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAqH8MhOvLYUXi9KnbykTclmMFMWyJsHH5mDu7uJBOF8flWIxBmyGjAseGYkw9
6D0zmEqJCseC0u1oNXyb1HH1rWHtwUmCtOwg/dVIOSaTVet8DjbhgjoTSU31lMll
.
.
.
.
.
.
An86du7h4oApMv4SlsOKw1dZ9Agv4vp68NN+3EZ8M9eAhjGIWlqBEnMSpmrNuPOx
NI6cdCzo3iPNgFlEYbehLttxziak1GNzCyehf0xCffia5rb/JZGcnM1CNPSIKFHK
puaHXKqEAGXvXC1WoYem21B6TsYg1FE+fHRLcm4HS0Mu2z4zgkq2dCujjA==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
---
SSL handshake has read 1039 bytes and written 684 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-SHA
Session-ID: 5C9AE4DB020DBFDCA5091C2E34179A5CBF93BC829A60AC0F52551E3DDA1CAEA5
Session-ID-ctx:
Master-Key: 8A72DA9FCB1580033DFB35ABDBAEBB33AC73DCDCD43312EAB9DE47929696CAA48DA8526530E61B8B35DBC9775557F921
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1553655003
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
Command to export the certificate chain of the remote host to a file:
echo -n | openssl s_client -showcerts -connect vcd.vcloud.local:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/cert.pem
The above command creates a PEM file named cert.pem in the /tmp directory, containing the complete certificate chain as sent by the remote host.
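Note that openssl x509 -in /tmp/cert.pem reads only the first certificate in a bundle, so inspecting the whole exported chain means splitting it first. The script below is an added example, not part of the original post; the function names split_chain and summarize_chain are illustrative, and when run without an argument it generates a throwaway self-signed certificate as constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original post): per-certificate summary of a PEM
# bundle such as the /tmp/cert.pem written by the export command above.

# split_chain BUNDLE OUTDIR: write OUTDIR/cert-0.pem, cert-1.pem, ... and print
# the count. Anything outside BEGIN/END CERTIFICATE markers is ignored.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%d.pem", dir, n++) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# summarize_chain BUNDLE: print subject, issuer, validity and SHA-256 fingerprint
# for every certificate, in the order the server sent them.
summarize_chain() {
    dir=$(mktemp -d) || return 1
    count=$(split_chain "$1" "$dir")
    i=0
    while [ "$i" -lt "$count" ]; do
        f="$dir/cert-$i.pem"
        echo "--- certificate $i ---"
        openssl x509 -in "$f" -noout -subject -issuer -dates -fingerprint -sha256
        # Matching name hashes mean subject == issuer, as with CN=localhost above.
        if [ "$(openssl x509 -in "$f" -noout -subject_hash)" = \
             "$(openssl x509 -in "$f" -noout -issuer_hash)" ]; then
            echo "note: self-issued (subject and issuer are the same name)"
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# With an argument, summarize that bundle. Without one, build a constructed sample:
# a throwaway self-signed CN=localhost certificate, repeated to mimic a bundle.
if [ "$#" -ge 1 ]; then
    summarize_chain "$1"
elif command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    if openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$tmp/key.pem" -out "$tmp/one.pem" 2>/dev/null; then
        cat "$tmp/one.pem" "$tmp/one.pem" > "$tmp/bundle.pem"
        summarize_chain "$tmp/bundle.pem"
    fi
    rm -rf "$tmp"
fi
```

Run it as sh inspect-chain.sh /tmp/cert.pem (the script file name is hypothetical) to summarize the exported chain.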
Good luck! Cheers :)