Obtaining the certificate from a website
Extracting SSL certificates from websites can be crucial for verifying server identities and securing communications.
This guide walks you through using OpenSSL to retrieve certificates directly from the command line, helping you understand the security measures of websites you interact with.
Knowing how to extract SSL certificates allows you to:
- Verify the authenticity of a website’s SSL/TLS certificate.
- Check certificate details such as issuer, expiration date, and subject.
The openssl tool
For this you'll need the OpenSSL command-line tool, which offers a set of tools for the SSL and TLS protocols.
Below are some operations that can be performed. We'll assume the domain of your site is stored in the $site shell variable. You can set this variable before running the one-liners, as below.
```sh
site=example.com
```
Fetching information
If you only need to see the information without actually downloading the certificate (such as checking the validity period, the CN, or what the root CA is), you can do that with the one-liner below.
```sh
echo | openssl s_client -servername "$site" -connect "${site}:443" 2>/dev/null | openssl x509 -text -noout
```
Download certificate in PEM format
PEM is a common format for handling certificates. Below is a one-liner that retrieves the certificate into a file.
```sh
echo | openssl s_client -servername "$site" -connect "${site}:443" 2>/dev/null | openssl x509 -outform PEM > "${site}.crt"
```
You can later examine the certificate file using openssl as well:
```sh
openssl x509 -in "${site}.crt" -text -noout
```
Download whole certificate chain
If you want the whole chain of certificates (concatenated one after another), use the command below.
```sh
echo | openssl s_client -showcerts -servername "$site" -connect "${site}:443" 2>/dev/null | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "${site}-chain.pem"
```
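`openssl x509` reads only the first certificate in a file, so running it on the chain file shows just the leaf. The following is an added example, not part of the original guide: it splits a PEM bundle and prints subject, issuer and expiry for every certificate, flagging any that expire within 30 days. The function names `chain_summary` and `make_demo_chain` are hypothetical, and the demo input is two constructed throwaway self-signed certificates rather than a real chain.

```sh
# Print subject, issuer and end date for every certificate in a PEM bundle
# such as "${site}-chain.pem". Returns non-zero if the bundle has no certs.
chain_summary() {
    bundle=$1
    split_dir=$(mktemp -d) || return 1
    # Write each BEGIN..END block to its own numbered file.
    awk -v dir="$split_dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for cert in "$split_dir"/cert*.pem; do
        # An unmatched glob stays literal: no certificates were found.
        [ -e "$cert" ] || { rm -rf "$split_dir"; return 1; }
        openssl x509 -in "$cert" -noout -subject -issuer -enddate
        # -checkend N exits non-zero if the cert expires within N seconds.
        if ! openssl x509 -in "$cert" -noout -checkend $((30*24*3600)) >/dev/null; then
            echo "WARNING: expires within 30 days"
        fi
        echo
    done
    rm -rf "$split_dir"
}

# Constructed sample input: two unrelated self-signed certificates
# (valid for 1 day and 365 days) concatenated into the file named by $1.
make_demo_chain() {
    demo_dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$demo_dir/k1" \
        -out "$demo_dir/c1" -subj "/CN=short.test" -days 1 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$demo_dir/k2" \
        -out "$demo_dir/c2" -subj "/CN=long.test" -days 365 2>/dev/null &&
    cat "$demo_dir/c1" "$demo_dir/c2" > "$1"
    rc=$?
    rm -rf "$demo_dir"
    return $rc
}
```

Against a downloaded chain, call it as `chain_summary "${site}-chain.pem"`.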