
I am fetching a certificate chain with openssl s_client -showcerts -connect host.whatever:443 </dev/null.

In addition to that I would like to extract the root certificate from the chain programmatically in the format -----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----

Does anybody know of a functionality that is capable of that and already ships with OpenSSL?

Mike Stan

2 Answers


openssl s_client shows you only the certificate chain sent by the client. This chain usually does not include the root certificate itself. Instead the root certificate is only contained in the local trust store and is not sent by the server. As far as I know there is no built-in way to get the root certificate for a connection using the openssl command line.

Steffen Ullrich
  • Some chains also include the root certificate. I'll edit my question – Mike Stan Sep 05 '16 at 11:20
  • @MikeStan: yes, misconfigurations happen. Some servers also send certificates which do not belong to the chain at all, and some send them in the wrong order. Apart from that it would be nice to not change the focus of the original question too much like you did (i.e. from root to x-th). If you want to just extract the x-th certificate this probably can be done with a small perl or python script, but it's not included in the openssl command either. – Steffen Ullrich Sep 05 '16 at 11:25
  • Kk, yeah you are right, otherwise your answer wouldn't make sense anymore, got it. I changed it back. Thanks, I will look into that – Mike Stan Sep 05 '16 at 11:34
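The "small python script" the comment above refers to, as an added example that is not part of the original question or answers: it splits the `-showcerts` output into its PEM blocks and, with a minimal DER reader, compares the raw issuer and subject Name fields of each certificate to flag any self-signed (root) certificate the server happened to send. It uses only the standard library. The `s_client` transcript and the certificates inside it are constructed in the block for offline testing and are not real certificates; real output from `openssl s_client -showcerts` can be fed to `extract_pem_chain` in their place.

```python
"""Extract PEM certificates from `openssl s_client -showcerts` output and
flag self-signed (root) entries.

Added example for this thread, not code from the original posts. Standard
library only. The sample transcript and certificates below are constructed
for offline testing; they are not real certificates."""
import base64
import re
import textwrap

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def extract_pem_chain(s_client_output):
    """Return every PEM certificate block, in the order the server sent them."""
    return PEM_BLOCK.findall(s_client_output)


def _pem_to_der(pem):
    """Drop the BEGIN/END lines and base64-decode the body."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def subject_and_issuer(pem):
    """Return (subject, issuer) as the raw DER contents of the two Name fields."""
    _, cert, _ = _read_tlv(_pem_to_der(pem), 0)     # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                   # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, value, pos = _read_tlv(tbs, pos)
        fields.append((tag, value))
    if fields[0][0] == 0xA0:                         # optional EXPLICIT [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[4][1], fields[2][1]


def _common_name(name_der):
    """First CN (OID 2.5.4.3) in a Name, for display only."""
    pos = 0
    while pos < len(name_der):
        _, rdn, pos = _read_tlv(name_der, pos)       # RelativeDistinguishedName ::= SET
        _, atv, _ = _read_tlv(rdn, 0)                # AttributeTypeAndValue ::= SEQUENCE
        _, oid, p = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, p)
        if oid == b"\x55\x04\x03":
            return value.decode("utf-8", "replace")
    return None


def describe(pem):
    """(subject CN, issuer CN) of one PEM certificate."""
    subject, issuer = subject_and_issuer(pem)
    return _common_name(subject), _common_name(issuer)


def find_self_signed(pems):
    """Indices of chain entries whose subject equals their issuer (root candidates).

    Equal Names only mean self-issued; no signature is checked here, and the trust
    decision still belongs to the local trust store, as the answer says."""
    return [i for i, pem in enumerate(pems)
            if subject_and_issuer(pem)[0] == subject_and_issuer(pem)[1]]


# --- constructed sample input (not real certificates) -----------------------

def _tlv(tag, body):
    """DER-encode one TLV (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String cn } } }"""
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def _fake_cert(subject_cn, issuer_cn):
    """Syntactically valid X.509 v3 skeleton with dummy key and signature bits."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    rsa_key = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),                # version v3
        _tlv(0x02, b"\x01"),                            # serialNumber
        sha256_rsa,                                     # signature algorithm
        _name(issuer_cn),                               # issuer
        _tlv(0x30, _tlv(0x17, b"160905000000Z") * 2),  # validity (UTCTime x2)
        _name(subject_cn),                              # subject
        _tlv(0x30, rsa_key + _tlv(0x03, b"\x00")),      # subjectPublicKeyInfo
    ]))
    der = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----"


_CHAIN = [("host.whatever", "Example Intermediate"),
          ("Example Intermediate", "Example Root"),
          ("Example Root", "Example Root")]             # root sent, as the asker saw

SAMPLE_S_CLIENT_OUTPUT = "CONNECTED(00000003)\n---\nCertificate chain\n" + "".join(
    f" {i} s:CN = {s}\n   i:CN = {iss}\n{_fake_cert(s, iss)}\n"
    for i, (s, iss) in enumerate(_CHAIN)) + "---\nServer certificate\n"

if __name__ == "__main__":
    chain = extract_pem_chain(SAMPLE_S_CLIENT_OUTPUT)
    for idx, cert in enumerate(chain):
        print(idx, describe(cert))
    print("self-signed entries:", find_self_signed(chain))
```

On a live host, pipe `openssl s_client -showcerts -connect host.whatever:443 </dev/null 2>/dev/null` into `extract_pem_chain`; an empty result from `find_self_signed` is the normal case, since a correctly configured server omits the root.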

It wouldn't make sense for the web server to send the root certificate and the browser should ignore it if it is sent (it MUST be in the local store). If it's an intermediate CA certificate then you'd retrieve it the way you're already using.

melds