OpenSSL: Get all certificates from a website in plain text - JohnHau/mis GitHub Wiki

This snippet shows you how to get all certificates of a website in plain text. With a few OpenSSL commands one can get the website certificate plus intermediate certificates, however, if you feed that output to OpenSSL it only works on the first certificate. Using a bit of sed and bash magic we can feed all certificates one by one to OpenSSL.

Website certificate You can request a website's certificate using openssl s_client. To view the public key from google.com we can use the following command:

openssl s_client -connect google.com:443 </dev/null It will output a bunch of text, including the certificate, protocol and connection information and a part of the chain. If we just want the certificate we can use the following command:

openssl s_client -connect google.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' This will output only the public key.

Plain text If we feed that output into openssl again, we can output the certificate information in plain text:

openssl s_client -connect google.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -text This is all the information about a certificate:

Certificate: Data: Version: 3 (0x2) Serial Number: 66:79:66:fc:e2:c7:d0:2d Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2 Validity Not Before: Jan 15 14:34:20 2014 GMT Not After : May 15 00:00:00 2014 GMT Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a3:cb:4e:db:d1:59:dc:13:b2:89:1d:d0:31:2c: fb:f2:b2:55:a8:76:3c:d3:2b:00:f8:87:e6:b0:80: af:8f:46:ed:d8:35:72:1e:d0:55:26:a4:09:7e:71: b4:6b:28:df:c4:54:b3:17:5f:31:77:d1:a2:eb:2a: f4:e5:7c:5e:7c:2a:3d:39:b3:56:64:bf:65:45:86: ef:e1:b4:94:7b:df:6e:b9:e9:c7:ef:b0:12:b8:31: 54:58:a9:39:bd:33:8f:df:53:76:da:49:ae:bf:5e: f3:e7:f3:2f:6a:e5:9e:d9:fd:58:99:45:f7:a0:6f: 23:6e:88:8f:1d:3e:c3:50:28:a1:d6:ba:a6:56:50: f4:c0:a9:73:37:96:75:42:5b:2f:65:18:54:17:fa: 51:f7:74:f2:59:18:dc:e4:33:fb:88:d5:60:e4:7e: f7:65:57:02:fd:8d:f6:e3:74:53:c5:27:30:ec:85: b0:db:43:f0:1f:af:e5:c1:f5:c7:06:8b:11:a8:20: 50:df:98:72:b7:4b:0f:73:e7:d9:7a:b8:3d:51:e7: bc:d2:0f:12:27:d0:e2:f6:2e:0a:a9:c1:78:df:d6: d1:5f:59:9f:a2:44:ef:7c:24:ca:b9:f8:7e:fe:c2: 84:66:f7:f8:9d:41:19:42:61:90:52:5c:68:33:b8: b6:61 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Subject Alternative Name: DNS:.google.com, DNS:.android.com, DNS:.appengine.google.com, DNS:.cloud.google.com, DNS:.google-analytics.com, DNS:.google.ca, DNS:.google.cl, DNS:.google.co.in, DNS:.google.co.jp, DNS:.google.co.uk, DNS:.google.com.ar, DNS:.google.com.au, DNS:.google.com.br, DNS:.google.com.co, DNS:.google.com.mx, DNS:.google.com.tr, DNS:.google.com.vn, DNS:.google.de, DNS:.google.es, DNS:.google.fr, DNS:.google.hu, DNS:.google.it, DNS:.google.nl, DNS:.google.pl, DNS:.google.pt, DNS:.googleapis.cn, DNS:.googlecommerce.com, DNS:.googlevideo.com, DNS:.gstatic.com, DNS:.urchin.com, DNS:.url.google.com, DNS:.youtube-nocookie.com, DNS:.youtube.com, DNS:.youtubeeducation.com, DNS:*.ytimg.com, DNS:android.com, DNS:g.co, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlecommerce.com, DNS:urchin.com, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com Authority Information Access: CA Issuers - URI:http://pki.google.com/GIAG2.crt OCSP - URI:http://clients1.google.com/ocsp

        X509v3 Subject Key Identifier:
            61:54:7B:A4:44:E8:68:E2:D3:0D:CC:77:D4:29:35:3B:58:23:60:B3
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Authority Key Identifier:
            keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F

        X509v3 Certificate Policies:
            Policy: 1.3.6.1.4.1.11129.2.5.1

        X509v3 CRL Distribution Points:

            Full Name:
              URI:http://pki.google.com/GIAG2.crl

Signature Algorithm: sha1WithRSAEncryption
     6f:7b:07:5c:59:ce:7d:52:b3:bc:26:c7:7c:e8:6e:32:aa:fc:
     3e:67:0a:51:1c:4b:6e:bb:7d:69:eb:fc:7a:02:76:59:bf:86:
     97:50:ed:bd:ec:88:7c:d3:a0:a3:a6:27:fe:a0:21:55:76:da:
     1b:7c:22:82:1e:31:73:d3:25:33:2d:72:de:63:36:18:50:9e:
     49:bf:e3:78:c7:b4:33:38:b7:f8:10:93:a0:fa:5d:a7:4d:78:
     48:74:7f:dd:c6:aa:8f:eb:26:de:e3:6b:4f:4b:c7:3a:0c:b7:
     4c:c3:a9:bf:2b:46:b8:50:37:0b:05:e5:92:e4:9c:f3:36:bb:
     f1:75:ad:20:31:99:1e:3d:83:6e:e1:dd:13:67:1a:2a:f7:c6:
     e1:1d:4d:c4:4f:f8:e0:88:c5:3e:17:8b:15:5e:71:3d:69:99:
     56:ba:fb:7f:07:d6:33:0a:d0:27:aa:9d:ce:77:a9:af:a1:93:
     10:8c:27:48:1a:1f:62:48:04:8f:64:51:6d:52:e9:60:6d:a9:
     98:7b:43:d6:cc:66:69:65:40:d6:57:ff:06:f5:73:59:8f:1b:
     87:9b:36:5b:41:06:4a:5e:25:69:bb:f0:70:49:72:0b:d8:67:
     7b:ed:d4:b3:c8:79:c8:58:5e:f3:f1:f5:98:fa:80:03:d3:7d:
     8a:d0:c8:76

Multiple certificates Using the -showcerts option of s_client we can show all certificates the website sends, including the issuing and intermediate certificates:

openssl s_client -connect google.com:443 -showcerts 2>&1 < /dev/null If we want to receive those certificates without all the other output we can use the same sed trick as before:

openssl s_client -connect google.com:443 -showcerts 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' However, if we feed that into openssl again to receive the plain text output we only get output for the first certificate:

openssl s_client -connect google.com:443 -showcerts 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -text According to the OpenSSL documentation the x509 option only supports one certificate at a time. Using the following one liner we:

Set the Internal Field Separator to a colon (:). Get all the certificates for google.com in a variable named certificates. We use a group of sed commands to first print the certificates, then we substitute the beginning of the -----BEGIN line with a colon (:) and then the original ----BEGIN line resulting in :-----BEGIN. We do a for loop on all certificates in the output, split by a colon (:). We feed those one by one to OpenSSL We change the Internal Field Seperator back to what it was. OLDIFS=$IFS; IFS=':' certificates=$(openssl s_client -connect google.com:443 -showcerts -tlsextdebug -tls1 2>&1 </dev/null | sed -n '/-----BEGIN/,/-----END/ {/-----BEGIN/ s/^/:/; p}'); for certificate in ${certificates#:}; do echo $certificate | openssl x509 -noout -text; done; IFS=$OLDIFS

Do note that you need the GNU version of sed. The OS X or BSD version will not work.

The output are all certificates in text format:

        X509v3 Subject Key Identifier:
            61:54:7B:A4:44:E8:68:E2:D3:0D:CC:77:D4:29:35:3B:58:23:60:B3
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Authority Key Identifier:
            keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F

        X509v3 Certificate Policies:
            Policy: 1.3.6.1.4.1.11129.2.5.1

        X509v3 CRL Distribution Points:

            Full Name:
              URI:http://pki.google.com/GIAG2.crl

Signature Algorithm: sha1WithRSAEncryption
     6f:7b:07:5c:59:ce:7d:52:b3:bc:26:c7:7c:e8:6e:32:aa:fc:
     3e:67:0a:51:1c:4b:6e:bb:7d:69:eb:fc:7a:02:76:59:bf:86:
     97:50:ed:bd:ec:88:7c:d3:a0:a3:a6:27:fe:a0:21:55:76:da:
     1b:7c:22:82:1e:31:73:d3:25:33:2d:72:de:63:36:18:50:9e:
     49:bf:e3:78:c7:b4:33:38:b7:f8:10:93:a0:fa:5d:a7:4d:78:
     48:74:7f:dd:c6:aa:8f:eb:26:de:e3:6b:4f:4b:c7:3a:0c:b7:
     4c:c3:a9:bf:2b:46:b8:50:37:0b:05:e5:92:e4:9c:f3:36:bb:
     f1:75:ad:20:31:99:1e:3d:83:6e:e1:dd:13:67:1a:2a:f7:c6:
     e1:1d:4d:c4:4f:f8:e0:88:c5:3e:17:8b:15:5e:71:3d:69:99:
     56:ba:fb:7f:07:d6:33:0a:d0:27:aa:9d:ce:77:a9:af:a1:93:
     10:8c:27:48:1a:1f:62:48:04:8f:64:51:6d:52:e9:60:6d:a9:
     98:7b:43:d6:cc:66:69:65:40:d6:57:ff:06:f5:73:59:8f:1b:
     87:9b:36:5b:41:06:4a:5e:25:69:bb:f0:70:49:72:0b:d8:67:
     7b:ed:d4:b3:c8:79:c8:58:5e:f3:f1:f5:98:fa:80:03:d3:7d:
     8a:d0:c8:76

Certificate: Data: Version: 3 (0x2) Serial Number: 146025 (0x23a69) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA Validity Not Before: Apr 5 15:15:55 2013 GMT Not After : Apr 4 15:15:55 2015 GMT Subject: C=US, O=Google Inc, CN=Google Internet Authority G2 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:9c:2a:04:77:5c:d8:50:91:3a:06:a3:82:e0:d8: 50:48:bc:89:3f:f1:19:70:1a:88:46:7e:e0:8f:c5: f1:89:ce:21:ee:5a:fe:61:0d:b7:32:44:89:a0:74: 0b:53:4f:55:a4:ce:82:62:95:ee:eb:59:5f:c6:e1: 05:80:12:c4:5e:94:3f:bc:5b:48:38:f4:53:f7:24: e6:fb:91:e9:15:c4:cf:f4:53:0d:f4:4a:fc:9f:54: de:7d:be:a0:6b:6f:87:c0:d0:50:1f:28:30:03:40: da:08:73:51:6c:7f:ff:3a:3c:a7:37:06:8e:bd:4b: 11:04:eb:7d:24:de:e6:f9:fc:31:71:fb:94:d5:60: f3:2e:4a:af:42:d2:cb:ea:c4:6a:1a:b2:cc:53:dd: 15:4b:8b:1f:c8:19:61:1f:cd:9d:a8:3e:63:2b:84: 35:69:65:84:c8:19:c5:46:22:f8:53:95:be:e3:80: 4a:10:c6:2a:ec:ba:97:20:11:c7:39:99:10:04:a0: f0:61:7a:95:25:8c:4e:52:75:e2:b6:ed:08:ca:14: fc:ce:22:6a:b3:4e:cf:46:03:97:97:03:7e:c0:b1: de:7b:af:45:33:cf:ba:3e:71:b7:de:f4:25:25:c2: 0d:35:89:9d:9d:fb:0e:11:79:89:1e:37:c5:af:8e: 72:69 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E

        X509v3 Subject Key Identifier:
            4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        X509v3 CRL Distribution Points:

            Full Name:
              URI:http://crl.geotrust.com/crls/gtglobal.crl

        Authority Information Access:
            OCSP - URI:http://gtglobal-ocsp.geotrust.com

        X509v3 Certificate Policies:
            Policy: 1.3.6.1.4.1.11129.2.5.1

Signature Algorithm: sha1WithRSAEncryption
     36:d7:06:80:11:27:ad:2a:14:9b:38:77:b3:23:a0:75:58:bb:
     b1:7e:83:42:ba:72:da:1e:d8:8e:36:06:97:e0:f0:95:3b:37:
     fd:1b:42:58:fe:22:c8:6b:bd:38:5e:d1:3b:25:6e:12:eb:5e:
     67:76:46:40:90:da:14:c8:78:0d:ed:95:66:da:8e:86:6f:80:
     a1:ba:56:32:95:86:dc:dc:6a:ca:04:8c:5b:7f:f6:bf:cc:6f:
     85:03:58:c3:68:51:13:cd:fd:c8:f7:79:3d:99:35:f0:56:a3:
     bd:e0:59:ed:4f:44:09:a3:9e:38:7a:f6:46:d1:1d:12:9d:4f:
     be:d0:40:fc:55:fe:06:5e:3c:da:1c:56:bd:96:51:7b:6f:57:
     2a:db:a2:aa:96:dc:8c:74:c2:95:be:f0:6e:95:13:ff:17:f0:
     3c:ac:b2:10:8d:cc:73:fb:e8:8f:02:c6:f0:fb:33:b3:95:3b:
     e3:c2:cb:68:58:73:db:a8:24:62:3b:06:35:9d:0d:a9:33:bd:
     78:03:90:2e:4c:78:5d:50:3a:81:d4:ee:a0:c8:70:38:dc:b2:
     f9:67:fa:87:40:5d:61:c0:51:8f:6b:83:6b:cd:05:3a:ca:e1:
     a7:05:78:fc:ca:da:94:d0:2c:08:3d:7e:16:79:c8:a0:50:20:
     24:54:33:71

Certificate: Data: Version: 3 (0x2) Serial Number: 1227750 (0x12bbe6) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority Validity Not Before: May 21 04:00:00 2002 GMT Not After : Aug 21 04:00:00 2018 GMT Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:da:cc:18:63:30:fd:f4:17:23:1a:56:7e:5b:df: 3c:6c:38:e4:71:b7:78:91:d4:bc:a1:d8:4c:f8:a8: 43:b6:03:e9:4d:21:07:08:88:da:58:2f:66:39:29: bd:05:78:8b:9d:38:e8:05:b7:6a:7e:71:a4:e6:c4: 60:a6:b0:ef:80:e4:89:28:0f:9e:25:d6:ed:83:f3: ad:a6:91:c7:98:c9:42:18:35:14:9d:ad:98:46:92: 2e:4f:ca:f1:87:43:c1:16:95:57:2d:50:ef:89:2d: 80:7a:57:ad:f2:ee:5f:6b:d2:00:8d:b9:14:f8:14: 15:35:d9:c0:46:a3:7b:72:c8:91:bf:c9:55:2b:cd: d0:97:3e:9c:26:64:cc:df:ce:83:19:71:ca:4e:e6: d4:d5:7b:a9:19:cd:55:de:c8:ec:d2:5e:38:53:e5: 5c:4f:8c:2d:fe:50:23:36:fc:66:e6:cb:8e:a4:39: 19:00:b7:95:02:39:91:0b:0e:fe:38:2e:d1:1d:05: 9a:f6:4d:3e:6f:0f:07:1d:af:2c:1e:8f:60:39:e2: fa:36:53:13:39:d4:5e:26:2b:db:3d:a8:14:bd:32: eb:18:03:28:52:04:71:e5:ab:33:3d:e1:38:bb:07: 36:84:62:9c:79:ea:16:30:f4:5f:c0:2b:e8:71:6b: e4:f9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

        X509v3 Subject Key Identifier:
            C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        X509v3 CRL Distribution Points:

            Full Name:
              URI:http://crl.geotrust.com/crls/secureca.crl

        X509v3 Certificate Policies:
            Policy: X509v3 Any Policy
              CPS: https://www.geotrust.com/resources/repository

Signature Algorithm: sha1WithRSAEncryption
     76:e1:12:6e:4e:4b:16:12:86:30:06:b2:81:08:cf:f0:08:c7:
     c7:71:7e:66:ee:c2:ed:d4:3b:1f:ff:f0:f0:c8:4e:d6:43:38:
     b0:b9:30:7d:18:d0:55:83:a2:6a:cb:36:11:9c:e8:48:66:a3:
     6d:7f:b8:13:d4:47:fe:8b:5a:5c:73:fc:ae:d9:1b:32:19:38:
     ab:97:34:14:aa:96:d2:eb:a3:1c:14:08:49:b6:bb:e5:91:ef:
     83:36:eb:1d:56:6f:ca:da:bc:73:63:90:e4:7f:7b:3e:22:cb:
     3d:07:ed:5f:38:74:9c:e3:03:50:4e:a1:af:98:ee:61:f2:84:
     3f:12

Other certificate information You can also retrieve for example the OCSP URL of all certificates:

OLDIFS=$IFS; IFS=':' certificates=$(openssl s_client -connect google.com:443 -showcerts -tlsextdebug -tls1 2>&1 </dev/null | sed -n '/-----BEGIN/,/-----END/ {/-----BEGIN/ s/^/:/; p}'); for certificate in ${certificates#:}; do echo $certificate | openssl x509 -noout -ocsp_uri; done; IFS=$OLDIFS Output:

http://clients1.google.com/ocsp http://gtglobal-ocsp.geotrust.com Serial Numbers:

serial=667966FCE2C7D02D serial=023A69 serial=12BBE6 The subject in the certificates:

subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com subject= /C=US/O=Google Inc/CN=Google Internet Authority G2 subject= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA All the fingerprints:

subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com SHA1 Fingerprint=99:00:2C:A4:91:BC:53:D7:53:75:B1:8B:F9:24:55:26:4B:69:A4:34 subject= /C=US/O=Google Inc/CN=Google Internet Authority G2 SHA1 Fingerprint=D8:3C:1A:7F:4D:04:46:BB:20:81:B8:1A:16:70:F8:18:34:51:CA:24 subject= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA SHA1 Fingerprint=73:59:75:5C:6D:F9:A0:AB:C3:06:0B:CE:36:95:64:C8:EC:45:42:A3