Openssl: Extract root certificate from certificate chain?

Solution 1

openssl s_client shows you only the certificate chain sent by the client. This chain usually does not include the root certificate itself. Instead the root certificate is only contained in the local trust store and is not sent by the server. As far as I know there is no built-in way to get the root certificate for a connection using the openssl command line.

Solution 2

It wouldn't make sense for the web server to send the root certificate and the browser should ignore it if it is sent (it MUST be in the local store). If it's an intermediate CA certificate then you'd retrieve it the way you're already using.

Mike Stan
Author by

Mike Stan

Updated on September 18, 2022

Comments

  • Mike Stan
    Mike Stan almost 2 years

    I am fetching a certificate chain with openssl s_client -showcerts -connect host.whatever:443 </dev/null.

    In addition to that I would like to extract the root certificate from the chain programmatically in the format -----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----

    Does anybody know of a functionality that is capable of that and already ships with OpenSSL?

  • Mike Stan
    Mike Stan almost 8 years
    Some chains also include the root certificate. I'll edit my question
  • Steffen Ullrich
    Steffen Ullrich almost 8 years
    @MikeStan: yes, misconfigurations happen. Some servers also send certificates which do not belong to the chain at all and some send them in the wrong order. Apart from that it would be nice to not change the focus of the original question too much like you did (i.e. from root to x-th). If you want to just extract the x-th certificate this probably can be done with a small Perl or Python script, but it's not included in the openssl command either.
  • Mike Stan
    Mike Stan almost 8 years
    Kk, yeah you are right otherwise your answer wouldn't make sense anymore, got it. I changed it back. Thanks, I'll look into that
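
Added example (not part of the original answers or comments): a small Python script of the kind mentioned in the comments. It splits `openssl s_client -showcerts` output into its certificates and returns the x-th one, or any self-signed one the server happened to send. The sample output, the CA names and the function names are constructed for illustration, and the base64 bodies are placeholders rather than real certificates.

```python
import re
import sys

# Constructed sample of `openssl s_client -showcerts` output (placeholder base64 bodies).
SAMPLE = """\
Certificate chain
 0 s:CN = host.whatever
   i:C = XX, O = Example CA, CN = Example Intermediate
-----BEGIN CERTIFICATE-----
TGVhZiBwbGFjZWhvbGRlcg==
-----END CERTIFICATE-----
 1 s:C = XX, O = Example CA, CN = Example Intermediate
   i:C = XX, O = Example CA, CN = Example Root
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
-----BEGIN CERTIFICATE-----
SW50ZXJtZWRpYXRlIHBsYWNlaG9sZGVy
-----END CERTIFICATE-----
 2 s:C = XX, O = Example CA, CN = Example Root
   i:C = XX, O = Example CA, CN = Example Root
-----BEGIN CERTIFICATE-----
Um9vdCBwbGFjZWhvbGRlcg==
-----END CERTIFICATE-----
"""

# One chain entry: "N s:<subject>", "i:<issuer>", optional extra lines, then the PEM block.
ENTRY = re.compile(
    r"^ *(\d+) s:([^\n]*)\n"
    r" +i:([^\n]*)\n"
    r"(?: +[a-z]:[^\n]*\n)*"
    r"(-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+/=\n]+?-----END CERTIFICATE-----)",
    re.MULTILINE,
)

def parse_chain(text):
    """Return [(index, subject, issuer, pem), ...] in the order the server sent them."""
    return [(int(n), s.strip(), i.strip(), pem) for n, s, i, pem in ENTRY.findall(text)]

def nth_certificate(text, n):
    """PEM of the certificate printed with index n, or None if the server sent fewer."""
    return next((pem for idx, _, _, pem in parse_chain(text) if idx == n), None)

def self_signed_candidates(text):
    """PEM blocks whose subject equals their issuer; empty when no root was sent."""
    # subject == issuer only means self-issued. Whether it is a trusted root is
    # decided by the local trust store, never by its presence in the sent chain.
    return [pem for _, subj, issuer, pem in parse_chain(text) if subj == issuer]

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(self_signed_candidates(text)) or "no self-signed certificate sent")
```

Piping the s_client output from the question into the script prints the self-signed certificate only if the server included one; for a typical chain the result is empty, as the answers explain.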