OpenSSL: Extract root certificate from certificate chain?
Solution 1
openssl s_client shows you only the certificate chain sent by the client. This chain usually does not include the root certificate itself. Instead the root certificate is only contained in the local trust store and is not sent by the server. As far as I know there is no built-in way to get the root certificate for a connection using the openssl command line.
Solution 2
It wouldn't make sense for the web server to send the root certificate and the browser should ignore it if it is sent (it MUST be in the local store). If it's an intermediate CA certificate then you'd retrieve it the way you're already using.
Mike Stan
Updated on September 18, 2022
Comments
-
Mike Stan almost 2 years
I am fetching a certificate chain with
openssl s_client -showcerts -connect host.whatever:443 </dev/null
In addition to that I would like to extract the root certificate from the chain programmatically in the format
-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----
Does anybody know of a functionality that is capable of that and already ships with OpenSSL?
-
Mike Stan almost 8 years
Some chains also include the root certificate. I'll edit my question
-
Steffen Ullrich almost 8 years
@MikeStan: yes, misconfigurations happen. Some servers also send certificates which do not belong to the chain at all, and some send them in the wrong order. Apart from that it would be nice to not change the focus of the original question too much like you did (i.e. from root to x-th). If you want to just extract the x-th certificate, this can probably be done with a small perl or python script, but it's not included in the openssl command either.
-
Mike Stan almost 8 years
Kk, yeah you are right, otherwise your answer wouldn't make sense anymore, got it. I changed it back. Thanks, I'll look into that.
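Added example, not part of the original thread: a small Python script of the kind the comments mention, which splits `openssl s_client -showcerts` output into its sent certificates, returns the x-th one, and reports a self-issued (subject equals issuer) certificate only if the server actually sent one. The function names, the constructed sample output and its placeholder certificate bodies are assumptions made for illustration.

```python
import re

# One chain entry as printed by `openssl s_client -showcerts`:
ENTRY_RE = re.compile(
    r"^ *(\d+) s:([^\n]*)\n +i:([^\n]*)\n"   # "<n> s:<subject>" then "   i:<issuer>"
    r"(?: +[av]:[^\n]*\n)*"                   # extra a:/v: lines printed by OpenSSL 3.x
    r"(-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----)",
    re.M | re.S)

def parse_showcerts(text):
    """Return the certificates the server sent, in the order it sent them."""
    text = text.replace("\r\n", "\n")
    return [{"index": int(n), "subject": s.strip(), "issuer": i.strip(), "pem": pem + "\n"}
            for n, s, i, pem in ENTRY_RE.findall(text)]

def nth_certificate(text, n):
    """PEM of the n-th sent certificate (0 = leaf), or None if the chain is shorter."""
    return next((c["pem"] for c in parse_showcerts(text) if c["index"] == n), None)

def sent_root(text):
    """PEM of a sent certificate whose subject equals its issuer, or None.

    None is the normal case: servers usually leave the root out. A match is only
    a name comparison of s_client's output; it does not verify the signature or
    show that the certificate is in the local trust store.
    """
    return next((c["pem"] for c in parse_showcerts(text)
                 if c["subject"] == c["issuer"]), None)

def fake_entry(i, subject, issuer):
    # Constructed sample entry; the body is a placeholder, not a real certificate.
    return (f"{i:2d} s:{subject}\n   i:{issuer}\n-----BEGIN CERTIFICATE-----\n"
            f"PLACEHOLDERBODY{i}\n-----END CERTIFICATE-----\n")

# Constructed s_client output for a server that also sends its root.
SAMPLE = ("CONNECTED(00000003)\n---\nCertificate chain\n"
          + fake_entry(0, "CN = host.whatever", "CN = Constructed Intermediate CA")
          + fake_entry(1, "CN = Constructed Intermediate CA", "CN = Constructed Root CA")
          + fake_entry(2, "CN = Constructed Root CA", "CN = Constructed Root CA")
          + "---\nServer certificate\nsubject=CN = host.whatever\n")

if __name__ == "__main__":
    import sys
    # Pass "-" to read real s_client output from stdin; otherwise use the sample.
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    print(sent_root(data) or "no self-issued certificate in the sent chain")
```

Run with `-` as the only argument to parse real `s_client -showcerts` output piped on stdin; a returned block should still be compared against the local trust store before it is treated as a trusted root.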