I recently had to inspect the SSL certificate of an e-mail provider (secure POP connection). Here is a quick HOWTO using the Google Mail website as an example.
Issue this command on a box with openssl:
openssl s_client -connect mail.google.com:443 > google
Then cancel the command with CTRL-C.
A base64 representation of the web site’s certificate will be included in the output you redirected to the google file:
To inspect the certificate with openssl, use this command:
openssl x509 -in google -text
Or convert it to a certificate in DER format and open it on a Windows box:
openssl x509 -in google -outform DER -out google.der
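The same steps as a script, given here as an added example that is not part of the original post: stdin is redirected from /dev/null so s_client sees EOF and exits without CTRL-C, and only the first PEM block (the server's own certificate) is kept from the output. The function names extract_pem, fetch_cert and save_cert are made up for this example.

```shell
#!/bin/sh
# Added example: non-interactive version of the manual steps above.

# extract_pem: read s_client output on stdin and print only the first
# PEM certificate block, dropping the handshake text around it.
extract_pem() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inside = 1 }
        inside { print }
        /^-----END CERTIFICATE-----/ { if (inside) exit }
    '
}

# fetch_cert HOST [PORT]: print the server certificate in PEM form.
# -servername sends SNI so name-based hosts return the right certificate.
fetch_cert() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | extract_pem
}

# save_cert HOST [PORT]: write HOST.pem and HOST.der, then print a summary.
# Fails if the connection produced no certificate.
save_cert() {
    host=$1
    pem=$(fetch_cert "$@")
    case $pem in
        *"-----END CERTIFICATE-----"*) ;;
        *) echo "no certificate received from $host" >&2; return 1 ;;
    esac
    printf '%s\n' "$pem" > "$host.pem"
    openssl x509 -in "$host.pem" -outform DER -out "$host.der"
    # Who the certificate is for, who issued it, and its validity dates.
    openssl x509 -in "$host.pem" -noout -subject -issuer -dates
}

# Run only when a host is given on the command line.
if [ "$#" -ge 1 ]; then
    save_cert "$@"
fi
```

Saved as a file and run with a host name (and optionally a port, for example 995 for secure POP), it leaves HOST.pem and HOST.der in the current directory.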
If you want to script this and avoid the ctrl-c action try this alternative invocation:
timeout --kill-after=10s 5s openssl s_client -connect example.com:443 > example
The timeout command is part of GNU coreutils so it should be available on any reasonably modern Linux distro.
Comment by Trey Darley — Tuesday 14 February 2012 @ 17:42
[…] one is pretty easy, and really straight forward (with the help of Didier Stevens’ quickpost) […]
Pingback by Download & Install a SSL Cert into a Java keystore with keytool | put things down — Tuesday 20 March 2012 @ 22:47
@1: Redirecting /dev/null to stdin works just as well on posix systems, no need to involve gnuisms.
Comment by Henrik — Monday 13 May 2013 @ 13:03
Here’s a handy way to do this in ruby: http://findingscience.com/ruby/ssl/2013/01/13/reading-an-ssl-cert-in-ruby.html
Comment by Anonymous — Sunday 8 September 2013 @ 1:00
[…] One of my first quickposts, more than 10 years ago, was an howto: using openssl to retrieve the certificate of a web site. […]
Pingback by Quickpost: Retrieving an SSL Certificate with nmap | Didier Stevens — Sunday 19 May 2019 @ 8:28