Didier Stevens

Sunday 23 December 2007

Quickpost: Retrieving an SSL Certificate

Filed under: Encryption,Quickpost — Didier Stevens @ 9:37

I recently had to inspect the SSL certificate of an e-mail provider (secure POP connection). Here is a quick HOWTO using the Google Mail website as an example.

Issue this command on a box with openssl:

openssl s_client -connect mail.google.com:443 > google

Then cancel the command with CTRL-C.

A base64 representation of the web site’s certificate will be included in the output you redirected to the google file.

To inspect the certificate with openssl, use this command:

openssl x509 -in google -text


Or convert it to a certificate in DER format and open it on a Windows box:

openssl x509 -in google -outform DER -out google.der
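
The steps above as one non-interactive script, added here as an example and not part of the original post: stdin is redirected from /dev/null so s_client exits on its own after the handshake, and only the PEM block is saved. The function names, the .pem/.der output file names and the use of -servername (SNI) are choices of this example.

```shell
#!/bin/sh
# Added example: scripted version of the retrieve / inspect / convert steps.
# Function and file names are this example's own, not from the original post.

# Print only the first PEM certificate block found on stdin (the server's own
# certificate in s_client output), dropping the handshake text around it.
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on { print }
         /-----END CERTIFICATE-----/ { if (on) exit }'
}

# Connect and save the certificate. EOF on stdin makes s_client quit without
# CTRL-C; -servername sends SNI so virtual hosts return the right certificate.
fetch_cert() {
    host=$1 port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        extract_pem
}

# Summarise a PEM certificate: names, validity window, SHA-256 fingerprint.
inspect_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Runs only when a host is given, e.g.: ./getcert.sh mail.google.com 443
if [ "$#" -ge 1 ]; then
    out="$1.pem"
    fetch_cert "$@" > "$out"
    # An empty file means the connection or handshake failed.
    [ -s "$out" ] || { echo "no certificate received from $1" >&2; exit 1; }
    inspect_cert "$out"
    # DER copy for opening on a Windows box, as in the post.
    openssl x509 -in "$out" -outform DER -out "$1.der"
fi
```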


5 Comments »

  1. If you want to script this and avoid the ctrl-c action try this alternative invocation:

    timeout --kill-after=10s 5s openssl s_client -connect example.com:443 > example

    The timeout command is part of GNU coreutils so it should be available on any reasonably modern Linux distro.

    Comment by Trey Darley — Tuesday 14 February 2012 @ 17:42

  2. […] one is pretty easy, and really straight forward (with the help of Didier Stevens’ quickpost) […]

    Pingback by Download & Install a SSL Cert into a Java keystore with keytool | put things down — Tuesday 20 March 2012 @ 22:47

  3. @1: Redirecting /dev/null to stdin works just as well on POSIX systems, no need to involve GNUisms.

    Comment by Henrik — Monday 13 May 2013 @ 13:03

  4. Here’s a handy way to do this in ruby: http://findingscience.com/ruby/ssl/2013/01/13/reading-an-ssl-cert-in-ruby.html

    Comment by Anonymous — Sunday 8 September 2013 @ 1:00

  5. […] One of my first quickposts, more than 10 years ago, was a howto: using openssl to retrieve the certificate of a web site. […]

    Pingback by Quickpost: Retrieving an SSL Certificate with nmap | Didier Stevens — Sunday 19 May 2019 @ 8:28

