OpenSSL CLI commands to fetch server certificates.

---
title: Use OpenSSL to get server certificate
author: Stack Overflow
date: January 1, 2012
source: https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server
notoc: false
---

## With SNI

If the remote server is using SNI (that is, sharing multiple SSL hosts on a
single IP address) you will need to send the correct hostname in order to get
the right certificate.

```bash
openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null
```

If you get an error similar to `xxx:error:xxx:BIO routines:BIO_lookup_ex:system lib:crypto/bio/bio_addr.c:758:nodename nor servname provided, or not known connect:errno=0`
(a name-resolution failure), run the same command without `www`, as the domain may not serve that hostname.

You may also get _Secure Renegotiation IS NOT supported_ behind a corporate
firewall, in which case a temporary (but dangerous) workaround is to add the
`-legacy_renegotiation` option to the above command.

## Without SNI

If the remote server is not using SNI, then you can skip the `-servername` parameter:

```bash
openssl s_client -showcerts -connect www.example.com:443 </dev/null
```

To view the full details of a site's certificate (decoded fields followed by the PEM block) you can use this pipeline as well:

```bash
echo | openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | openssl x509 -text
```

## Extra

A one-liner to extract the certificate from a remote server in PEM format,
this time using sed:

```bash
openssl s_client -connect www.google.com:443 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
```

The easiest command line for this is the one below: it produces the PEM output
you need to add the certificate to a key store, plus a human-readable decode,
and it sends the SNI name, which matters when you are working with an HTTP server:

```bash
openssl s_client -servername example.com -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -text
```
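
As an added example (my own script, not from the Stack Overflow thread), the following POSIX sh wraps the `-showcerts` command from the SNI section, splits every certificate the server presents into its own PEM file (`cert-0.pem` is the leaf, in server order) and prints subject, issuer and expiry for each with `openssl x509`, which is the quick check you want before trusting or pinning a chain. The function names `fetch_chain` and `split_chain` and the output directory layout are my assumptions.

```shell
#!/bin/sh
# Assumed helper names (fetch_chain, split_chain) and file layout are not
# from the original page. Requires the openssl CLI and awk.
set -eu

# fetch_chain HOST [PORT]: the page's s_client command with SNI; stdin is
# /dev/null so s_client exits as soon as the handshake completes.
fetch_chain() {
    host=$1; port=${2:-443}
    openssl s_client -showcerts -servername "$host" -connect "$host:$port" \
        </dev/null 2>/dev/null
}

# split_chain OUTDIR: reads s_client output on stdin, writes cert-0.pem
# (leaf), cert-1.pem, ... in server order, prints one summary line per
# certificate and finally the number of certificates found.
split_chain() {
    outdir=$1
    mkdir -p "$outdir"
    # Copy each BEGIN..END CERTIFICATE block into its own numbered file.
    n=$(awk -v dir="$outdir" '
        BEGIN { i = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" i ".pem"; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { close(f); inside = 0; i++ }
        END { print i + 0 }')
    i=0
    while [ "$i" -lt "$n" ]; do
        f="$outdir/cert-$i.pem"
        printf '%s: ' "$f"
        # -noout suppresses the PEM echo; -enddate is the notAfter a monitor cares about
        openssl x509 -in "$f" -noout -subject -issuer -enddate | tr '\n' ' '
        echo
        i=$((i + 1))
    done
    echo "$n"
}

# Usage (needs network): fetch_chain www.example.com | split_chain ./chain
```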