OpenSSL CLI commands to fetch server certificates.
---
title: Use OpenSSL to get server certificate
author: Stack Overflow
date: January 1, 2012
source: https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server
notoc: false
---
## With SNI
If the remote server is using SNI (that is, sharing multiple SSL hosts on a
single IP address) you will need to send the correct hostname in order to get
the right certificate.
```bash
openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null
```
If you get an error similar to `xxx:error:xxx:BIO routines:BIO_lookup_ex:system lib:crypto/bio/bio_addr.c:758:nodename nor servname provided, or not known connect:errno=0`,
the hostname did not resolve; run the same command without the `www` prefix, as the domain may not support it.
You may also get _Secure Renegotiation IS NOT supported_ behind a corporate
firewall, in which case a temporary (but dangerous) workaround is to add the
`-legacy_renegotiation` parameter to the above command.
## Without SNI
If the remote server is not using SNI, then you can skip the `-servername` parameter:
```bash
openssl s_client -showcerts -connect www.example.com:443 </dev/null
```
To view the full details of a site's certificate, you can also use this chain of commands:
```bash
echo | openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | openssl x509 -text
```
## Extra
A one-liner to extract the certificate from a remote server in PEM format,
this time using sed:
```bash
openssl s_client -connect www.google.com:443 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
```
The easiest command line for this supports SNI, which is important if you are
working with an HTTP server, and prints both the PEM output (to add to the
keystore) and a human-readable dump:
```bash
openssl s_client -servername example.com -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -text
```
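The sed one-liner above keeps the PEM blocks in a single stream. As an added example (not part of the original answer), this script splits the whole chain printed by `-showcerts` into one file per certificate and prints the subject, issuer, expiry and SHA-256 fingerprint of each. The function names and the `cert-N.pem` file naming are assumptions of this example.

```bash
#!/bin/sh
# Added example (constructed): split an `openssl s_client -showcerts` chain
# into one PEM file per certificate, then summarise each file.

# split_pem_chain OUTDIR
# Reads s_client output on stdin, writes OUTDIR/cert-1.pem (leaf),
# cert-2.pem, ... and prints the number of certificates written.
split_pem_chain() {
    mkdir -p "$1" || return 1
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; file = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > file }
        /-----END CERTIFICATE-----/   { inside = 0; close(file) }
        END                           { print n + 0 }
    '
}

# fetch_chain HOST OUTDIR [PORT]
# Same s_client call as above, with SNI; its output is piped to the splitter.
fetch_chain() {
    openssl s_client -showcerts -servername "${1}" -connect "${1}:${3:-443}" \
        </dev/null 2>/dev/null | split_pem_chain "$2"
}

# summarise_chain OUTDIR
# Prints subject, issuer, expiry date and SHA-256 fingerprint of every file.
summarise_chain() {
    for pem in "$1"/cert-*.pem; do
        [ -e "$pem" ] || continue
        echo "== $pem"
        openssl x509 -in "$pem" -noout -subject -issuer -enddate -fingerprint -sha256
    done
}

# Run only when called with arguments: ./chain.sh www.example.com ./chain [443]
if [ "$#" -ge 2 ]; then
    fetch_chain "$1" "$2" "${3:-443}" >/dev/null && summarise_chain "$2"
fi
```

`s_client` prints the chain even when verification fails, so compare the SHA-256 fingerprint of `cert-1.pem` with a value obtained from a trusted source before importing it into a keystore.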