
OpenSSL CLI commands to fetch server certificates.

title: Use OpenSSL to get server certificate
author: Stack Overflow
date: January 1, 2012
notoc: false

## With SNI

If the remote server is using SNI (that is, serving multiple TLS hosts from a
single IP address) you will need to send the correct hostname in order to get
the right certificate. Redirecting stdin from `/dev/null` ends the session as
soon as the handshake completes instead of waiting for interactive input:

```bash
openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null
```

If you get an error similar to `xxx:error:xxx:BIO routines:BIO_lookup_ex:system lib:crypto/bio/bio_addr.c:758:nodename nor servname provided, or not known connect:errno=0`,
the hostname did not resolve in DNS; execute the same command without `www`, as the domain may not have a `www` record.

You may also see _Secure Renegotiation IS NOT supported_ behind a corporate
firewall (or any TLS-intercepting middlebox that does not implement RFC 5746).
With OpenSSL 3.x the handshake then fails with `unsafe legacy renegotiation
disabled`; a temporary (but dangerous) workaround is to add the
`-legacy_renegotiation` parameter to the above command. It re-enables
connections to servers without secure renegotiation, so use it for
diagnostics only, never in anything that handles real data.

## Without SNI

If the remote server is not using SNI, you can skip the `-servername` parameter.
Note that OpenSSL 1.1.1 and later send SNI automatically using the host from
`-connect` (unless `-noservername` is given), so `-servername` mainly matters
when you connect by IP address or the SNI name differs from the connect target:

```bash
openssl s_client -showcerts -connect www.example.com:443 </dev/null
```

To view the full details of a site's cert, pipe the output into `openssl x509`.
Be aware that `x509` decodes only the first PEM block on its input, so this
shows the server (leaf) certificate and not the rest of the chain:

```bash
echo | openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | openssl x509 -text
```

## Extra

A one-liner to extract the certificate from a remote server in PEM format,
this time using sed (add `-showcerts` and the sed range prints every
certificate in the chain, not only the leaf):

```bash
openssl s_client -connect www.example.com:443 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
```

The easiest command line for this, which includes the PEM output to add it to
the key-store as well as a human-readable dump, and also supports SNI (which
is important if you are working with a virtual-hosted HTTP server), is:

```bash
openssl s_client -servername www.example.com -connect www.example.com:443 </dev/null 2>/dev/null | openssl x509 -text
```

`x509 -text` prints the decoded certificate followed by the PEM block; add
`-noout` if you want only the decoded form.
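The commands above are usually wanted together: fetch the chain with SNI, keep every PEM block rather than just the leaf, and decode each one. The script below is an added example written for this page, not code from the original Stack Overflow answer or from OpenSSL; the function names (`fetch_chain`, `extract_pem`, `count_certs`, `split_chain`, `summarize_cert`) are our own, and the embedded `SAMPLE_OUTPUT` is a constructed imitation of `s_client -showcerts` output with placeholder PEM bodies so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example for this page: wrap the s_client commands above in small
# functions that fetch a server's chain with SNI, split it into one PEM file
# per certificate and summarise each one. Function names are our own, not
# part of OpenSSL or the original answer.

# fetch_chain HOST [PORT] [SNI_NAME]: run the page's command. -showcerts dumps
# every certificate the server sent, -servername sets SNI (defaults to HOST;
# override it when connecting by IP), stdin from /dev/null ends the session
# right after the handshake, stderr is dropped so only the dump reaches stdout.
fetch_chain() {
    host=$1
    port=${2:-443}
    sni=${3:-$1}
    openssl s_client -showcerts -servername "$sni" -connect "$host:$port" \
        </dev/null 2>/dev/null
}

# extract_pem: keep only the PEM blocks from s_client output on stdin (the sed
# range from the page). Unlike piping into a single `openssl x509`, which reads
# just the first block, this keeps the whole chain.
extract_pem() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# count_certs: number of certificates in the s_client output on stdin.
count_certs() {
    extract_pem | grep -c -- '-BEGIN CERTIFICATE-'
}

# split_chain OUTDIR: write each PEM block on stdin to OUTDIR/cert-N.pem
# (cert-0.pem is the leaf, higher numbers are the intermediates the server
# sent) and print how many files were written.
split_chain() {
    mkdir -p "$1"
    awk -v dir="$1" '
        /-BEGIN CERTIFICATE-/ { file = dir "/cert-" (n++) ".pem" }
        file != ""            { print > file }
        /-END CERTIFICATE-/   { close(file); file = "" }
        END                   { print n + 0 }
    '
}

# summarize_cert FILE: decode subject, issuer and validity of one PEM file.
summarize_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Constructed sample of `s_client -showcerts` output (the PEM bodies are
# placeholders, not real certificates) so the parsing runs without a network.
SAMPLE_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAFCERTIFICATEBODY
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATECERTIFICATEBODY
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.com
issuer=CN = Example Intermediate CA
---
DONE'

# Usage against a live host (network required): sh fetch-chain.sh HOST [PORT]
if [ -n "${1:-}" ]; then
    outdir=$(mktemp -d)
    fetch_chain "$1" "${2:-443}" | split_chain "$outdir" >/dev/null
    for f in "$outdir"/cert-*.pem; do
        echo "== $f"
        summarize_cert "$f"
    done
fi
```

Run it with a host name to see one decoded summary per certificate the server sent; run it with no arguments to load the functions only, for example `printf '%s\n' "$SAMPLE_OUTPUT" | count_certs` prints `2` for the constructed sample. If a server only sends its leaf, `split_chain` writes a single file, which is itself a useful finding when debugging clients that fail with an incomplete chain.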