Retrieve an SSL Certificate from a Server With OpenSSL


I was setting up VMware vRealize Automation’s Active Directory connections the other day and I needed the public SSL certificate for the AD DCs to authenticate correctly. You can use OpenSSL to get that information.

I used a Linux shell, but this should be doable from a Mac or from Windows with OpenSSL installed, too.

If you wanted to read the SSL certificates off this blog you could issue the following command, all on one line:

openssl s_client -showcerts -servername lonesysadmin.net -connect lonesysadmin.net:443 < /dev/null

In this case you’ll get a whole bunch of stuff back:

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = lonesysadmin.net
verify return:1
Certificate chain
 0 s:/CN=lonesysadmin.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Server certificate
subject=/CN=lonesysadmin.net
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
SSL handshake has read 3260 bytes and written 398 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3B67BD8D78293E6C2CD87E192316DF2B0DD5B8D8D3E0209DD2A2F2CBE0D8298C
    Session-ID-ctx:
    Master-Key: BA7C4F7737DA489457285514FA66E935EAD13D4D8DAADA7577917A9B4564120759535FCF76C6616CC96108C375DA015A
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 9b 60 9e 06 36 26 95 27-0a b5 3e ba e2 9f e2 5c   .`..6&.'..>....\
    0010 - 71 f1 c4 12 2f 73 60 5e-ed 3b 19 fd af 48 51 4d   q.../s`^.;...HQM
    0020 - 85 47 93 5b b4 83 45 ef-04 15 ba 59 85 96 eb c1   .G.[..E....Y....
    0030 - 70 da e2 6f c4 f5 99 b5-ed c0 c2 6b 67 73 85 4e   p..o.......kgs.N
    0040 - 3e f1 6f e2 3c 5c f9 1f-e9 d3 8b c1 96 53 ea b2   >.o.<\.......S..
    0050 - dd a8 e9 0e 20 5c a5 de-c9 80 cc c6 35 62 c1 51   .... \......5b.Q
    0060 - c0 64 b3 2f ca eb 15 97-2a cd ef 51 8e 5f 21 32   .d./....*..Q._!2
    0070 - 4b d9 f9 2e ba ec b1 e5-06 cb dc 57 ab 1d 23 28   K..........W..#(
    0080 - 76 41 9c 79 e4 05 23 68-c4 2c 0c f1 46 df 55 01   vA.y..#h.,..F.U.
    0090 - 0e 68 d8 83 53 e1 8d 02-18 d4 b0 3d fc a6 03 9a   .h..S......=....
    00a0 - 2c 68 88 79 91 4b c9 ba-47 40 b4 aa d3 fb 17 e5   ,h.y.K..G@......
    00b0 - d5 36 f2 45 10 70 dd c4-1e be 69 6a d0 88 e1 a7   .6.E.p....ij....
    00c0 - ac 5f df ef b1 e7 bc be-42 06 8f 8c f3 82 95 5c   ._......B......\

    Start Time: 1543255454
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
DONE

Just prune out everything that isn’t between a “BEGIN CERTIFICATE” and “END CERTIFICATE” line:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

And ta-dum! You can paste that into whatever needs it. Some tools want the blocks in the reverse order (CA end of the chain first), so if it doesn't work this way, just swap them around.

Don’t forget to use the correct hostnames and ports! If your AD DC is called dc-01.goatrodeo.org and the global catalog is on port 3269 it’d be:

openssl s_client -showcerts -servername dc-01.goatrodeo.org -connect dc-01.goatrodeo.org:3269 < /dev/null
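Here is the pruning step, the optional reordering, and a quick sanity check as a small shell script. This is an added example, not code from the original post; the SAMPLE variable is constructed s_client-style output with placeholder bodies instead of real certificates, so the script runs without touching the network. The hostname dc-01.goatrodeo.org in the comment is the post's own example name.

```shell
#!/bin/sh
# Added example (not from the original post): keep only the PEM blocks from
# `openssl s_client -showcerts` output, reverse them if a consumer wants the
# CA end first, and check whether OpenSSL itself could verify the chain.

# Keep only the lines from BEGIN CERTIFICATE through END CERTIFICATE, inclusive.
extract_pem() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Count the certificates in a PEM stream on stdin.
count_pem() {
  grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Emit the PEM blocks in reverse order (s_client prints the leaf first;
# some tools want the chain the other way round).
reverse_pem() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { block = "" }
    { block = block $0 "\n" }
    /-----END CERTIFICATE-----/   { blocks[++n] = block }
    END { for (i = n; i >= 1; i--) printf "%s", blocks[i] }
  '
}

# Succeed only if OpenSSL reported "Verify return code: 0 (ok)" for the chain.
# A non-zero code means the chain did not verify against the local trust store,
# which is worth knowing before you paste the cert into something that trusts it.
chain_verified() {
  grep -q '^[[:space:]]*Verify return code: 0 (ok)'
}

# Show subject, issuer and SHA-256 fingerprint of the first PEM block on stdin,
# so you can confirm what you are about to trust (needs the openssl binary).
first_cert_info() {
  openssl x509 -noout -subject -issuer -fingerprint -sha256
}

# Constructed sample in the shape of `openssl s_client -showcerts` output.
# The certificate bodies are placeholders, not real certificates.
SAMPLE='CONNECTED(00000003)
depth=1 CN = Example Intermediate CA
verify return:1
depth=0 CN = example.test
verify return:1
Certificate chain
 0 s:/CN=example.test
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAF-CERT-BODY-PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATE-CERT-BODY-PLACEHOLDER
-----END CERTIFICATE-----
Server certificate
subject=/CN=example.test
issuer=/CN=Example Intermediate CA
    Verify return code: 0 (ok)
DONE'

# Demo on the sample. Against a live DC, replace the printf with:
#   openssl s_client -showcerts -servername dc-01.goatrodeo.org \
#       -connect dc-01.goatrodeo.org:3269 < /dev/null
# and pipe the pruned output through first_cert_info to inspect it.
if printf '%s\n' "$SAMPLE" | chain_verified; then
  echo "OpenSSL verified the chain"
else
  echo "WARNING: OpenSSL could not verify the chain; inspect the cert before trusting it" >&2
fi
printf '%s\n' "$SAMPLE" | extract_pem
```

Note what -showcerts does and does not give you: it prints only the certificates the server actually sends. In the capture above that was the leaf and the Let's Encrypt intermediate (chain entries 0 and 1); the DST root at depth=2 came from the local trust store, not from the server, so if a tool insists on the root you will have to fetch it from the CA separately.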

Good luck!
