Quick way to retrieve a chain of SSL certificates from a server

Published: 12 September, 2012

Sometimes I find the need to create a truststore in order to securely communicate with a remote party. The truststore needs to contain the complete certificate chain of the remote server. Now how do you obtain this chain? You might try fiddling with your web browser in order to download the various certificates. Well actually, there's an easier solution.

Assuming you have OpenSSL installed (it is available by default on Mac OS X and Linux systems), have a look at the s_client command:

openssl s_client -host google.com -port 443 -prexit -showcerts

The above command prints the complete certificate chain of google.com to stdout. Now you just have to copy each certificate (from its BEGIN CERTIFICATE line through its END CERTIFICATE line) into a separate PEM file (e.g. googleca.pem). Finally, you can import each certificate into your (Java) truststore. To import one certificate:

keytool -import -alias gca -file googleca.pem -keystore trust.jks
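The whole procedure above (capture the s_client output, split it into one PEM file per certificate, import each into the truststore) as a shell script; this is an added example, not code from the original post. The cert-N file and alias names are this example's own choice, and the embedded sample chain is constructed, so only the splitting step runs offline.

```sh
# Added example, not from the original post: split "openssl s_client -showcerts"
# output into one PEM file per certificate and import each into a Java truststore.
# Capture the chain first, e.g.:
#   openssl s_client -host google.com -port 443 -showcerts </dev/null > chain.txt

# split_chain <s_client-output> <out-dir>: writes cert-0.pem (leaf), cert-1.pem, ...
# in the order the server sent them and prints how many certificates were found.
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%d.pem", dir, n); n++; p = 1 }
        p { print > f }
        /^-----END CERTIFICATE-----/   { p = 0; close(f) }
        END { print n + 0 }
    ' "$1"
}

# import_chain <dir> <truststore> <password>: imports every split PEM under the
# alias cert-N (alias scheme is this example's choice). Requires a JDK keytool.
import_chain() {
    for f in "$1"/cert-*.pem; do
        keytool -importcert -noprompt -alias "$(basename "$f" .pem)" \
            -file "$f" -keystore "$2" -storepass "$3"
    done
}

# Constructed stand-in for s_client output; the bodies are placeholders,
# not real certificates, so only the splitting can be exercised offline.
sample_chain() {
    cat <<'EOF'
CONNECTED(00000003)
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
EOF
}

# Demo on the constructed sample (for real use, point split_chain at chain.txt).
demo=$(mktemp -d)
sample_chain > "$demo/chain.txt"
echo "wrote $(split_chain "$demo/chain.txt" "$demo/certs") certificate(s) to $demo/certs"
```

Servers normally send only the leaf and intermediate certificates, and a root received over the very connection you want to verify is not something you have verified yet; take root certificates from a trusted distribution rather than importing them from the split output.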

Hopefully the s_client trick saves you some time when obtaining X.509 server certificates.

