How to Download Remote SSL Certificate Using OpenSSL and cURL Commands in Linux


When working with HTTPS servers, developers often need to inspect or save the SSL certificate for debugging, security analysis, or certificate chain verification. While browsers provide GUI methods for certificate export, automation requires command-line solutions.

The most reliable method is using OpenSSL's s_client command:

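openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | \
openssl x509 -outform PEM > example_com.pem

This command:

  • Establishes an SSL/TLS connection to port 443, sending the hostname via SNI (-servername)
  • Closes stdin (</dev/null) so s_client exits after the handshake instead of waiting for input
  • Suppresses stderr output
  • Extracts the first (server) certificate in PEM format
  • Saves it to a file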

For systems where OpenSSL isn't available, cURL can be used:

curl -sSv --head https://example.com 2>&1 | \
awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }' > cert.txt

Note that this shows the certificate details from cURL's verbose output; it does not extract the certificate in a standard format such as PEM.

To get the complete certificate chain (including intermediates):

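openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | \
awk '/BEGIN CERT/{out="cert"++i".pem"}; {if(out) print > out}'

This creates separate files (cert1.pem, cert2.pem, etc.) for each certificate in the chain. Each file also contains the s_client text that follows its certificate; OpenSSL ignores text outside the BEGIN/END markers when it reads a PEM file.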

For bulk operations, create a shell script:

#!/bin/bash
domains=("example.com" "google.com" "github.com")
for domain in "${domains[@]}"; do
  # </dev/null closes stdin so s_client exits after the handshake
  openssl s_client -connect "${domain}:443" -servername "$domain" -showcerts </dev/null 2>/dev/null | \
  openssl x509 -outform PEM > "${domain}_cert.pem"
done
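
The chain-splitting command and the bulk script above, combined as an added example that is not part of the original article: it keeps only the lines between the BEGIN/END markers and reports a host that returned no certificate instead of leaving an empty .pem file. The function names and the HOST_certN.pem file naming are assumptions made for the illustration.

```bash
#!/bin/bash
# Added example: function names and the HOST_certN.pem naming are illustrative.

# split_chain PREFIX
# Reads `openssl s_client -showcerts` output on stdin and writes each PEM block
# to PREFIX1.pem, PREFIX2.pem, ... keeping only the BEGIN..END lines.
# Prints the number of certificates found; returns 1 when there were none.
split_chain() {
  local prefix=$1 count
  count=$(awk -v prefix="$prefix" '
    /^-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".pem" }
    out                            { print > out }
    /^-----END CERTIFICATE-----/   { close(out); out = "" }
    END                            { print n + 0 }
  ')
  echo "$count"
  [ "$count" -gt 0 ]
}

# fetch_chain HOST [PORT]
# Saves the chain the server presents as HOST_cert1.pem, HOST_cert2.pem, ...
# (dots in HOST become underscores). The exit status is that of split_chain.
fetch_chain() {
  local host=$1 port=${2:-443} prefix
  prefix="$(printf '%s' "$host" | tr . _)_cert"
  openssl s_client -connect "${host}:${port}" -servername "$host" -showcerts \
    </dev/null 2>/dev/null | split_chain "$prefix"
}

# Batch use: pass host names as arguments; with no arguments nothing is fetched.
if [ "$#" -gt 0 ]; then
  for host in "$@"; do
    if n=$(fetch_chain "$host"); then
      echo "$host: saved $n certificate(s)"
    else
      echo "$host: no certificate received" >&2
    fi
  done
fi
```

The saved files are whatever the server presented during the handshake; s_client does not abort when verification fails, so trust has to be checked separately.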

After saving, inspect the certificate:

openssl x509 -in example_com.pem -text -noout

This displays all certificate details including issuer, validity period, and subject. It only decodes the file; it does not check that the certificate chains to a trusted CA.

These methods provide flexible ways to retrieve SSL certificates for security testing, monitoring, or debugging purposes. The OpenSSL approach is most robust for production use.


When automating security checks or debugging TLS connections, you often need to programmatically retrieve SSL certificates from remote servers. Here are several robust methods using standard Linux tools:

The most reliable approach using OpenSSL:

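openssl s_client -showcerts -connect example.com:443 -servername example.com </dev/null 2>/dev/null | \
openssl x509 -outform PEM > certificate.pem

To save every certificate in the chain to one file:

openssl s_client -showcerts -connect example.com:443 -servername example.com </dev/null 2>/dev/null | \
sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > fullchain.pem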

Curl can output verbose SSL information including certificate details:

curl -sv https://example.com --output /dev/null 2> curl_output.txt && \
awk '/^\* SSL connection/,/^\* Server certificate:/' curl_output.txt

To print only the server certificate details (as noted above, this is curl's text summary rather than a PEM file):

curl -sIv https://example.com 2>&1 | \
awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'

For systems with GNUTLS installed:

gnutls-cli --print-cert example.com </dev/null > cert.pem

Convert between formats using OpenSSL:

# PEM to DER
openssl x509 -in certificate.pem -outform der -out certificate.der

# DER to PEM
openssl x509 -inform der -in certificate.der -out certificate.pem

Always inspect downloaded certificates:

openssl x509 -in certificate.pem -text -noout

Check validity period:

openssl x509 -in certificate.pem -noout -dates

Bash script example for batch processing:

#!/bin/bash
domains=("example.com" "google.com" "github.com")

for domain in "${domains[@]}"; do
    echo "Processing ${domain}..."
    # </dev/null closes stdin so s_client exits after the handshake
    openssl s_client -showcerts -connect "${domain}:443" -servername "${domain}" </dev/null 2>/dev/null | \
    openssl x509 -outform PEM > "${domain//./_}.pem"
done