How to Download SSL Certificate from Website Using OpenSSL and Command Line Tools



The most reliable method to retrieve an SSL certificate is using OpenSSL's built-in functionality:

openssl s_client -showcerts -connect www.google.com:443 </dev/null | openssl x509 -outform PEM > google_cert.pem

This command:

  • Establishes a connection to the server
  • Shows all certificates in the chain (-showcerts)
  • Converts the first (server) certificate to PEM format (base64 encoded)
  • Saves it to the google_cert.pem file

For quick certificate inspection without saving to file:

curl -vI https://www.google.com 2>&1 | awk '/^\*/ {print}'

To extract just the certificate:

openssl s_client -connect www.google.com:443 2>/dev/null </dev/null | openssl x509 -outform PEM > google.pem

To get the full certificate chain:

openssl s_client -showcerts -verify 5 -connect www.google.com:443 </dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".pem"; print >out}'

This creates separate files (cert1.pem, cert2.pem, etc.) for each certificate in the chain.

For automation across multiple sites:

#!/bin/bash
domains=("google.com" "github.com" "stackoverflow.com")

for domain in "${domains[@]}"; do
    echo "Fetching cert for $domain"
    openssl s_client -showcerts -connect "$domain:443" </dev/null 2>/dev/null | \
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "${domain}_cert.pem"
done

Always verify the downloaded certificate matches what the browser sees:

openssl x509 -in google_cert.pem -text -noout | grep -E "Subject:|Issuer:|Not After"
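
To make the comparison above exact rather than visual, this added example (not part of the original article) splits saved `openssl s_client -showcerts` output into its certificates and computes each SHA-256 fingerprint, the value a browser's certificate viewer shows. The function names are illustrative, and the sample input is constructed from placeholder bytes, not real certificates.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)

def split_chain(text):
    """Return every certificate in s_client output as DER bytes, leaf first.
    Session text outside the BEGIN/END markers is ignored."""
    return [ssl.PEM_cert_to_DER_cert(b) for b in PEM_BLOCK.findall(text)]

def fingerprint(der):
    """SHA-256 over the DER bytes, formatted AA:BB:... like the output of
    openssl x509 -noout -fingerprint -sha256."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def chain_fingerprints(text):
    return [fingerprint(der) for der in split_chain(text)]

def _norm(fp):
    # Browsers differ in case and separators, so compare hex digits only.
    return re.sub(r"[:\s]", "", fp).upper()

def leaf_matches(text, expected_fp):
    """True only if a certificate was found and the leaf's fingerprint equals
    the value copied from the browser."""
    fps = chain_fingerprints(text)
    return bool(fps) and _norm(fps[0]) == _norm(expected_fp)

# Constructed sample: placeholder bytes stand in for DER certificates so the
# block runs offline; the other lines imitate s_client -showcerts output.
SAMPLE_DER = [b"constructed-leaf-certificate",
              b"constructed-intermediate-certificate"]
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:CN = leaf.example\n" + ssl.DER_cert_to_PEM_cert(SAMPLE_DER[0])
    + " 1 s:CN = Example Intermediate\n" + ssl.DER_cert_to_PEM_cert(SAMPLE_DER[1])
    + "---\nServer certificate\n")

if __name__ == "__main__":
    for n, fp in enumerate(chain_fingerprints(SAMPLE_OUTPUT), 1):
        print(f"certificate {n}: SHA-256 {fp}")
```

For a real check, pass the text of the saved s_client output and the fingerprint copied from the browser to leaf_matches; a mismatch means the two sides were served different certificates.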

Common format conversions:

# PEM to DER
openssl x509 -in google_cert.pem -outform der -out google_cert.der

# DER to PEM
openssl x509 -inform der -in google_cert.der -out google_cert.pem

# View certificate info
openssl x509 -in google_cert.pem -text -noout

When working with web security or debugging HTTPS connections, you might need to download a website's SSL certificate for inspection or testing. This can be done using common command-line tools like openssl or wget. Below, I'll show you several methods to achieve this.

The most straightforward way to fetch an SSL certificate is using the openssl command. Here's how:

openssl s_client -connect www.google.com:443 -showcerts < /dev/null | openssl x509 -outform PEM > google_cert.pem

This command:

  • Connects to www.google.com on port 443 (HTTPS)
  • Extracts the certificate chain
  • Saves the first certificate in PEM format to google_cert.pem

Alternatively, you can filter the PEM blocks out of the s_client output with sed:

openssl s_client -connect www.google.com:443 -showcerts < /dev/null 2>/dev/null | sed -n '/BEGIN CERT/,/END CERT/p' > google_cert.pem

To get the entire certificate chain:

openssl s_client -connect www.google.com:443 -showcerts 2>/dev/null < /dev/null > full_chain.pem

After downloading, you can inspect the certificate details:

openssl x509 -in google_cert.pem -text -noout

For those who prefer Python, here's a script to fetch certificates:

import ssl
import socket

hostname = 'www.google.com'
# Default context: validates the chain and checks the hostname
context = ssl.create_default_context()

with socket.create_connection((hostname, 443)) as sock:
    # server_hostname sets SNI and is the name the certificate is checked against
    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
        cert = ssock.getpeercert(True)  # Returns DER format
        with open('google_cert.der', 'wb') as f:
            f.write(cert)

Typical uses for a downloaded certificate:

  • Debugging SSL/TLS connection issues
  • Setting up local testing environments
  • Analyzing certificate chains
  • Creating certificate pinning configurations

Notes:

  • Some servers may use SNI (Server Name Indication) - add -servername www.google.com to OpenSSL commands if needed
  • For expired or self-signed certificates, use -verify 0 to bypass validation
  • Always verify certificates from untrusted sources