Someday you may need to get the SSL certificate of a website and save it locally.
For example, you could get an error saying that you can’t clone a Git repository due to a self-signed certificate, and to resolve this issue you would need to download the SSL certificate and make it trusted by your Git client.
In this article I show how to export the SSL certificate from a server (site URL) using the Google Chrome, Mozilla Firefox and Internet Explorer browsers, as well as how to get the SSL certificate from the command line using the openssl command.
Export SSL Certificate
Google Chrome
Export the SSL certificate of a website using Google Chrome:
- Click the Secure button (a padlock) in an address bar
- Click the Show certificate button
- Go to the Details tab
- Click the Export button
- Specify the name of the file you want to save the SSL certificate to, keep the “Base64-encoded ASCII, single certificate” format and click the Save button
Mozilla Firefox
Export the SSL certificate of a website using Mozilla Firefox:
- Click the Site Identity button (a padlock) in an address bar
- Click the Show connection details arrow
- Click the More Information button
- Click the View Certificate button
- Go to the Details tab
- Click the Export button
- Specify the name of the file you want to save the SSL certificate to, keep the “X.509 Certificate (PEM)” format and click the Save button
Internet Explorer
Download and save the SSL certificate of a website using Internet Explorer:
- Click the Security report button (a padlock) in an address bar
- Click the View Certificate button
- Go to the Details tab
- Click the Copy to File... button
- Click the Next button
- Select the “Base-64 encoded X.509 (.CER)” format and click the Next button
- Specify the name of the file you want to save the SSL certificate to
- Click the Next and the Finish buttons
OpenSSL
Get the SSL certificate of a website using the openssl command:
$ echo | openssl s_client -servername NAME -connect HOST:PORT |\
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.crt
Short explanation:
Option | Description |
---|---|
-connect HOST:PORT | The host and port to connect to |
-servername NAME | The TLS SNI (Server Name Indication) extension (website) |
certificate.crt | Save SSL certificate to this file |
Example:
$ echo | openssl s_client -servername google.com -connect google.com:443 |\
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.crt
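The file written by the pipeline above contains whatever the answering server presented, and it is empty if the connection failed, so it is worth comparing its SHA-256 fingerprint with a value obtained out of band before making it trusted. The script below is an added example, not part of the original article: the function names and the sample input are constructed, the PEM body is placeholder bytes rather than a real certificate, and GNU `base64` and `sha256sum` are assumed.

```shell
#!/bin/sh
# Added example: check a fetched certificate against a known fingerprint
# before saving it. Function names are hypothetical; assumes GNU coreutils.

# Constructed sample of `openssl s_client` output. The PEM body is placeholder
# bytes (base64 of "hello world"), not a real certificate.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Server certificate
-----BEGIN CERTIFICATE-----
aGVsbG8gd29ybGQ=
-----END CERTIFICATE-----
subject=CN = git.example.test
---
EOF
}

# Print only the first PEM block on stdin and stop reading after it.
extract_first_cert() {
    sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/{p;/-END CERTIFICATE-/q;}'
}

# SHA-256 over the decoded (DER) bytes, as lowercase hex without colons.
cert_fingerprint() {
    sed '/^-----/d' | base64 -d | sha256sum | cut -d' ' -f1
}

# Usage: ... | save_if_pinned EXPECTED_SHA256 OUTFILE
# Returns 2 if no certificate was received, 1 on mismatch, 0 after saving.
save_if_pinned() {
    expected=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    pem=$(extract_first_cert)
    if [ -z "$pem" ]; then
        echo "no certificate in input (did the connection fail?)" >&2
        return 2
    fi
    actual=$(printf '%s\n' "$pem" | cert_fingerprint)
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got $actual" >&2
        return 1
    fi
    printf '%s\n' "$pem" > "$2"
}

# Live use with the article's command (EXPECTED obtained out of band):
# echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null |
#     save_if_pinned "$EXPECTED" certificate.crt
```

The expected value can be given with or without colons and in either case, so the output of `openssl x509 -noout -fingerprint -sha256` run by the server's administrator can be pasted in directly.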
I’m a bit confused. Not only is Base64 not the default, but also, while some sources agree that Base64 is to be used, other sources advise to use DER instead. If I export and install both formats, will Java automatically pick the correct one over the broken one?
As always, it depends on your Java and its current conventions.
I guess I’m just here to remind that either way it’s likely good to plan for something more robust to keep things from breaking.
Very useful
EHX, yes, Base64 is not the default and the guide is not updated (Chrome). I solved it by just saving the certificate (checking the Base64 option) to an existing local file, then used it in my certificate-pinning implementation (Android and Kotlin, but the concept is the same in Java).
In Chrome on a Mac, there is no longer an option to export the certificate. However, you may drag it to a Finder window.
If I use $ echo | openssl s_client -servername google.com -connect google.com:443 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.crt
In OS X High Sierra I got “sed command not found”. Although I’m pretty sure I have it installed, as if I run just “sed” it is listed there.
Were you able to fix it?
old: …:443 |\ sed …
new: …:443 | sed …
new error:
“verify error:num=20:unable to get local issuer certificate”
I can’t use Google search in ANY browser and I tried almost every possible “solution” on the internet…
This is the problem…
I know the problem is the certificate, any ideas?
Hello, the solution for you is:
echo | openssl s_client -connect MyServer.Mydomain.com:443 | openssl x509 -keyform DER -out MyServer.Mydomain.com.crt
Thx! This is very useful. But downloading via browser is a bit confusing. The UI might have changed since the time of this writing. So I just use the shell command.
Hi. I’m using the SSL Labs online tool to get the pin of the leaf certificate, but it seems it expires every 6 months.
I don’t want to update the Android app.
Is there a way to not update every 6 months?
I’m a little confused that I must use Linux for that.
Awesome tutorial for beginners. Helped me.