Get SSL Certificate from Server (Site URL) – Export & Download

Someday you may need to get the SSL certificate of a website and save it locally.

For example, you could get an error saying that you can’t clone a Git repository due to a self-signed certificate and to resolve this issue you would need to download the SSL certificate and make it trusted by your Git client.

In the following article i am showing how to export the SSL certificate from a server (site URL) using Google Chrome, Mozilla Firefox and Internet Explorer browsers as well as how to get SSL certificate from the command line, using openssl command.

Cool Tip: Create a self-signed SSL Certificate! Read more →

Export SSL Certificate

Google Chrome

Export the SSL certificate of a website using Google Chrome:

  1. Click the Secure button (a padlock) in an address bar
  2. Click the Show certificate button
  3. Go to the Details tab
  4. Click the Export button
  5. Specify the name of the file you want to save the SSL certificate to, keep the “Base64-encoded ASCII, single certificate” format and click the Save button

Mozilla Firefox

Export the SSL certificate of a website using Mozilla Firefox:

  1. Click the Site Identity button (a padlock) in an address bar
  2. Click the Show connection details arrow
  3. Click the More Information button
  4. Click the View Certificate button
  5. Go to the Details tab
  6. Click the Export button
  7. Specify the name of the file you want to save the SSL certificate to, keep the “X.509 Certificate (PEM)” format and click the Save button

Cool Tip: Check the expiration date of the SSL Certificate from the Linux command line! The fastest way! Read more →

Internet Explorer

Download and save the SSL certificate of a website using Internet Explorer:

  1. Click the Security report button (a padlock) in an address bar
  2. Click the View Certificate button
  3. Go to the Details tab
  4. Click the Copy to File... button
  5. Click the Next button
  6. Select the “Base-64 encoded X.509 (.CER)” format and click the Next button
  7. Specify the name of the file you want to save the SSL certificate to
  8. Click the Next and the Finish buttons

OpenSSL

Get the SSL certificate of a website using openssl command:

$ echo | openssl s_client -servername NAME -connect HOST:PORT |\
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.crt

Short explanation:

Option Description
-connect HOST:PORT The host and port to connect to
-servername NAME The TLS SNI (Server Name Indication) extension (website)
certificate.crt Save SSL certificate to this file

Example:

$ echo | openssl s_client -servername google.com -connect google.com:443 |\
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.crt
Was it useful? Share this post with the world!

13 Replies to “Get SSL Certificate from Server (Site URL) – Export & Download”

  1. I’m a bit confused. Not only is Base64 not the default, but also, while some sources agree that Base64 is to be used, other sources advise to use DER instead. If I export and install both formats, will Java automatically pick the correct one over the broken one?

    1. As always, it depends on your Java and its current conventions.

      I guess I’m just here to remind that either way it’s likely good to plan for something more robust to keep things from breaking.

  2. Very useful

  3. EHX, yes Base64 is not the default and the guide is not updated (Chrome) I solved by just saving the certificate (checking the Base64 option) to an existing local file, then used it in my certificate-pinning implementation (Android and Kotlin but the concept is the same in Java)

  4. In chrome on a mac, there is no longer an option to export the certificate. However, you may drag it to a finder window.

  5. If I use $ echo | openssl s_client -servername google.com -connect google.com:443 |\
    sed -ne ‘/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p’ > certificate.crt
    In osx high Sierra I got “sed command not found”. Although Im pretty sure I have it installed, as if I run just “sed” it is listed there.

    1. were u able to fix it?>

  6. old: …:443 |\ sed …
    new: …:443 | sed …

    new error:
    “verify error:num=20:unable to get local issuer certificate”

  7. I can’t use google search in ANY browser and i tried almost every possible “solution” in the internet…
    This is the problem…

    NET::ERR_CERT_COMMON_NAME_INVALID
    Subject: www.google.com.pe
    Issuer: DigiCert Global Root G1A
    Expires on: 1 ene. 2031
    Current date: 13 feb. 2021
    PEM encoded chain:
    -----BEGIN CERTIFICATE-----
    MIIDfjCCAmagAwIBAgIQVfsZBcz0XbdO98HCgd+hbzANBgkqhkiG9w0BAQsFADAj
    MSEwHwYDVQQDDBhEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMUEwHhcNMjAwMTAxMTc0
    MzMyWhcNMzEwMTAxMTQ0MzMyWjAcMRowGAYDVQQDDBF3d3cuZ29vZ2xlLmNvbS5w
    ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJkzpf1hd6snJ3A0YLkR
    6NSEWNox3nubLRXiHxRwVpccFFfDb3hfbqCAlAt1rgzRuGKQW3+B/7QUydH+j7/i
    JoQDpbueTcIOPcpF7MMlzfdkiX42Zrg+WKUgK8kGoJFTxSGX1rCVTz+AYjv8B3FB
    /CGY1yT8/dUnVujRVjozNyxVaOlh9h/zQMaL/zt4I5XRYPa+pYbRKubeWfilz+DF
    kfBc434h4piBj5YvczLWj11TlGHVax6ReBNbu+pY6W0/cglw/afXrXbozmqjCNGn
    j5FKbzNKbzroruAbiOadjsDSkgkbiQKdV2Kc4YZ0MZMJiT0dUYs8AeAqK5b7qRiv
    H50CAwEAAaOBtDCBsTATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAA
    MA4GA1UdDwEB/wQEAwIFoDA8BgNVHREENTAzghF3d3cuZ29vZ2xlLmNvbS5wZYIP
    Ki5nb29nbGUuY29tLnBlgg1nb29nbGUuY29tLnBlMB8GA1UdIwQYMBaAFM0xzOHl
    AcRR4Cl+gxYkiZ4H8QwHMB0GA1UdDgQWBBQF1byrgMTFWfwwRlfvraTbhC0PcjAN
    BgkqhkiG9w0BAQsFAAOCAQEA6zs7TfhMkBQb74A5ExeQNRE/kO0hA0FLpQAAIAsI
    15wIqdHU7JAes52BRaMivc/WLAB61ixNKVm+02hPgRZql/cqXl+sWbWkDs4iskNP
    49gfHrHuNHXHum/iYr3SpZ03EFjmF1zwu/DQJt+uWAaSAGVe+FNzRFvVSMqQ10VH
    Fs5XM2J4dAAZkj1f+XZMY1lw9yd8NaQhJA+Z3gaeEvAJ0DfvRZB+nWOANmyyU0yG
    +jm0gtcqUaMAshFz+UE51Hj57YHZ7C/iS5Kuij+KZJr4VG2yjxrKpsKw67TXxRKF
    aUUR3znfUW9UldozGcw0qhxkzepDgIT85ckr+tBP9KgEXg==
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDEjCCAfqgAwIBAgIQWL05hRyt7LxL1Qz6kS+GczANBgkqhkiG9w0BAQsFADAj
    MSEwHwYDVQQDDBhEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMUEwHhcNMTkxMTE5MDk1
    NjQxWhcNMzAxMTE5MDY1NjQxWjAjMSEwHwYDVQQDDBhEaWdpQ2VydCBHbG9iYWwg
    Um9vdCBHMUEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDsP0YG+PXQ
    KMgAexkWGzhnJadzG3UinjmAzRlO5UEaoRRI1gyQR7fiGH3KZLQbg4/W6iom4B9v
    h8Xp0zBMk7issPheCgXclz3gwWSOPfuc0UzmhwoYlYqhThb5dBP7f1uqqxfiR6bn
    xLb2IgjSt/tFXzBACRwgeDbaIt7BwK/ckD3dI92KKGAPFzAM332A6rzO0viH31Cj
    S0Cmzq9HShle0Wf1a5vR1F9anYLcVUAEdTmDi6MQ5zaUzsdtrKa6rc6JEsNXyMY5
    rIxUOxxEZxwH0nI3rcpruYEsmuy5BdUT8IWkZTntbPpsVmADHAgmkeLcuq0N1DmG
    wryKc44IgkyZAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
    AgGGMB0GA1UdDgQWBBTNMczh5QHEUeApfoMWJImeB/EMBzANBgkqhkiG9w0BAQsF
    AAOCAQEAFT0sIlhqhf7DVPne1VCcw2mtqH9PPGjhyhFadSpB5b7SFIqmExafW5f6
    worC4DC4qWth2zfswSqIVbF8XesjhTJ10/ObKmUjA8ppa7UK2TBmPf9JKwnEXj1P
    I/meXlWCH/9riZNUrI0cAjstdUwHMg4BCj9NArbeb36BlNoPpon77Gii+4jLxjqE
    u1AH3eLZaW9eDQdSROVj8ceUThJ4uPjB7TQG81uCS7Pa/SFC5AFdK9Ku/Icz8HIB
    x5ENDz3OjWkBNIUwwJHIgFJrsj9xB7QiWALM/sjxuO6cHYIiIb17U1rZCMKJSNHJ
    mDtl77BKIr4Df52ko+enpKg6c1SHTw==
    -----END CERTIFICATE-----

    I know the problem is the certificate, any ideas?

    1. Hello, the solution for you is:
      echo | openssl s_client -connect MyServer.Mydomain.com:443 | openssl x509 -keyform DER -out MyServer.Mydomain.com.crt

  8. Thx! This is very useful. But downloading via browser is a bit confusing. The UI might have changed since the time of this writing. So i just use the shell command.

  9. Hi. im using SSL LABS online tool for get the pin of leaft certificate but seems expires every 6 months.
    i dont want to update the android app.
    is there a way to not update every 6 months?
    im little confusion that i must use linux for that.

  10. Awesome tutorial for beginners. Helped me.

Leave a Reply