With the openssl command line utility, you can easily get the certificate of a server to which you don’t have filesystem access.
openssl s_client -showcerts -connect some_server:server_port
Where server_port is usually 443. Add -servername some_server when the host serves several names on one address, so that the server returns the certificate for the name you asked for. The certificate of the server is everything between (and including) the first pair of
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
lines.
The remaining certificates that openssl dumps are those of the issuers in the certification chain, in order. If the server sends the complete chain, the last one is the self-signed certificate of a root Certification Authority (CA); many servers leave the root out, so the chain often ends at an intermediate CA certificate instead.
What use is the certificate we got?
Well, some time ago at my workplace, I was writing some Java code that fetched some XML from a local server through HTTPS. The certificate of this server was self-signed and my Java code was throwing an Exception complaining that the SSL handshake failed. This was because the certificate was not in the JRE’s trusted certificates keystore. Had the certificate not been self-signed, the same would have happened unless the certificate of some issuer in the certification chain was found in the keystore.
I had two choices:
- Change the code to ignore certification validation
- Add the server’s certificate to the keystore
The former one involved too much extra code.
Adding the certificate to the JRE keystore:
keytool -keystore /etc/java-6-sun/security/cacerts -import -file file_with_certificate -alias some_server_or_whatever
Notes:
- the default password for the JRE keystore is changeit; keytool prompts for it, or you can pass -storepass changeit on the command line
- the keystore path may be different in distributions other than Debian GNU/Linux (in newer JDKs it lives under lib/security/ of the JDK installation)
- check that the import worked with keytool -keystore /etc/java-6-sun/security/cacerts -list -alias some_server_or_whatever
- everything imported into the JRE’s cacerts is trusted by every Java program running on that JRE; if only one application needs the certificate, import it into a separate keystore and point that JVM at it with -Djavax.net.ssl.trustStore=/path/to/keystore instead
- import only the server’s own (first) certificate, not one of the issuer certificates: trusting a CA certificate means trusting every certificate that CA signs
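The whole procedure as a shell script, added here as an example and not code from the original post: the extraction of the first PEM block is run against a constructed sample of s_client output so that part works offline, while fetch_chain and import_cert run the real openssl and keytool commands against a live server. The host name some_server, the port and the keystore path are placeholders taken from the post.

```shell
#!/bin/sh
# Added example: fetch a server's leaf certificate with openssl s_client and
# import it into a Java keystore. Host, port and keystore path are placeholders.

# Print only the first PEM certificate block from s_client-style output on stdin.
# The leaf (server) certificate is printed first; the rest are the issuer chain.
extract_leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1}
         p {print}
         /-----END CERTIFICATE-----/ {if (p) exit}'
}

# Count how many certificates (leaf plus issuers) the server sent.
count_chain() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Fetch the chain from a live server (needs network). -servername sends the
# host name (SNI) so a virtual-hosted server returns the right certificate;
# </dev/null closes the session after the handshake instead of waiting for input.
fetch_chain() {
    host="$1"; port="${2:-443}"
    openssl s_client -showcerts -servername "$host" -connect "$host:$port" \
        </dev/null 2>/dev/null
}

# Import a PEM certificate into the keystore under the given alias, answering
# the "Trust this certificate?" prompt with -noprompt, then list it back.
import_cert() {
    keystore="$1"; certfile="$2"; alias="$3"
    keytool -keystore "$keystore" -storepass changeit -importcert -noprompt \
        -file "$certfile" -alias "$alias"
    keytool -keystore "$keystore" -storepass changeit -list -alias "$alias"
}

# Constructed sample of s_client output (the base64 bodies are NOT real
# certificates), used to demonstrate the extraction without network access.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=0 CN = some_server
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:CN = some_server
   i:CN = Example Issuer
-----BEGIN CERTIFICATE-----
MIIBleafBASE64DATA==
-----END CERTIFICATE-----
 1 s:CN = Example Issuer
   i:CN = Example Issuer
-----BEGIN CERTIFICATE-----
MIIBissuerBASE64DATA==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = some_server'

# Offline demonstration on the constructed sample.
leaf_from_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | extract_leaf_cert
}

chain_length_from_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | count_chain
}

# Live usage (placeholders: some_server, 443, the Debian JRE keystore path):
#   fetch_chain some_server 443 | extract_leaf_cert > some_server.pem
#   import_cert /etc/java-6-sun/security/cacerts some_server.pem some_server
leaf_from_sample
```

The awk program stops at the first END line, so only the leaf certificate reaches the file even when the server sends a long chain; count_chain is there to see how much of the chain the server actually sent (two in the sample, the leaf and one issuer).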