Posted by: fdmanana | July 1, 2008

Getting a server’s certificate with openssl

With the openssl command line utility, you can easily get the certificate of a server to which you don’t have filesystem access.

openssl s_client -showcerts \
           -connect some_server:server_port

Where server_port is usually 443. The certificate of the server is everything between (and including) the first pair of





The remaining certificates that openssl will dump belong to the certificate issuers in the certification chain. The last one will eventually be a self-signed certificate of a root Certification Authority (CA).

How is the certificate we got useful?

Well, some time ago at my workplace, I was writing some Java code that fetched some XML from a local server through HTTPS. The certificate of this server was self-signed and my Java code was throwing an Exception complaining that the SSL handshake failed. This was because the certificate was not in the JRE’s trusted certificates keystore. If the certificate had not been self-signed, the same would have happened unless the certificate of some issuer in the certification chain was found in the keystore.

I had two choices:

  1. Change the code to ignore certificate validation
  2. Add the server’s certificate to the keystore

The former one involved too much extra code.

Adding the certificate to the JRE keystore:

keytool -keystore /etc/java-6-sun/security/cacerts \
           -import -file file_with_certificate \
           -alias some_server_or_whatever


  • default password for the JRE keystore is changeit
  • the keystore path may be different in distributions other than Debian GNU/Linux
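
As an added example (not part of the original post), the shell functions below isolate the first certificate block from the s_client output and print its SHA-256 fingerprint, so it can be compared with a value obtained out of band before the keytool import. The function names, the -servername option and the sample output are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: keep only the server's own certificate from
# `openssl s_client -showcerts` output and show what is about to be trusted.

# Print only the first PEM certificate block found on stdin.
first_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ && !seen { inside = 1 }
        inside                                 { print }
        /-----END CERTIFICATE-----/ && inside  { inside = 0; seen = 1 }
    '
}

# Fetch the chain from host:port and save the server certificate to a file.
# -servername sends SNI so a virtual-hosted server returns the right
# certificate; stdin from /dev/null makes s_client exit after the handshake.
save_server_cert() {
    host=$1 port=$2 out=$3
    openssl s_client -showcerts -servername "$host" \
        -connect "$host:$port" </dev/null 2>/dev/null | first_cert >"$out"
    [ -s "$out" ] || { echo "no certificate from $host:$port" >&2; return 1; }
    # Compare this fingerprint with one supplied by the server's
    # administrator before importing the file into the keystore.
    openssl x509 -in "$out" -noout -subject -issuer -dates -fingerprint -sha256
}

# Constructed sample of s_client output. The bodies are placeholders,
# not real certificates.
SAMPLE_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = some_server
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
AAAAconstructedLEAFbodyAAAA
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
BBBBconstructedISSUERbodyBBBB
-----END CERTIFICATE-----
---'

# Offline demonstration: only the first block is printed.
printf '%s\n' "$SAMPLE_OUTPUT" | first_cert
```

Against a live server, `save_server_cert some_server 443 file_with_certificate` writes the file that the keytool command above imports.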
