Trying to integrate with a server over SSL/TLS, but your software cannot fetch the server's certificate itself? You may have to download the public certificate manually first. If you are faced with the task of downloading an SSL certificate from a website (e.g. to install it in a local Java keystore or on a local proxy), here are several methods I have tested to help you with this task. You may have to repeat it regularly: certificates are rotated more often and issued with shorter lifetimes, so the copy you installed will stop matching the server sooner. To avoid performing a manual certificate update every time, consider implementing a workflow that retrieves the latest certificate whenever it changes.
What is the benefit of rotating SSL certificates so frequently? In an age of security awareness and advanced attacks, one BIG advantage is removing the reliance on revocation in the event of a compromise of the private key. The usual way to revoke a certificate is to publish it on a certificate revocation list (CRL) or to answer for it over OCSP. However, the CRL or OCSP check is easy to bypass: most clients soft-fail, so an attacker who can block the client's path to the CRL or OCSP responder makes the revoked certificate look valid again. Short-lived certificates have the advantage that, in the event of a compromise, the compromised certificate will only work for a very limited period until it expires, limiting the damage that can be caused.
Downloading the SSL certificate from a website (Method 1)
The simplest way is to download the certificate from a reputable third-party site. In this example, I will download the public SSL certificate of community.servicenow.com. You can use it as an example to download the public certificate of your instance and, if needed, the certificate chain (the intermediate CA certificates that link it to a trusted root).
- Visit Qualys SSL Labs and run a test against the host
- Navigate to the required certificates
- Download the relevant certificates
Please also note that the report shows the expiry as the "Valid until" date.
Once downloaded, the certificate should look something like this:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Downloading an SSL Certificate using OpenSSL (Method 2)
I used OpenSSL for Windows; the same commands apply on Linux. In my example, I downloaded the public SSL certificate of community.servicenow.com.
On Linux/Unix use:
```sh
openssl s_client -connect community.servicenow.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM >mycertfile.pem
```
On Windows use:
```sh
openssl s_client -connect community.servicenow.com:443 < NUL | openssl x509 -outform PEM >mycertfile.pem
```
That exports the server's own (leaf) certificate into one file; `openssl x509` reads only the first certificate in its input. If you also need the intermediate certificates, add `-showcerts` to the `s_client` command and save its output, and add `-servername community.servicenow.com` if the server hosts several names and must be told which one you want (SNI).
Here is the certificate I created:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
To generate the fingerprint use:
```sh
openssl x509 -in mycertfile.pem -noout -sha1 -fingerprint
```
In my case it returned:
```
SHA1 Fingerprint=C3:96:4E:66:00:7E:96:1C:49:B0:A8:ED:B3:67:4D:98:EC:D7:FC:01
```
Replace `-sha1` with `-sha256` to get the SHA-256 fingerprint, which is what current browsers display; either way the fingerprint is a hash over the certificate's DER bytes, so it identifies the certificate regardless of how the PEM file was produced.
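To take the openssl steps above beyond a single leaf certificate, here is an added example (not from the original post) that fetches the whole chain with `s_client -showcerts`, splits it into one PEM file per certificate, computes SHA-256 fingerprints the same way openssl does (a hash over the decoded DER), and checks how close each certificate is to expiring so a refresh workflow knows when to refetch. The host name on the usage line and the `chain-N.pem` file names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: fetch, split and verify a server's certificate chain with openssl.
# Host and output names are placeholders; nothing here is specific to one server.

# fetch_chain HOST [PORT]: print every certificate the server sends, leaf first.
# -servername sends SNI so a multi-name host returns the right certificate;
# -showcerts prints the full chain instead of only the leaf.
fetch_chain() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null
}

# split_chain PREFIX: read s_client output (or any PEM bundle) on stdin and
# write each certificate to PREFIX-1.pem, PREFIX-2.pem, ... Prints the count.
split_chain() {
    prefix=$1
    awk -v p="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = p "-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }'
}

# fingerprint FILE: SHA-256 fingerprint in the colon-separated form openssl and
# browsers show. The hash covers the DER bytes, i.e. the base64 body between the
# BEGIN/END lines decoded, which is why a certificate exported from Firefox and
# one saved by openssl produce the same fingerprint even if the PEM text differs.
fingerprint() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | grep -v -- '-----' | tr -d '\n\r' | base64 -d \
        | sha256sum | cut -d' ' -f1 | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# expires_within FILE SECONDS: succeed (exit 0) if the certificate in FILE will
# have expired SECONDS from now. openssl's -checkend exits 0 only while the
# certificate is still valid at the end of the window, so the result is inverted.
expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage: sh getchain.sh community.servicenow.com
# Saves chain-1.pem (leaf), chain-2.pem, ... and prints a summary of each.
if [ -n "$1" ]; then
    count=$(fetch_chain "$1" | split_chain chain)
    i=1
    while [ "$i" -le "$count" ]; do
        f="chain-$i.pem"
        openssl x509 -in "$f" -noout -subject -issuer -enddate
        echo "SHA256 Fingerprint=$(fingerprint "$f")"
        # 30 days = 2592000 seconds: flag certificates that need refetching soon.
        if expires_within "$f" 2592000; then
            echo "WARNING: $f expires within 30 days"
        fi
        i=$((i + 1))
    done
fi
```

The chain is saved leaf first, so `chain-1.pem` is what goes into the keystore for pinning and the later files are the intermediates a proxy may need; compare the printed fingerprint with the one the browser shows before trusting the file.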
Checking SSL certificates in the browser
Every browser checks certificates for authenticity and validity when it connects. You can also check a certificate manually by comparing the fingerprint the browser displays with the fingerprint we provide or the one you generated from the downloaded certificate.
Downloading an SSL Certificate from the browser (Method 3)
You can also download the certificates using a browser. Here is an example of downloading a certificate from a Firefox browser:
Please note that browsers use their own TLS implementation (different from openssl) and the exported files may look different, for example in line wrapping or in extra header lines. The certificate bytes inside are the same, so the fingerprints will match.
After exporting the certificate from Firefox, this is what it produced:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
With new security threats still ahead of us, more servers will rotate their certificates frequently. Removing the reliance on revocation in the event of a compromise will help put you ahead of the game. You can download the certificates in any of the ways above; use the most convenient method that meets your business needs.
I used Firefox 46.0.1 and openssl 0.9.8h-1 to put together these examples.
For more information on certificates see:
- SSL/TLS encryption on instances
- OAuth client is not utilizing the certificate trust store (KB0621845)
- Email accounts connecting to a private mail server using TLS using self-signed certificates fails (K...
- LDAP requests fail after upgrade to Helsinki (KB0597327)
- Re: Vulnerability OpenSSL
- OpenSSL Vulnerability
- Uploading a Certificate to an instance (Geneva+)
- Uploading a Certificate (Fuji-)
- Import and configure the certificate for secure SSL connection
- ServiceNow SSL certificate update
- How to set up Mutual Authentication with ServiceNow
- My other blog posts