[Cryptography-dev] How to retrieve the certificates

Kai Lu kayne.lu at gmail.com
Wed Jul 1 16:34:51 CEST 2015


Hi Vladimir,

     The following outputs are what I want:

openssl s_client -showcerts -connect www.google.com:443 2>/dev/null

CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3719 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: CE335417E6C47BEA5F638FD712963403AA915EA2B07A630EFD0ACA6C30FB92E7
    Session-ID-ctx:
    Master-Key: 228675E99ACA98666180FBDF8DDFB051301DE91FBFBEC7FE2F5684CF702971E55C1C66F0463D4B547788689F28278281
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:

    Start Time: 1435761117
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Cheers,
Kayne.

On Wed, Jul 1, 2015 at 4:29 PM, Kai Lu <kayne.lu at gmail.com> wrote:

> Hi Vladimir,
>
>      Thanks for your reply!
>
>      What I need is .PEM format. Could you please provide an example about
> how to use  OpenSSL.crypto.dump_certificate(*type*, *cert*)?
>
> Cheers,
> Kayne.
>
>
>
> On Wed, Jul 1, 2015 at 4:12 PM, Vladimir Didenko <
> vladimir.didenko at gmail.com> wrote:
>
>> 2015-07-01 17:03 GMT+03:00 Kai Lu:
>>
>>> Hi,
>>>
>>>     Could anyone please tell me how to get each certificate (like "begin
>>> ... end") in the cert chain by using "peercertchain =
>>> conn.get_peer_cert_chain()"? I use PyOpenssl package. The command line
>>> like openssl s_client -showcerts -connect XXXX:443 2>/dev/null can print
>>> out what I need, but I want to use PyOpenssl package or other packages to
>>> implement it in the Python programs other than calling command line from
>>> Python code.
>>>
>>
>> I don't understand what is a problem.  conn.get_peer_cert_chain returns
>> usual Python list of X509 objects. Each object is certificate. If you need
>> PEM format you can use crypto.dump_certificate function.
>>
>>
>> --
>> Regards,
>> Vladimir.
>>
>
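
Added example, not part of the original thread: one way to get the s_client-style listing from pyOpenSSL by passing each X509 object from conn.get_peer_cert_chain() to crypto.dump_certificate with crypto.FILETYPE_PEM. The helper names (x509_name, chain_to_pem, fetch_chain, make_self_signed) are illustrative, and the self-signed certificate is constructed only so the conversion can be tried offline.

```python
import socket
from OpenSSL import SSL, crypto


def x509_name(name):
    """Render an X509Name the way s_client does: /C=US/O=.../CN=..."""
    return "".join("/%s=%s" % (k.decode(), v.decode("utf-8", "replace"))
                   for k, v in name.get_components())


def chain_to_pem(chain):
    """Return (subject, issuer, PEM text) for each X509 object in the chain."""
    rows = []
    for cert in chain or []:  # get_peer_cert_chain() gives None when no chain was sent
        pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode("ascii")
        rows.append((x509_name(cert.get_subject()), x509_name(cert.get_issuer()), pem))
    return rows


def fetch_chain(host, port=443, timeout=10):
    """Handshake with host:port and return the chain the server presented."""
    ctx = SSL.Context(SSL.SSLv23_METHOD)  # negotiates the highest common version
    ctx.set_default_verify_paths()
    # Fail the handshake on an untrusted chain. Hostname matching is not done here.
    ctx.set_verify(SSL.VERIFY_PEER, lambda conn, cert, errno, depth, ok: bool(ok))
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.settimeout(None)  # a socket timeout makes pyOpenSSL raise WantReadError
    try:
        conn = SSL.Connection(ctx, sock)
        conn.set_tlsext_host_name(host.encode("idna"))  # SNI
        conn.set_connect_state()
        conn.do_handshake()
        return chain_to_pem(conn.get_peer_cert_chain())
    finally:
        sock.close()


def make_self_signed(cn):
    """Constructed sample certificate, so chain_to_pem() can be tried offline."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.get_subject().CN = cn
    cert.set_issuer(cert.get_subject())
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(3600)
    cert.set_pubkey(key)
    cert.sign(key, "sha256")
    return cert
```

Printing the tuples returned by fetch_chain("www.google.com") gives the "s:" and "i:" lines followed by each BEGIN/END CERTIFICATE block, in the order the server sent them.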