Openssl: Extract root certificate from certificate chain?

ssl ssl-certificate openssl certificate-authority

I am fetching a certificate chain with openssl s_client -showcerts -connect host.whatever:443 </dev/null.

In addition to that I would like to extract the root certificate form the chain programmatically in the format -----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----

Does anybody know of a functionality that is capable of that and already ships with OpenSSL?


openssl s_client shows you only the certificate chain send by the client. This chain usually does not include the root certificate itself. Instead the root certificate is only contained in the local trust store and is not send by the server. As far as I know there is no builtin way to get the root certificate for a connection using the openssl command line.


It wouldn't make sense for the web server to send the root certificate and the browser should ignore it if it is sent (it MUST be in the local store). If it's an intermediate CA certificate then you'd retrieve it the way you're already using.

Related

Determine version of AWS tools using only powershell
Hyper-V: Not able to ping my local VM from Host
Schedule a disk snapshot on GKE
Where can I find End of Life Support Dates for Microsoft Products? [closed]
How to determine if remote wipe succeeded?
How to Make a /22 Reverse Zone in Bind? (255.255.252.0))
405 (Not Allowed) on POST request
Nginx request port
Is it possible to take a snapshot of a database in Azure?
puppet adding timestamp in file content
Postfix protocol error attempting email address validation with SMTP
How do I install Internet Explorer on Windows Server 1803 (semi annual release)?