Openssl: Extract root certificate from certificate chain?
I am fetching a certificate chain with openssl s_client -showcerts -connect host.whatever:443 </dev/null
.
In addition to that I would like to extract the root certificate form the chain programmatically in the format -----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----
Does anybody know of a functionality that is capable of that and already ships with OpenSSL?
openssl s_client
shows you only the certificate chain send by the client. This chain usually does not include the root certificate itself. Instead the root certificate is only contained in the local trust store and is not send by the server. As far as I know there is no builtin way to get the root certificate for a connection using the openssl command line.
It wouldn't make sense for the web server to send the root certificate and the browser should ignore it if it is sent (it MUST be in the local store). If it's an intermediate CA certificate then you'd retrieve it the way you're already using.