Retrieving Certificate Authorities using OpenSSL

There are times when you cannot retrieve a CA certificate through a web site, for example when you need the CA used by your mail server.

First you will need to download and install OpenSSL.

Once installed, open a DOS prompt and change to the directory where you installed OpenSSL. Then change into the bin directory beneath it and issue the command openssl. This should give you an OpenSSL prompt.

Now issue the s_client command, specifying the server and port you are connecting to. (Note: if the server you are connecting to requires TLS, see the second example below for instructions on retrieving the certificate.)

s_client -connect smtp.gmail.com:465

When this command runs correctly you should see a large amount of connection information on the DOS screen, including a certificate. If you examine the output you should see lines containing the tags BEGIN CERTIFICATE and END CERTIFICATE.

Copy and paste this text, including those tags, into a text file on your PC. Then save the file under a meaningful name with the extension .cer.

Now, if you double-click the file, you should see the certificate and its certification path, and you can then follow the instructions to export each individual CA for importing into your system using DCM.

Retrieving Certificate Authorities (CAs) from Servers that Require TLS

Some servers require TLS instead of straight SSL. There isn't much difference except for the method used in OpenSSL to retrieve the server's certificate. As an example, Gmail allows TLS connections on port 587. The OpenSSL command would be the following:

s_client -connect smtp.gmail.com:587 -starttls smtp

Again, find the BEGIN CERTIFICATE and END CERTIFICATE tags and copy all the text, including the tags, into a text file. Then rename the file to a .cer file, and you are ready to export each of the separate CAs needed.
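The same retrieval, scripted, as an added example that is not part of the original article: it runs s_client with the -showcerts option so that everything the server sends (its own certificate first, then the CA certificates above it) is captured, and splits that output into one .cer file per certificate, which is what the export step needs. It assumes openssl is on the PATH; the function names and the chain-N.cer file naming are my own.

```shell
#!/bin/sh
# Added example (not from the original article): fetch a server's full
# certificate chain with OpenSSL and split it into one .cer file per
# certificate, instead of copying a single block from the screen by hand.
# Assumes `openssl` is on the PATH; file names (<prefix>-N.cer) are my choice.

# split_chain [PREFIX]: read s_client output on stdin and write each
# BEGIN/END CERTIFICATE block to PREFIX-N.cer. Prints how many were written.
split_chain() {
    prefix="${1:-chain}"
    awk -v p="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = p "-" n ".cer"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END { print n + 0 }
    '
}

# fetch_chain HOST PORT [PROTO]: connect with s_client -showcerts so every
# certificate the server presents is printed, not just the first one.
# With a PROTO (e.g. smtp) the session is upgraded with STARTTLS, as on
# port 587; without one, TLS is negotiated immediately, as on port 465.
fetch_chain() {
    host="$1"; port="$2"; proto="$3"
    if [ -n "$proto" ]; then
        openssl s_client -connect "$host:$port" -starttls "$proto" -showcerts </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null
    fi
}

# describe_cert FILE: print subject and issuer, so you can tell the server's
# own certificate (listed first) from the CA certificates you need to import.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# Usage (network required):
#   fetch_chain smtp.gmail.com 587 smtp | split_chain gmail
#   for f in gmail-*.cer; do describe_cert "$f"; done
```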