How can I retrieve a chain of certificates via openssl
I have to retrieve and download to my local environment the certificate chain from a remote server. I can do it using browser embedded services, but as far as I know this approach does not work for a chain of certificates (or has some bottlenecks). That's why I am trying to use the following openssl command:
```
openssl s_client -showcerts -connect host.host:9999
```
which will print out appropriate cert info like:
```
CONNECTED(0000015C)
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
MIIcFzCCG4CgAwIBAgIGR09PUAFxMA0GCSqGSIb3DQEBBQUAMEYxCzAJBgNVBAYT
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIDC2dxMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 8040 bytes and written 310 bytes
```
How can I get this in .crt or .cer format? Can I just copy/paste this into a text file with the appropriate extension? If yes, where are the start and end of the chain?
Solution 1:[1]
I have no idea what exactly you mean by '.crt' or '.cer' format. If you copy those pieces of output between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and save them to a text file you will get a certificate chain file in PEM format (default for openssl). Your file should look something like this (2 certificates in the chain):
```
-----BEGIN CERTIFICATE-----
MIIF/DCCBWWgAwIBAgIKUCYyawAAAAB1rzANBgkqhkiG9w0BAQUFADBGMQswCQYD
<the rest of the certificate 1>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIDC2dxMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
<the rest of the certificate 2>
-----END CERTIFICATE-----
```
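
The copy-and-paste step from the answer, written as a shell filter. This is an added example, not code from the original post; the function names are illustrative and the sample input is the output quoted in the question.

```shell
# Added example (not from the original post). Function names are illustrative.

# Keep only the PEM blocks from `openssl s_client -showcerts` output on stdin.
extract_pem_chain() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { in_cert = 1 }
        in_cert                        { print }
        /^-----END CERTIFICATE-----/   { in_cert = 0 }
    '
}

# Count the certificates in a PEM stream on stdin.
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# Split a PEM chain on stdin into <prefix>-0.pem, <prefix>-1.pem, ...
# in the order the server sent them (leaf certificate first).
split_chain() {
    awk -v prefix="$1" '
        /^-----BEGIN CERTIFICATE-----/ { file = sprintf("%s-%d.pem", prefix, n++) }
        file != ""                     { print > file }
        /^-----END CERTIFICATE-----/   { close(file); file = "" }
    '
}

# Constructed sample: the s_client output quoted in the question
# (base64 bodies are truncated there, so these are not parseable certificates).
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(0000015C)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
MIIcFzCCG4CgAwIBAgIGR09PUAFxMA0GCSqGSIb3DQEBBQUAMEYxCzAJBgNVBAYT
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIDC2dxMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
-----END CERTIFICATE-----
---
EOF
}

# Against a live server:
#   openssl s_client -showcerts -connect host.host:9999 </dev/null | extract_pem_chain > chain.pem
```

`-showcerts` prints the certificates exactly as the server sent them, without verifying them, and servers usually leave out the root CA, so check the saved chain against a trusted root before relying on it.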
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 |
