Download certificate chain without OpenSSL
Daniel Nashed – 11 September 2022 08:17:08
Usually OpenSSL is the tool of choice for all types of certificate operations.
But what if no OpenSSL command line is available, for example in a Domino container where you can't install software?
After some research, I came up with keytool, which is part of the JVM that Domino ships.
It even turned out to be an easier way to download the certificate chain, with this command line:
/opt/hcl/domino/notes/latest/linux/jvm/bin/keytool -printcert -rfc -sslserver 127.0.0.1 > certs.pem
This example connects to the local server on port 443 (the default) and retrieves the complete certificate chain the server presents.
The -rfc option is important: it writes the certificates in PEM format.
Without the -rfc option, you get the details of each certificate in the chain instead:
/opt/hcl/domino/notes/latest/linux/jvm/bin/keytool -printcert -sslserver 127.0.0.1
Certificate #0
====================================
Owner: O=Automation MicroCA Certificate
Issuer: CN=DominoMicroCA, O=AutoTestLab
Serial number: 69e50f549cb8e0d294ad2c6a884778c0
Valid from: Sat Sep 10 10:03:17 CEST 2022 until: Tue Sep 12 10:03:17 CEST 2023
Certificate fingerprints:
SHA1: 4B:77:49:FB:95:3E:02:F5:8C:F7:C7:76:C1:F5:7F:EA:7B:60:CD:9C
SHA256: 9E:E7:61:FA:D1:DA:57:AA:89:3F:A8:F8:F8:CB:69:D6:7F:DB:8A:18:C4:BB:01:2F:85:FD:1F:39:9B:69:8D:42
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: automation.notes.lab
]
Certificate #1
====================================
Owner: CN=DominoMicroCA, O=AutoTestLab
Issuer: CN=DominoMicroCA, O=AutoTestLab
Serial number: 4afa2efe1b11b03f88fc34d76b3574a2
Valid from: Sat Sep 10 10:03:17 CEST 2022 until: Mon May 26 10:03:17 CEST 2025
Certificate fingerprints:
SHA1: 9C:B0:FD:60:25:B9:6D:8D:2C:F5:F3:CB:CF:F6:B8:73:EB:E9:22:EC
SHA256: 7C:DA:2D:31:7A:7A:C9:B4:7B:24:36:0E:4F:A5:A6:81:D5:27:DB:45:57:03:59:61:2F:20:01:C0:BA:52:71:1B
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
]
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: automation.notes.lab
]
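As an added example (not part of this post), the following standard-library Python script checks the certs.pem written by the keytool command above: it splits the file into its certificate blocks, verifies that each block decodes to one well-formed DER SEQUENCE (which catches a truncated or garbled download), and prints SHA1 and SHA256 fingerprints in keytool's colon-separated format so they can be compared line by line with the -printcert output shown above. The file name certs.pem is taken from the post; everything else is assumed.

```python
import base64
import hashlib
import re
import sys

# Matches one PEM certificate block as written by "keytool -printcert -rfc".
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def split_pem(pem_text):
    """Return the DER bytes of every certificate block in the PEM text, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem_text)]

def der_sequence_ok(der):
    """True if 'der' is exactly one DER SEQUENCE (tag 0x30) whose encoded length
    matches the data; a truncated download or stray text inside a block fails here."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    length = int.from_bytes(der[2:2 + n], "big")
    return len(der) == 2 + n + length

def fingerprint(der, algo):
    """Digest of the DER bytes in keytool's colon-separated upper-case form."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def chain_report(pem_text):
    """One dict per certificate: index, DER well-formedness flag, SHA1 and SHA256 fingerprints."""
    return [
        {"index": i, "der_ok": der_sequence_ok(der),
         "SHA1": fingerprint(der, "sha1"), "SHA256": fingerprint(der, "sha256")}
        for i, der in enumerate(split_pem(pem_text))
    ]

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "certs.pem"   # file from the keytool command
    with open(path) as f:
        for entry in chain_report(f.read()):
            print(f"Certificate #{entry['index']}  DER ok: {entry['der_ok']}")
            print(f"  SHA1:   {entry['SHA1']}")
            print(f"  SHA256: {entry['SHA256']}")
```

A chain that keytool printed as two certificates should yield two entries with der_ok True and fingerprints identical to the SHA1/SHA256 lines above; any mismatch means the file is not what the server sent.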