extract the CA cert for a particular server

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了extract the CA cert for a particular server相关的知识,希望对你有一定的参考价值。

Ignore Peer SSL certificate verification 

libcurl performs peer SSL certificate verification by default. This is done by using a CA certificate store that the SSL library can use to make sure the peer‘s server certificate is valid.

If you communicate with HTTPS, FTPS or other TLS-using servers using certificates that are signed by CAs present in the store, you can be sure that the remote server really is the one it claims to be.

If the remote server uses a self-signed certificate, if you don‘t install a CA cert store, if the server uses a certificate signed by a CA that isn‘t included in the store you use or if the remote host is an impostor impersonating your favorite site, and you want to transfer files from this server, do one of the following:

  1. Tell libcurl to not verify the peer. With libcurl you disable this with curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);

    With the curl command line tool, you disable this with -k/--insecure.

  2. Get a CA certificate that can verify the remote server and use the proper option to point out this CA cert for verification when connecting. For libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath);

    With the curl command line tool: --cacert [file]

 

Get cert:

openssl s_client -connect xxxxx.com:443 |tee logfile

type "QUIT", followed by the "ENTER" key

The certificate will have "BEGIN CERTIFICATE" and "END CERTIFICATE" markers.

  • -----BEGIN CERTIFICATE-----

    fiQffffpAsiHZ0qZm+ixhTxgkasCKeff5CavSWAvqD7SnpHQ==f

    -----END CERTIFICATE-----

If you want to see the data in the certificate, you can do: "openssl x509 -inform PEM -in certfile -text -out certdata" where certfile is the cert you extracted from logfile. Look in certdata.

If you want to trust the certificate, you can add it to your CA certificate store or use it stand-alone as described. Just remember that the security is no better than the way you obtained the certificate.

以上是关于extract the CA cert for a particular server的主要内容,如果未能解决你的问题,请参考以下文章

git Problem with the SSL CA cert (path? access rights?)

k8s-cert

Tutorials on training the Skip-thoughts vectors for features extraction of sentence.

The Eighth week (Lucklyzpp)

mitmproxy-ca-cert.pem手机证书文件安装(一直安装不上,折磨我了两天!)

SSL:无法加载 CA 证书文件 /etc/pki/tls/certs/ca-bundle.crt