SSL Certificate Extractor

SSL/TLS Full Chain PEM Format
Anish Nath
What You'll Get
  • Server/Leaf certificate
  • Intermediate certificates
  • Root CA certificate (if sent)
  • All in PEM format
  • Ready for analysis or import
OpenSSL Commands
Extract Certificate (Basic)
# Get server certificate only
$ openssl s_client -connect example.com:443 </dev/null 2>/dev/null | \
    openssl x509 -outform PEM
Extract Full Chain
# Get entire certificate chain
$ openssl s_client -showcerts -connect example.com:443 </dev/null | \
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
With SNI (Server Name Indication)
# Required for servers hosting multiple domains
$ openssl s_client -servername example.com \
    -connect example.com:443 -showcerts </dev/null
Save to File
# Extract and save certificate to file
$ echo | openssl s_client -servername example.com \
    -connect example.com:443 2>/dev/null | \
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.pem

Privacy Guarantee: Private keys you enter or generate are never stored on our servers. All tools are served over HTTPS.
Understanding SSL Certificates
What is a Certificate Chain?

A certificate chain (or chain of trust) is a sequence of certificates that link your server certificate to a trusted root Certificate Authority (CA). The chain typically includes:

  • Server Certificate: your domain's certificate (the leaf)
  • Intermediate CA: the bridge between the server certificate and the root
  • Root CA: trusted by browsers and operating systems
X.509 Certificate Structure

An X.509 certificate contains the following key fields:

  • Version: X.509 version (v1, v2, or v3). Most modern certificates use v3.
  • Serial Number: Unique identifier assigned by the CA. Used for revocation tracking.
  • Signature Algorithm: Algorithm used to sign the certificate (e.g., SHA256withRSA, SHA384withECDSA).
  • Issuer: Distinguished Name (DN) of the CA that issued the certificate.
  • Validity Period: Not Before and Not After dates defining the certificate lifetime.
  • Subject: DN of the entity (domain/organization) the certificate is issued to.
  • Public Key: The subject's public key and algorithm (RSA, ECDSA, Ed25519).
  • Extensions (v3): Additional attributes like SAN, Key Usage, Basic Constraints, etc.
Certificate Validation Levels
DV (Domain Validated)
Basic validation: the CA only verifies domain ownership via an email, DNS, or HTTP challenge. Fastest to obtain (minutes). Shows the padlock only.
OV (Organization Validated)
The CA verifies the organization's identity through business records. Takes 1-3 days. The organization name is visible in the certificate details.
EV (Extended Validation)
Strictest validation: legal, operational, and physical verification. Takes 1-2 weeks. Previously showed a green bar in browsers.
Important X.509 Extensions
  • Subject Alternative Name (SAN): Additional domains/IPs the certificate covers. Essential for multi-domain certs.
  • Key Usage: Permitted uses: Digital Signature, Key Encipherment, Certificate Signing, etc.
  • Extended Key Usage (EKU): Specific purposes: Server Auth (TLS), Client Auth, Code Signing, Email Protection.
  • Basic Constraints: Indicates whether the certificate is a CA (can sign other certs) and the path length limit.
  • Authority Info Access (AIA): URLs for the OCSP responder and for downloading the CA (issuer) certificate.
  • CRL Distribution Points: URLs where Certificate Revocation Lists can be downloaded.
  • Certificate Policies: OIDs indicating the validation level (DV/OV/EV) and CA practices.
TLS Handshake Overview

When you connect to an HTTPS website, the following happens:

1. Client Hello: supported ciphers and TLS version
2. Server Hello: selected cipher and the server's certificate (chain)
3. Verify Cert: chain validation and revocation checks
4. Key Exchange: both sides derive the session keys
5. Encrypted: secure communication begins
Certificate Formats
Each format is listed with its typical file extensions and encoding:
  • PEM (.pem, .crt, .cer, .key; Base64/ASCII): Most common format. Human-readable with BEGIN/END headers. Can contain multiple certs.
  • DER (.der, .cer; binary): Raw binary ASN.1 encoding. Common in Java and Windows. Single certificate only.
  • PKCS#7 / P7B (.p7b, .p7c; Base64 or binary): Contains the certificate chain only (no private key). Used by Windows and Java Tomcat.
  • PKCS#12 / PFX (.pfx, .p12; binary): Password-protected archive with certificate + private key + chain. Used for export/import.
  • JKS (.jks, .keystore; binary): Java KeyStore format. Being replaced by PKCS#12 in modern Java versions.
Common Issues & Solutions

Symptom: Works in browsers but fails in curl, mobile apps, or API clients with "unable to verify" errors.

Cause: The server is not sending its intermediate certificates. Browsers usually have common intermediates cached; most other clients do not and need the server to supply them.

Fix: Configure your server to send the full chain. Concatenate server cert + intermediates in your cert file:

cat server.crt intermediate.crt > fullchain.crt
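The property that concatenation has to produce, checked in code: the file must be in leaf-to-root order, with each certificate's Issuer equal to the next certificate's Subject. The following is an added example, not the tool's or the page's own code. It is standard-library Python that splits a PEM bundle the way the sed one-liner in the OpenSSL section does, decodes each block to DER, computes the SHA-256 fingerprint, and verifies the chain order. The sample certificates, the CA names and the tiny DER encoder are constructed for the demo; they model only the tbsCertificate field layout listed in the X.509 structure section (version, serial, signature algorithm, issuer, validity, subject) and carry no real key or signature, so the parser is intentionally minimal and is not a substitute for a full X.509 library.

```python
"""Split a PEM bundle into DER certificates and check leaf-to-root order
(each certificate's Issuer equals the next one's Subject).  Added example,
standard library only; sample "certificates" are constructed minimal DER
structures, not real X.509 certificates."""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text: str) -> list:
    """DER bytes of every CERTIFICATE block (what the sed one-liner keeps)."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def sha256_fingerprint(der: bytes) -> str:
    """Same value as `openssl x509 -noout -fingerprint -sha256`."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def der_read(buf: bytes, pos: int = 0):
    """Decode one DER TLV at buf[pos]; return (tag, content, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content: bytes):
    """Yield (tag, content) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = der_read(content, pos)
        yield tag, inner


def issuer_and_subject(der: bytes):
    """Raw DER content of the Issuer and Subject Name fields of a certificate."""
    _, cert, _ = der_read(der)              # Certificate ::= SEQUENCE { tbs, ... }
    _, tbs, _ = der_read(cert)              # tbsCertificate SEQUENCE
    fields = [v for tag, v in der_children(tbs) if tag != 0xA0]  # skip [0] version
    _serial, _sig_alg, issuer, _validity, subject = fields[:5]
    return issuer, subject


def check_chain_order(ders: list) -> list:
    """Problems found; an empty list means leaf -> intermediate(s) -> root."""
    names = [issuer_and_subject(d) for d in ders]
    return [f"cert {i} was not issued by cert {i + 1}"
            for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]


# --- constructed sample data: toy DER encoder, NOT real certificates --------
def der_tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def fake_name(cn: str) -> bytes:
    # Name ::= SEQUENCE OF SET OF { OID 2.5.4.3 (commonName), UTF8String }
    atv = der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))


def fake_cert(subject: str, issuer: str) -> bytes:
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02"))            # [0] version = v3
           + der_tlv(0x02, b"\x01")                          # serialNumber
           + der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + fake_name(issuer)
           + der_tlv(0x30, der_tlv(0x17, b"250101000000Z") + der_tlv(0x17, b"260101000000Z"))
           + fake_name(subject))
    return der_tlv(0x30, der_tlv(0x30, tbs))               # outer Certificate SEQUENCE


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = fake_cert("www.example.com", "Example Intermediate CA")
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")
GOOD_BUNDLE = to_pem(LEAF) + to_pem(INTERMEDIATE) + to_pem(ROOT)   # correct order
BAD_BUNDLE = to_pem(INTERMEDIATE) + to_pem(LEAF)                   # concatenated backwards
```

Run `check_chain_order(split_pem_bundle(open("fullchain.crt").read()))` on a real bundle saved with the OpenSSL commands above: an empty list means the file is ordered as servers expect, and a `cert 0 was not issued by cert 1` entry is the symptom of concatenating the files in the wrong order or of a missing intermediate.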

Symptom: Browser shows "Your connection is not private" or hostname verification fails.

Cause: Certificate CN/SAN doesn't match the domain you're accessing.

Fix: Ensure your certificate includes all domains in Subject Alternative Name (SAN). Wildcard certs (*.example.com) don't cover the apex domain (example.com).
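The matching rules behind that advice, as an added example (not the tool's or the page's code, standard-library Python only): a hostname checker that consults SAN dNSName entries first, matches IP literals only against SAN iPAddress entries, treats the Subject CN as a legacy fallback used only when the certificate has no SAN at all, and honours a wildcard only as the whole leftmost label, covering exactly one label, so that `*.example.com` covers `www.example.com` but neither the apex `example.com` nor `a.b.example.com`. All hostnames and SAN values in the checks are constructed sample data.

```python
"""Does a certificate's SAN/CN cover a requested hostname?  Added example,
standard library only; applies the single-label wildcard rule described above."""
import ipaddress
from typing import Optional, Sequence


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against a hostname (case-insensitive).

    A wildcard must be the entire leftmost label ('*.example.com'), needs at
    least two further labels, and matches exactly one label: it never covers
    the apex domain or a deeper subdomain."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False                      # partial or bare-TLD wildcards rejected
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_covered(host: str, san_dns: Sequence[str],
                     san_ip: Sequence[str] = (), cn: Optional[str] = None) -> Optional[str]:
    """Return the certificate name that covers `host`, or None.

    IP literals are only compared with SAN iPAddress entries; the Subject CN is
    consulted only when the certificate carries no SAN extension at all."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return next((s for s in san_ip if ipaddress.ip_address(s) == ip), None)
    for name in san_dns:
        if dns_name_matches(name, host):
            return name
    if not san_dns and not san_ip and cn and dns_name_matches(cn, host):
        return cn
    return None


if __name__ == "__main__":
    # Constructed sample: a wildcard-only certificate, as in the apex-domain pitfall above.
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print(host, "->", hostname_covered(host, ["*.example.com"]))
```

A `None` result for `example.com` against a `*.example.com`-only certificate is exactly the hostname-mismatch case described above; the fix is to issue the certificate with both `example.com` and `*.example.com` in the SAN.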

Symptom: NET::ERR_CERT_DATE_INVALID or "Certificate has expired" errors.

Cause: Certificate's "Not After" date has passed, or server clock is wrong.

Fix: Renew the certificate, ideally with an auto-renewal tool such as certbot. Also check the server's system time with the date command.

Symptom: ERR_CERT_AUTHORITY_INVALID or "Certificate is not trusted".

Cause: The certificate was not signed by a trusted CA. For a self-signed certificate, the issuer is the same as the subject.

Fix: For production, get a certificate from a trusted CA (Let's Encrypt is free). For development, add the self-signed cert to your trust store.

Symptom: Server returns certificate for wrong domain, or default/fallback certificate.

Cause: Server Name Indication (SNI) not configured correctly. Multiple sites sharing one IP need SNI.

Fix: Ensure your client sends SNI (use -servername with openssl). Check the server's virtual host configuration.

Major Certificate Authorities
  • Let's Encrypt - Free, automated DV certificates (90-day validity)
  • DigiCert - Enterprise, high-assurance certificates
  • Sectigo (Comodo) - Wide range of certificate products
  • GlobalSign - Enterprise and IoT certificates
  • GoDaddy - Domain registrar with SSL services
  • Entrust - Government and enterprise focused
  • Amazon (ACM) - Free certs for AWS services
  • Cloudflare - Free certs for proxied domains