Certificate

Extract certificate from a domain

Published on July 6, 2025

To extract the certificate use:

openssl s_client -showcerts -servername humberto.io -connect humberto.io:443 </dev/null 2>/dev/null

If your target is not using SNI you don’t need to use the -servername <fqdn> option.

Then you can pipe it with other OpenSSL commands to extract information in the format that you need.

To extract PEM formatted cert:

| openssl x509 -outform PEM

To extract the public key:

| openssl x509 -pubkey -noout

To extract the Fingerprint:

Extract certificate and key from .pfx file

Published on July 10, 2023

Extract the certificate from the .pfx file:

openssl pkcs12 -in <DOT_PFX_FILE> -clcerts -nokeys -chain -out certificate.crt

Extract the private key in .pem format without encryption from the .pfx file:

openssl pkcs12 -in <DOT_PFX_FILE> -nocerts -nodes -out private_key.pem

Convert the .pem into RSA key format:

openssl rsa -in private_key.pem -out id_rsa

If you are using OpenSSL 3 it will default it’s output to be in PKCS8 format, that contains encapsulation boundaries like this: