I will appreciate if someone can point me to a tool or approach to extract SSL/TLS certificates from live HTTPS connections (directly from the network) or from a network trace file (pcap file). I tried using ssldump but I was not able to extract the certificates. I can also use Wireshark for this (manually), but I want to do this in an automated way. I am using a Linux platform for this. Thanks
Edit: I want to extract the SSL certificate than a server sends to the client (browser) during an SSL handshake. I want to use a network sniffer (tcpdump) to capture the SSL connections in a network and then extract the certificates from the resulting pcap file (or doing it live).
Best Answer
Do you need the certificates in a particular format (PEM/DER/...)?
ssldump can show parsed ASN.1 certificates with the -N option and read a pcap file as input with -r. The following command could show you the certificates in a human-readable form.
The awk script isn't the cleanest but does the job (improvements more than welcome).
The -x option of ssldump would show you the actual packet payload (packet_data). That will include the record layer and handshake protocol fields (i.e. not the certificate only). A more intelligent script/code might be able to extract it from there and convert it to a more common format.