Wireshark – export cert

Recently I’ve been working a lot with Wireshark, and in one scenario I had to verify which certificate was used. Exporting the public certificate from Wireshark is pretty easy if you know what to do.

First you need to capture the handshake. If you see the Client/Server Hello messages but no Certificate message, you are probably looking at a resumed SSL session. You need to capture the initial handshake.

If you do get the Certificate message, you can expand the Secure Sockets Layer section in the packet details to reach the certificate.

The full certificate chain will be displayed, but you are probably interested in the first certificate. Right-click on that line and choose “Export Packet Bytes..”

Save the file as “cert.der”. The data will be saved in binary format.

Using the openssl suite, you can now convert it to a more human-readable format.

openssl x509 -inform der -in cert.der -out cert.pem
openssl x509 -in cert.pem -text -noout

The first command converts the DER file to PEM; the second prints the certificate in text form.
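
A check worth running on the exported file, as an added example that is not part of the original post: it confirms the bytes are a DER certificate, repeats the conversion above, and compares the SHA-256 fingerprint with an expected value. The function names and return codes are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a certificate
# exported from Wireshark before relying on what openssl prints about it.

# Print the SHA-256 fingerprint of a DER certificate as lowercase hex.
cert_fingerprint() {
    openssl x509 -inform der -in "$1" -noout -fingerprint -sha256 |
        sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# check_exported_cert <cert.der> [expected-sha256]
# Writes the PEM next to the input and prints the identifying fields.
# Returns 1 if the file is not a DER certificate, 2 on fingerprint mismatch.
check_exported_cert() {
    der=$1
    # Accept the expected value with or without colons, in either case.
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    pem=${der%.der}.pem

    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    first=$(od -An -tx1 -N1 "$der" | tr -d ' \n')
    if [ "$first" != "30" ]; then
        echo "$der: first byte is 0x$first, not 0x30; wrong bytes exported?" >&2
        return 1
    fi

    # Same conversion as in the post; fails if the bytes do not parse as X.509.
    openssl x509 -inform der -in "$der" -out "$pem" || return 1
    openssl x509 -in "$pem" -noout -subject -issuer -dates

    actual=$(cert_fingerprint "$der")
    echo "sha256=$actual"
    if [ -n "$expected" ] && [ "$actual" != "$expected" ]; then
        echo "$der: fingerprint does not match expected $expected" >&2
        return 2
    fi
    return 0
}

# Run directly: sh check_cert.sh cert.der [expected-sha256]
if [ "$#" -gt 0 ]; then
    check_exported_cert "$@"
fi
```

The fingerprint is the SHA-256 digest of the DER bytes, so it can be compared directly with the fingerprint of the certificate you expected the server to present.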

Source Capture Cert: https://www.wireshark.org/lists/wireshark-users/201003/msg00080.html
Source Convert Cert: https://www.sslshopper.com/article-most-common-openssl-commands.html

 
