OpenSSL
Connect to TLS service
openssl s_client -brief -connect <host>:<port>
Tip
RTFM for additional options: openssl help s_client
Reference: poftut.com/use-openssl-s_client-check-verify-ssltls-https-webserver/
Create Self-Signed CA
openssl req -x509 -nodes -newkey rsa:4096 -keyout [out.key] -out [out.pem] -days 365 -subj '/CN=[COMMON NAME]'
Extract certificates from service
openssl s_client -showcerts -connect <host>:<port> < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}' && for cert in *.crt; do newname=$(openssl x509 -noout -subject -in $cert | sed -n 's/^.*CN=\(.*\)$/\1/; s/[ ,.*]/_/g; s/__/_/g; s/^_//g;p').pem; mv $cert $newname; done