OpenSSL

Connect to TLS service

openssl s_client -brief -connect <host>:<port>

Tip

RTFM for additional options: openssl help s_client

Reference: poftut.com/use-openssl-s_client-check-verify-ssltls-https-webserver/

Create Self-Signed CA

openssl req -x509 -nodes -newkey rsa:4096 -keyout [out.key] -out [out.pem] -days 365 -subj '/CN=[COMMON NAME]'

Extract certificates from service

openssl s_client -showcerts -connect <host>:<port> < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}' && for cert in cert*.crt; do newname=$(openssl x509 -noout -subject -in "$cert" | sed -n 's/^.*CN *= *\(.*\)$/\1/; s/[ ,.*]/_/g; s/__/_/g; s/^_//g;p').pem; mv -- "$cert" "$newname"; done
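A follow-up check for the .pem files the extraction step writes, as an added example that is not part of the original cheatsheet: it prints subject, issuer, expiry and SHA-256 fingerprint for each certificate and flags self-signed or soon-to-expire ones. The function names `audit_certs` and `make_demo_cert`, the 30-day default threshold and the demo certificate (CN=demo.example.test, rsa:2048 for speed) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page.
# audit_certs DIR [DAYS]: summarise every PEM certificate in DIR.
# Returns 1 if any certificate expires within DAYS (default 30, assumed).
audit_certs() {
    dir=$1
    days=${2:-30}
    rc=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        # Skip files that do not parse as X.509 (for example private keys).
        openssl x509 -noout -in "$pem" 2>/dev/null || continue
        subject=$(openssl x509 -noout -subject -in "$pem")
        issuer=$(openssl x509 -noout -issuer -in "$pem")
        echo "file: $pem"
        echo "  $subject"
        echo "  $issuer"
        echo "  $(openssl x509 -noout -enddate -in "$pem")"
        echo "  $(openssl x509 -noout -fingerprint -sha256 -in "$pem")"
        # Identical subject and issuer DN: self-signed (root or test cert).
        if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
            echo "  note: self-signed"
        fi
        # -checkend N exits non-zero when the cert expires within N seconds.
        if ! openssl x509 -noout -checkend $((days * 86400)) -in "$pem" >/dev/null; then
            echo "  WARNING: expires within $days days"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: a throwaway self-signed certificate created
# with the req command from this page (CN is made up for the demo).
make_demo_cert() {
    openssl req -x509 -nodes -newkey rsa:2048 -keyout "$1/out.key" \
        -out "$1/out.pem" -days 365 -subj '/CN=demo.example.test' 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir" && audit_certs "$demo_dir" 30
rm -rf "$demo_dir"
```

Run `audit_certs .` in the directory where the extraction command renamed the certificates; the non-zero return makes it usable as a gate in a monitoring script.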

OpenSSL Cheatsheet