Step 1: fetch the certificate from the command line
openssl s_client -connect -showcerts
Step 2: locate the certificate in the output
In the command's output, everything between -----BEGIN CERTIFICATE-----
and -----END CERTIFICATE-----
(including that header and footer line) is the certificate.
This site's chain consists of two certificates:
➜ ~ openssl s_client -connect -showcerts
CONNECTED(00000003)
depth=1 /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=CN/ST=Guangdong/L=Shenzhen/O=WeBank Co.,
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CN/ST=Guangdong/L=Shenzhen/O=WeBank Co.,
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 3526 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES128-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 2D6BBAC386706E321D566C50321DE9907B2F532C080CE81F9D8D7C086DF88A5FEA9CF4DCDC87D939152166031B5371B1
Key-Arg : None
Start Time: 1477988161
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Step 3: create the certificate file
Copy the block from BEGIN to END, create a file named certificate.pem and paste it in. The pasted content looks like the block below; this is the base64-encoded PEM form of the certificate.
An X.509 certificate comes in two encodings:
- base64-encoded PEM (the form Java tooling commonly uses)
- binary DER (the only form iOS accepts)
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
Step 4: convert the encoding
In iOS development only DER-encoded certificates are supported, so the PEM certificate obtained above has to be converted to the binary DER encoding:
openssl x509 -outform der -in certificate.pem -out certificate.der
A complete one-liner that writes out the leaf certificate of the chain (openssl x509 reads only the first certificate in its input, which is the server's own):
openssl s_client -connect </dev/null 2>/dev/null | openssl x509 -outform DER > https.cer
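To make steps 2 to 4 concrete, the following is an added Python example (not code from the original post): it pulls each BEGIN/END block out of a constructed s_client transcript laid out like the output above, pairs it with its s:/i: lines, base64-decodes the body to DER exactly as openssl x509 -outform der does, and computes the SHA-256 fingerprint an iOS client would pin against. The certificate bodies are constructed stand-ins, not real X.509 data, and the function names are this example's own.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded certificates (tiny ASN.1 SEQUENCEs, not real
# X.509 data) so the example runs offline and the PEM -> DER step can be checked exactly.
LEAF_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"
CA_DER = b"\x30\x06\x02\x01\x03\x02\x01\x04"

def der_to_pem(der: bytes) -> str:
    # PEM is just the base64 body between the markers (real bodies wrap at 64 columns).
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----"

# Constructed, abbreviated `openssl s_client -showcerts` transcript: index, s: subject, i: issuer, PEM block.
S_CLIENT_OUTPUT = f"""Certificate chain
 0 s:/C=CN/ST=Guangdong/L=Shenzhen/O=WeBank Co.,
   i:/C=US/O=Symantec Corporation/CN=Symantec Class 3 Secure Server CA - G4
{der_to_pem(LEAF_DER)}
 1 s:/C=US/O=Symantec Corporation/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G5
{der_to_pem(CA_DER)}
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----", re.S)
ENTRY_RE = re.compile(r"^ *(\d+) s:(.*)\n *i:(.*)$", re.M)

def pem_to_der(pem_block: str) -> bytes:
    """What `openssl x509 -outform der` does: drop the markers, base64-decode the body.
    validate=True makes a block damaged in copy-paste fail here, not as a .der iOS rejects."""
    m = PEM_RE.search(pem_block)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 of the DER, the value an iOS client would pin against."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def parse_chain(output: str) -> list:
    """Pair every chain entry's subject/issuer with its PEM block decoded to DER."""
    blocks = [m.group(0) for m in PEM_RE.finditer(output)]  # header and footer included
    entries = ENTRY_RE.findall(output)
    if len(blocks) != len(entries):
        raise ValueError("chain entries and PEM blocks do not line up")
    chain = []
    for (index, subject, issuer), block in zip(entries, blocks):
        der = pem_to_der(block)
        chain.append({"index": int(index), "subject": subject.strip(), "issuer": issuer.strip(),
                      "der": der, "sha256": sha256_fingerprint(der)})
    return chain
```

Entry 0 of the returned list is the server's own certificate, the one the openssl one-liner above writes to https.cer.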
About certificate file extensions:
Common ones are cer, pem, der, p12 and so on; see the other article on iOS security for details.