How to get the CA PEM for a Server
Download from CA
If you know the CA, check their download section.
Using a Browser
This only works for HTTPS servers:
- Open the website you want to access
- Open the encryption info (e.g. Chrome: lock icon at URL → show certificate)
- Display the certificate chain (e.g. Chrome: tab “Details”, first element)
- Select the last entry before the actual server certificate
- Export the certificate in PEM format (usually the default)
- Install the file contents as shown above
Using OpenSSL or GNU TLS CLI
This works for all servers and ports:
openssl s_client -connect HOSTNAME:PORT -servername HOSTNAME -showcerts </dev/null \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
gnutls-cli --print-cert --port PORT HOSTNAME </dev/null \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
Substitute HOSTNAME and PORT accordingly, e.g. https = port 443. The sed just strips the other info from the output and can be omitted to check for errors or details.
There should be two certificates in the output; look for the BEGIN and END markers. The first one is the server certificate, the second one is the CA certificate. Copy that second certificate into the editor, taking care to include the BEGIN and END lines.
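The copy step above can be scripted. The following is an added example, not part of the original page: it filters the certificate blocks out of the command output as the sed expression does, returns the second one, and computes its SHA-256 fingerprint so it can be compared with a fingerprint obtained from the CA where one is published. The function names are hypothetical, and the sample input is constructed from placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

# Same span the sed filter keeps: everything between the BEGIN and END markers.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def to_pem(der: bytes) -> str:
    """Encode DER bytes as a PEM certificate block with 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def extract_certs(output: str) -> list[bytes]:
    """Return the DER bytes of every certificate block, in the order printed."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(output)]

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, as colon-separated upper-case hex."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def pick_ca(output: str) -> tuple[str, str]:
    """Return (PEM, fingerprint) of the second certificate in the output."""
    certs = extract_certs(output)
    if len(certs) < 2:
        # The server sent only its own certificate; there is nothing to copy.
        raise ValueError(f"expected at least 2 certificates, found {len(certs)}")
    return to_pem(certs[1]), fingerprint(certs[1])

# Constructed sample: placeholder bytes wrapped in PEM markers and surrounded
# by the kind of extra text the sed filter removes. Not real certificates.
SAMPLE_LEAF = b"constructed placeholder standing in for the server certificate"
SAMPLE_CA = b"constructed placeholder standing in for the CA certificate"
SAMPLE_OUTPUT = (
    "CONNECTED\n---\nCertificate chain\n 0 s:CN = HOSTNAME\n"
    + to_pem(SAMPLE_LEAF)
    + " 1 s:CN = Constructed CA\n"
    + to_pem(SAMPLE_CA)
    + "---\nDONE\n"
)

if __name__ == "__main__":
    pem, fp = pick_ca(SAMPLE_OUTPUT)
    print(pem, end="")
    print("SHA-256 fingerprint:", fp)
```

To use it on real output, pass the text printed by one of the commands above to `pick_ca` instead of `SAMPLE_OUTPUT`.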