Wireshark mailing list archives
Re: Extracting SSL Certificates
From: Sake Blok <sake () euronet nl>
Date: Wed, 10 Mar 2010 08:26:20 +0100
Is it possible to extract the x509 SSL certificate from a pcap file? I'm trying to compare an SSL certificate that I have with the one captured in a traffic capture. Searching the archives (and Google) has only provided discussions on decrypting SSL traffic, which is more than I need.
Yes, that's possible. Open the tracefile, then:

1) Make sure the setting "Allow subdissector to reassemble TCP streams" is on in the TCP protocol preferences
2) Go to the packet which contains the SSL handshake message "Certificate"
3) In the packet detail pane, expand the SSL protocol
4) Expand the "Certificate" TLS record
5) Expand the "certificate" handshake protocol
6) Expand the list of certificates. There is now a list of certificate lengths and certificates (the list could be only 1 certificate). The first certificate is the server certificate, the second its signing CA, the third the CA that signed the CA, etc.
7) Right-click on the certificate that you want to export
8) Choose "Export selected packet bytes..."
9) Choose a filename and click on save

You now have a file containing the certificate in DER format. You can use openssl to process the certificate as needed.

Cheers,
Sake
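Added example, not part of the original post: a Python sketch of the structure expanded in step 6 and of the comparison the question asks about. It goes slightly beyond the steps above by splitting a whole exported "Certificate" handshake message (TLS 1.2 and earlier layout, which is an assumption here) into its DER certificates, then compares a captured certificate with a reference copy by SHA-256 fingerprint. Function names and the sample bytes are constructed for illustration.

```python
import hashlib
import ssl

def split_certificate_message(msg: bytes) -> list:
    """Split a TLS <= 1.2 Certificate handshake message into DER certificates.

    Layout: type (1 byte, value 11), length (3), certificate list length (3),
    then for each certificate: length (3) followed by the DER bytes.
    """
    if len(msg) < 7 or msg[0] != 11:
        raise ValueError("not a Certificate handshake message")
    if int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("length mismatch: message truncated or not reassembled")
    if int.from_bytes(msg[4:7], "big") != len(msg) - 7:
        raise ValueError("certificate list length mismatch")
    certs, pos = [], 7
    while pos < len(msg):
        cert_len = int.from_bytes(msg[pos:pos + 3], "big")
        pos += 3
        if cert_len == 0 or pos + cert_len > len(msg):
            raise ValueError("bad certificate length in list")
        certs.append(msg[pos:pos + cert_len])
        pos += cert_len
    return certs  # server certificate first, then its issuers

def to_der(cert: bytes) -> bytes:
    """Return DER bytes for a certificate supplied as either DER or PEM."""
    text = cert.strip()
    if text.startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    return cert

def sha256_fingerprint(cert: bytes) -> str:
    return hashlib.sha256(to_der(cert)).hexdigest()

def same_certificate(captured: bytes, reference: bytes) -> bool:
    """Compare DER encodings, so PEM vs DER packaging does not matter."""
    return sha256_fingerprint(captured) == sha256_fingerprint(reference)

# Constructed sample: two placeholder DER blobs (not real certificates)
# wrapped in a Certificate handshake message.
SAMPLE_CERTS = [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"]
_body = b"".join(len(c).to_bytes(3, "big") + c for c in SAMPLE_CERTS)
SAMPLE_MSG = (b"\x0b" + (len(_body) + 3).to_bytes(3, "big")
              + len(_body).to_bytes(3, "big") + _body)

if __name__ == "__main__":
    for i, der in enumerate(split_certificate_message(SAMPLE_MSG)):
        print(i, sha256_fingerprint(der))
```

With a file exported in step 9, read it in binary mode and pass its bytes to `same_certificate` together with the bytes of the certificate you already have.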