3

How can I grab the root SSL certificate, together with any intermediates, to a file from a given URL? Ideally through some Linux shell-compatible command line, but manually will do if I have to. Update: Interactively, using Chrome, if I examine a certificate I can optionally export it. And there's a way to grab the entire chain, if applicable. So now I'm only looking for a scriptable method.

Background:

mono nuget.exe install ./packages.config -o ./packages

will install project packages on Ubuntu, as long as the required certificates are installed in the machine's Trust store. In part, it's done like this:

$ certmgr -ssl https://nugetgallery.blob.core.windows.net

This command, with the -ssl option, grabs the certificate and any intermediates from the specified url, and requires user confirmation. I'm trying to automate server builds, so I'd like to get the certificates added without requiring user confirmation.

I've tried piping the response into the command - i.e.:

$ echo "Yes" | certmgr -ssl https://nugetgallery.blob.core.windows.net

That doesn't work. I've tried to export the certificates to a file, so I can add them to my build project, but mono certmgr hasn't implemented 'put' yet.

Pauli Price
  • Perhaps this helps: http://stackoverflow.com/questions/14773904/perl-script-for-showing-ssl-certs – Henk Langeveld Oct 04 '13 at 08:13
  • Thanks. That's got me pointed in the right direction. The perl mod is a wrapper around openssl - which I have already installed. Using OpenSSL as a search term led me to this SO answer: http://stackoverflow.com/a/16797458/149060 - which appears promising. – Pauli Price Oct 04 '13 at 15:16

1 Answer

5

Assuming openssl is installed, this command line:

echo | openssl s_client \
    -showcerts \
    -connect nugetgallery.blob.core.windows.net:443 2>&1 |
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem

produces a file that contains all three certificates involved in this chain.

Thanks to this answer to this question: Using openssl to get the certificate from a server for the solution to get the chain. The following commands will get the saved certificates loaded into the Trust store.

openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b
certmgr -add -c -m Trust ./cert.p7b
Pauli Price
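The pipeline in the answer imports whatever chain the server presents at fetch time, so an unattended build benefits from comparing each fetched certificate's SHA-256 fingerprint against values committed with the project before calling certmgr. The script below is an added example, not part of the original answer; the function names and the pin file (one fingerprint per line) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): fetch a server's chain, split it,
# and import it only when every certificate matches a fingerprint pinned in the repo.
# Hypothetical names: fetch_chain, split_chain, cert_fp, verify_pins, import_pinned.

# Save the certificates the server sends (SNI set explicitly via -servername).
fetch_chain() {  # fetch_chain HOST OUTFILE
    openssl s_client -showcerts -servername "$1" -connect "$1:443" </dev/null 2>/dev/null |
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$2"
}

# Split a PEM bundle into DIR/cert-1.pem, DIR/cert-2.pem, ...; prints the count.
split_chain() {  # split_chain BUNDLE DIR
    mkdir -p "$2" &&
    awk -v dir="$2" '
        /-BEGIN CERTIFICATE-/ { n++; out = dir "/cert-" n ".pem" }
        out != ""             { print > out }
        /-END CERTIFICATE-/   { close(out); out = "" }
        END                   { print n + 0 }' "$1"
}

# SHA-256 fingerprint of one certificate, as colon-separated hex pairs.
cert_fp() {  # cert_fp CERTFILE
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeed only if every cert in DIR has its fingerprint listed in PINFILE.
verify_pins() {  # verify_pins DIR PINFILE
    for c in "$1"/cert-*.pem; do
        [ -f "$c" ] || return 1                      # an empty chain is a failure
        fp=$(cert_fp "$c"); [ -n "$fp" ] || return 1 # unparseable cert is a failure
        grep -qixF "$fp" "$2" || { echo "unpinned: $c $fp" >&2; return 1; }
    done
}

# Unattended import: fetch, split, verify, then the import step from the answer.
import_pinned() {  # import_pinned HOST PINFILE
    work=$(mktemp -d) || return 1
    fetch_chain "$1" "$work/chain.pem" &&
    split_chain "$work/chain.pem" "$work/certs" >/dev/null &&
    verify_pins "$work/certs" "$2" &&
    openssl crl2pkcs7 -nocrl -certfile "$work/chain.pem" -out "$work/chain.p7b" &&
    certmgr -add -c -m Trust "$work/chain.p7b"
}
```

A build script would call `import_pinned nugetgallery.blob.core.windows.net pins.txt` and fail the build on a non-zero exit; the pin file is populated once from a trusted network by running `cert_fp` on each split certificate and reviewing the output.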