Wireshark-users: Re: [Wireshark-users] Extracting SSL Certficates

From: Sake Blok <sake@xxxxxxxxxx>
Date: Wed, 10 Mar 2010 08:26:20 +0100
> Is it possible to extract the x509 ssl certificate from a pcap file? I'm trying to compare a ssl certificate that I have with the one captured in a traffic capture. Searching the archives (and google) have only provided discussions on decrypting ssl traffic which is more than I need.

Yes, that's possible. open the tracefile

1) make sure the setting "Allow subdissector to reassemble TCP streams" is on in the TCP protocol preferences
2) Then go to the packet which contains the SSL handshake message "Certificate"
3) In the packet detail pane, expand the SSL protocol
4) Expand the "Certificate" TLS record
5) Expand the "certificate" handshake protocol
6) Expand the list of certificates. There is now a list of certificate length and certificates (the list could be only 1 certificate). The first certificate is the server certificate, the second it's signing CA, the third the CA that signed the CA, etc.
7) Now rightclick on the certificate that you want to export
8) Choose "Export selected packet bytes..."
9) Choose a filename and click on save

You now have a file containing the certificate in DER format. You can use openssl to process the certificate as needed.