How to export the SSL certificate from a Wireshark packet capture

April 10th, 2014

How to obtain the SSL certificate from a Wireshark packet capture:

  1. From the Wireshark menu choose Edit > Preferences and ensure that “Allow subdissector to reassemble TCP streams” is ticked in the TCP protocol preferences
  2. Find “Certificate, Server Hello” (or Client Hello if it is a client-side certificate that you are interested in obtaining).
  3. In the packet detail pane, expand the Secure Sockets Layer protocol
  4. Expand the “TLSv1 Record Layer: Handshake Protocol: Certificate” field
  5. Expand the “Handshake Protocol: Certificate” field
  6. Expand the list of certificates. There may be one or more certificates depending upon whether a chain of trust is present. The first certificate is the server certificate, the second is the signing Certificate Authority, the third the CA that trusted/signed that Certificate Authority and so on.
  7. Right-click on the certificate that you wish to obtain, then choose “Export selected packet bytes…” and name the file with a .der extension.

The file contains the certificate in DER format. OpenSSL can be used to view the certificate:

C:\openssl\bin>openssl x509 -in certs\www.servername.com.der -inform der -text -noout
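
The certificate list expanded in steps 4 to 6 is a length-prefixed structure in TLS 1.0 to 1.2, so the same split can be done in code. The Python below is an added example, not part of the original post: it assumes the input is the raw bytes of the whole “Handshake Protocol: Certificate” field, and the function names and sample bytes are constructed for illustration.

```python
import hashlib

HANDSHAKE_CERTIFICATE = 11  # handshake type of the Certificate message


def _u24(buf, off):
    """Read one of the message's 3-byte big-endian length fields."""
    if off + 3 > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[off:off + 3], "big")


def split_certificate_message(msg):
    """Return the DER certificates of a TLS 1.0-1.2 Certificate handshake
    message (type, 3-byte length, certificate_list), server certificate first."""
    if len(msg) < 7 or msg[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    body_len = _u24(msg, 1)
    if 4 + body_len > len(msg):
        raise ValueError("message truncated (was TCP reassembly enabled?)")
    list_len = _u24(msg, 4)
    if list_len + 3 != body_len:
        raise ValueError("certificate_list length disagrees with message length")
    certs, off, end = [], 7, 7 + list_len
    while off < end:
        cert_len = _u24(msg, off)
        off += 3
        if cert_len == 0 or off + cert_len > end:
            raise ValueError("certificate entry overruns the list")
        der = msg[off:off + cert_len]
        if der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
            raise ValueError("entry does not start with a DER SEQUENCE tag")
        certs.append(der)
        off += cert_len
    return certs


def build_sample_message():
    """Constructed input: two placeholder DER SEQUENCEs, not real certificates."""
    blobs = [bytes.fromhex("3003020101"), bytes.fromhex("3003020102")]
    entries = b"".join(len(b).to_bytes(3, "big") + b for b in blobs)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([HANDSHAKE_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for i, der in enumerate(split_certificate_message(build_sample_message())):
        print(i, len(der), hashlib.sha256(der).hexdigest())
```

With a real capture, each returned element is the same DER blob that step 7 exports, and a truncation error usually means the handshake was not reassembled (step 1).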

See this post for more examples of OpenSSL and certificate encoding types: http://darenmatthews.com/blog/?p=1299
