Certificate Ripper 🔐

A CLI tool to extract server certificates

Demo

Advantages

It is fast
Easy to use
No openssl required
Runs on any Operating System
Can be used with or without Java, native executables are present in the releases
Extracts all the sub-fields of the certificate
Certificates can be formatted to PEM format
Bulk extraction of multiple different urls with a single command is possible
Extracted certificates can be stored automatically into a p12 truststore
Works also behind a proxy

Installing & Usage

Mac OS X - Homebrew 🍺

brew tap hakky54/crip
brew install crip
crip print --url=https://stackoverflow.com/

Windows

Download the latest binary here: Releases
Extract the compressed file
Start cmd and cd to the extracted file
Run start /b "" "crip.exe" print --url=https://stackoverflow.com/

Linux

From Source

Download the latest binary here: Releases
Extract the compressed file
Add the reference to your environment variables: export CRIP_HOME=/path/to/crip/binary
Run crip print --url=https://stackoverflow.com/

Contributed/Unofficial Installation Methods

Arch-Linux (AUR)

Install the certificate-ripper-bin AUR package
Run crip print --url=https://stackoverflow.com/

NixOS (nixpkgs)

Run nix-shell -p certificate-ripper or add pkgs.certificate-ripper to your configuration.nix file
Run crip print --url=https://stackoverflow.com/

Using Executable JAR

Minimum requirements:

Java 8
A terminal

Setup

Download the latest JAR here: Releases
Run it with java -jar crip.jar print --url=https://youtube.com/

CLI Options

Usage: crip [COMMAND]
Commands:
  print             Prints the extracted certificates to the console
  export p12        Export the extracted certificate to a PKCS12/p12 type truststore
  export jks        Export the extracted certificate to a JKS (Java KeyStore) type truststore
  export der        Export the extracted certificate to a binary form also known as DER
  export pem        Export the extracted certificate to a base64 encoded string also known as PEM
  
Usage: crip print
Prints the extracted certificates to the console
  -f, --format              To be printed certificate format. This option is not required. Default is human-readable.
  -u, --url                 Url of the target server to extract the certificates. Can be provided multiple times.
  -t, --timeout             Amount of milliseconds till the ripping should timeout
      --resolve-ca          Indicator to automatically resolve the root ca

Usage: crip export pkcs12
Export the extracted certificate to a PKCS12/p12 type truststore
  -p, --password            TrustStore password. This option is not required. Default is changeit.
  -u, --url                 Url of the target server to extract the certificates. Can be provided multiple times.
  -d, --destination         Destination of the to be stored file. Default is current directory if none is provided.
  -t, --timeout             Amount of milliseconds till the ripping should timeout
      --resolve-ca          Indicator to automatically resolve the root ca
      
Usage: crip export der
Export the extracted certificate to a binary form also known as DER
  -u, --url                 Url of the target server to extract the certificates. Can be provided multiple times.
  -c, --combined            Indicator to either combine all of the certificate into one file for a given url or export into individual files.
  -d, --destination         Destination of the to be stored file. Default is current directory if none is provided.
  -t, --timeout             Amount of milliseconds till the ripping should timeout
      --resolve-ca          Indicator to automatically resolve the root ca

Usage: crip export pem
Export the extracted certificate to a base64 encoded string also known as PEM
  -u, --url                 Url of the target server to extract the certificates. Can be provided multiple times.
  -c, --combined            Indicator to either combine all of the certificate into one file for a given url or export into individual files.
  -d, --destination         Destination of the to be stored file. Default is current directory if none is provided.
      --include-header      Indicator to either omit or include additional information above the BEGIN statement.
  -t, --timeout             Amount of milliseconds till the ripping should timeout
      --resolve-ca          Indicator to automatically resolve the root ca
      
Proxy options applicable for all commands
      --proxy-host          Proxy host
      --proxy-port          Proxy port
      --proxy-password      Password for authenticating the user for the given proxy
      --proxy-user          User for authenticating the user for the given proxy

Example usages

Single export

crip export pkcs12 -u=https://github.com

Bulk export

crip export pkcs12 \
-u=https://youtube.com \
-u=https://github.com \
-u=https://stackoverflow.com \
-u=https://facebook.com

Specify custom truststore destination path

crip export pkcs12 -u=https://github.com -d=/path/to/directory

Print in human-readable format

crip print -u=https://github.com

Print in PEM format

crip print -u=https://github.com -f=pem

Batch print in PEM format

crip print -f=pem \
-u=https://youtube.com \
-u=https://github.com \
-u=https://stackoverflow.com \
-u=https://facebook.com

Extracting behind a proxy

crip print -u=https://stackoverflow.com --proxy-host=my-host.com --proxy-port=1234 --proxy-user=foo --proxy-password

Combining certificates

crip export pem -u=https://github.com --combined=true

Defining custom file name

Works only with the combined option while only specifying a single url.

crip export pem -u=https://github.com --combined=true --destination=/path/to/export/github-chain.crt

Contributing

There are plenty of ways to contribute to this project:

Give it a star
Share it with a
Submit a PR

Hakky54 / certificate-ripper