Hakky54/certificate-ripper

Certificate Ripper

A CLI tool to extract server certificates

Advantages

  • It is fast
  • Easy to use
  • No openssl required
  • Runs on any Operating System
  • Can be used with or without Java; native executables are available in the releases
  • Extracts all the sub-fields of the certificate
  • Certificates can be formatted to PEM format
  • Bulk extraction from multiple URLs with a single command is possible
  • Extracted certificates can be stored automatically in a p12 truststore
  • Also works behind a proxy

Installing

  • Mac OS X - Homebrew 🍺
    • Run brew tap hakky54/crip && brew install crip
  • Linux & Windows
    • Download the latest binary here: Releases

Contributed/Unofficial Installation Methods

  • Arch-Linux (AUR)
  • NixOS (nixpkgs)
    • Run nix-shell -p certificate-ripper or add pkgs.certificate-ripper to your configuration.nix file

Build locally

Build native executable

Minimum requirements:

  1. GraalVM 17 with Native Image
  2. Maven
  3. Terminal

Additional OS specific requirements

  • Linux: sudo apt-get update && sudo apt-get install build-essential libz-dev zlib1g-dev -y
  • Mac: xcode-select --install
  • Windows: Visual Studio app

mvn clean install -Pnative-image \
 && ./target/crip print --url=https://youtube.com/

The native executable for your OS will be available in the target directory under the file name crip.

Build Java fat jar

Minimum requirements:

  1. Java 8
  2. Maven
  3. Terminal

mvn clean install \
 && java -jar target/crip.jar print --url=https://youtube.com/

The fat jar will be available in the target directory under the file name crip.jar.

CLI Options

Usage: crip [COMMAND]
Commands:
  print             Prints the extracted certificates to the console
  export p12        Export the extracted certificate to a PKCS12/p12 type truststore
  export jks        Export the extracted certificate to a JKS (Java KeyStore) type truststore
  export der        Export the extracted certificate to a binary form also known as DER
  export pem        Export the extracted certificate to a base64 encoded string also known as PEM
  
Usage: crip print
Prints the extracted certificates to the console
  -f, --format              To be printed certificate format. This option is not required. Default is human-readable.
  -u, --url                 Url of the target server to extract the certificates. Can be provided multiple times.
  -t, --timeout             Amount of milliseconds till the ripping should timeout
      --resolve-ca          Indicator to automatically resolve the root ca

Usage: crip export pkcs12
Export the extracted certificate to a PKCS12/p12 type truststore
  -p, --password            TrustStore password. This option is not required. Default is changeit.
  -u, --url                 Url of the target server to extract the certificates. Can be provided multiple times.
  -d, --destination         Destination of the to be stored file. Default is current directory if none is provided.
  -t, --timeout             Amount of milliseconds till the ripping should timeout
      --resolve-ca          Indicator to automatically resolve the root ca
      
Usage: crip export der
Export the extracted certificate to a binary form also known as DER
  -u, --url                 Url of the target server to extract the certificates. Can be provided multiple times.
  -c, --combined            Indicator to either combine all of the certificate into one file for a given url or export into individual files.
  -d, --destination         Destination of the to be stored file. Default is current directory if none is provided.
  -t, --timeout             Amount of milliseconds till the ripping should timeout
      --resolve-ca          Indicator to automatically resolve the root ca

Usage: crip export pem
Export the extracted certificate to a base64 encoded string also known as PEM
  -u, --url                 Url of the target server to extract the certificates. Can be provided multiple times.
  -c, --combined            Indicator to either combine all of the certificate into one file for a given url or export into individual files.
  -d, --destination         Destination of the to be stored file. Default is current directory if none is provided.
      --include-header      Indicator to either omit or include additional information above the BEGIN statement.
  -t, --timeout             Amount of milliseconds till the ripping should timeout
      --resolve-ca          Indicator to automatically resolve the root ca
      
Proxy options applicable for all commands
      --proxy-host          Proxy host
      --proxy-port          Proxy port
      --proxy-password      Password for authenticating the user for the given proxy
      --proxy-user          User for authenticating the user for the given proxy

Example usages

Single export

crip export pkcs12 -u=https://github.com

Bulk export

crip export pkcs12 \
-u=https://youtube.com \
-u=https://github.com \
-u=https://stackoverflow.com \
-u=https://facebook.com

Specify custom truststore destination path

crip export pkcs12 -u=https://github.com -d=/path/to/directory

Print in human-readable format

crip print -u=https://github.com

Print in PEM format

crip print -u=https://github.com -f=pem

Batch print in PEM format

crip print -f=pem \
-u=https://youtube.com \
-u=https://github.com \
-u=https://stackoverflow.com \
-u=https://facebook.com

Extracting behind a proxy

crip export pem \
-u=https://stackoverflow.com \
--proxy-host=my-host.com \
--proxy-port=1234 \
--proxy-user=foo \
--proxy-password

Combining certificates

crip export pem -u=https://github.com --combined=true

Defining custom file name

Works only with the combined option and when a single URL is specified.

crip export pem -u=https://github.com --combined=true --destination=/path/to/export/github-chain.crt
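
An exported chain is whatever the server, or a proxy in between, presented at extraction time, so it is worth comparing fingerprints with known-good values before the file goes into a truststore. The script below is an added example, not part of certificate-ripper: it fingerprints every certificate in a combined PEM file and fails unless all of them are pinned. The function names, the sample data and the use of GNU base64 and sha256sum are assumptions of this example.

```sh
# Added example, not certificate-ripper code. Assumes GNU base64 and sha256sum.

# Print one lowercase hex SHA-256 per certificate in PEM file $1, hashed over
# the decoded bytes. Text outside BEGIN/END markers (such as the lines
# written by --include-header) is ignored. Exits 2 on a malformed file.
pem_fingerprints() (
  [ -r "$1" ] || exit 2
  cr=$(printf '\r'); in_cert=0; body=
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%"$cr"}                       # tolerate CRLF line endings
    case $line in
      "-----BEGIN CERTIFICATE-----") in_cert=1; body= ;;
      "-----END CERTIFICATE-----")
        [ "$in_cert" -eq 1 ] || exit 2       # END without BEGIN
        printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
        in_cert=0 ;;
      *) if [ "$in_cert" -eq 1 ]; then body=$body$line; fi ;;
    esac
  done < "$1"
  [ "$in_cert" -eq 0 ] || exit 2             # BEGIN without END
)

# Succeed only if every certificate in $1 matches one of the pinned
# fingerprints given as the remaining arguments (lowercase hex).
verify_pins() (
  file=$1; shift
  fps=$(pem_fingerprints "$file") || exit 2
  [ -n "$fps" ] || exit 2                    # no certificate found
  for fp in $fps; do
    ok=0
    for pin in "$@"; do
      if [ "$fp" = "$pin" ]; then ok=1; fi
    done
    if [ "$ok" -ne 1 ]; then echo "not pinned: $fp" >&2; exit 1; fi
  done
)

# Constructed sample: bodies are placeholder bytes ("abc", "hello"), not real DER.
sample_pem() {
  printf '%s\n' 'constructed header line above the BEGIN statement' \
    '-----BEGIN CERTIFICATE-----' 'YWJj' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'aGVs' 'bG8=' '-----END CERTIFICATE-----'
}

demo=$(mktemp); sample_pem > "$demo"
verify_pins "$demo" \
  ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
  2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 && echo "all certificates pinned"
rm -f "$demo"
```

With a real export, pass the file written by crip export pem --combined=true as the first argument and fingerprints obtained out of band as the pins.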

Contributing

There are plenty of ways to contribute to this project:

  • Give it a star
  • Share it with a Tweet
  • Submit a PR