Many times, when Engineers are deploying ClearPass or other solutions that use SSL, they find that they need to install the public certificates for the Root and Intermediate CAs for the servers they are connecting to. The issue is simple if they have the certificates of the Intermediate CAs or if these servers are accessible via the web-browser. For example, using the web-browser, you can easily check the website’s supplied certificate information from the web-browser and export the certificates of the CAs and root CAs as needed. This is shown in the below image.
The challenge is how to get the CA certificates for the services that are not using https? One way that I use is using Openssl. Let’s say, you need the CA certificates for your smtp server.
You can simply run openssl with these switches and save the output (BEGIN CERTIFICATE till END CERTIFICATE to a file) as explained below.
openssl s_client -showcerts -connect SERVERNAMEorIP:PORT
openssl s_client -showcerts -connect smtp.mail.yahoo.com:465
Please note that the above command doesn’t return the root CA certificate. To get the Root CA, you need to manually obtain it from the Root CA server if your machine doesn’t have it part of its well-known trusted Root CA certificates.
Please note that there are many options that can be used with openssl s_client command. I recommend to check this link for further details.