
How to Extract SSL Server certificate from PCAP file

This article describes how to extract an SSL server certificate from a PCAP file.

Scope

FortiGate.

Solution

Notes:

  1. The PCAP file must include the 'packet data', not just the packet headers. When the capture is taken with the FortiGate CLI sniffer (diagnose sniffer packet ...), use a verbose level that includes the packet data (3 or 6); verbose 6 is used in this example. A header-only capture (verbose 1 or 4) cannot contain the certificate. The CLI sniffer writes text output, so convert it to PCAP with Fortinet's fgt2eth.pl converter before opening it in Wireshark; captures taken with the GUI packet capture feature are downloaded as PCAP already.
  2. TLS 1.3 is not supported because, by design, TLS 1.3 encrypts the server's Certificate message (it is sent after the Server Hello under the handshake traffic keys), so Wireshark shows it only as encrypted 'Application Data' records and it cannot be exported without the session keys. To capture a TLS 1.2 handshake to the same server, force the client to TLS 1.2, for example with openssl s_client -tls1_2 -connect badssl.com:443. For more information, refer to the following link: TLS 1.3: An Overview of Benefits and Risks.
  3. The sample website used here will be 'https://badssl.com/'.
  4. Make sure Wireshark is installed. Recent versions label the protocol 'TLS' (display filters begin with tls.); older versions label it 'SSL' (filters begin with ssl.).

The following are the steps to extract the SSL server certificate from a PCAP file:

Step 1: Open the PCAP in Wireshark and locate the 'Server Hello' or the following handshake packet that carries the 'Certificate' message. The display filter tls.handshake.type == 11 (ssl.handshake.type == 11 on older versions) shows only packets containing a Certificate message. In the packet details pane, expand Transport Layer Security > Handshake Protocol: Certificate > Certificates and click the 'Certificate' entry to export. The first certificate in the list is the server's own (leaf) certificate; the ones that follow are the intermediates. If the message spans several TCP segments, Wireshark reassembles it and shows the Certificate under the last segment of the message.

Step 2: 'Right-click' the selected 'Certificate' field and select 'Export Packet Bytes' (Ctrl+Shift+X). Only the bytes of the selected field are exported, which is what makes the output a valid certificate; if the whole frame is selected instead, the exported file is an Ethernet frame, not a DER certificate.

Step 3: In the save dialog, select type 'All Files' and name the file 'YourCertName.der'. The exported bytes are the raw DER (binary X.509) encoding of the certificate, so the .der extension is correct as-is; no conversion is needed.

Step 4: Once the export is successful, open the .der file to check it. On Windows, double-clicking the file opens the certificate viewer. From a shell, openssl x509 -inform DER -in YourCertName.der -noout -text prints the subject, issuer, validity and SANs, and openssl x509 -inform DER -in YourCertName.der -out YourCertName.pem converts it to PEM if a tool needs that format. If openssl reports an ASN.1 decoding error, the wrong field was selected in Step 2; go back and select the 'Certificate' entry itself.
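A scripted version of Steps 1 to 4, added here as an example (it is not from the Fortinet article and does not use Wireshark): it reads a classic pcap file, walks the TLS records in each TCP payload, and pulls the raw DER bytes out of every Certificate handshake message, skipping frames whose data was cut off by the capture (the situation note 1 warns about). The capture it parses is constructed inline, with placeholder DER blobs in place of real certificates, so it runs offline; it assumes Ethernet/IPv4/TCP frames and that each TLS record sits in a single segment (no TCP reassembly), and the file names cert0.der, cert1.der are its own choice.

```python
"""Pull DER certificates out of a TLS 1.2 handshake stored in a classic pcap file.

Added example, not part of the Fortinet article or of Wireshark. Assumes Ethernet
frames, IPv4, TCP, and one TLS record per TCP segment (no reassembly).
"""
import struct


def iter_pcap_packets(data):
    """Yield (frame_bytes, truncated) for each record of a classic pcap file."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:  # LINKTYPE_ETHERNET
        raise ValueError("example only handles Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        # incl_len < orig_len means the sniffer cut the packet: the 'packet data' is missing.
        yield data[off:off + incl_len], incl_len < orig_len
        off += incl_len


def tcp_payload(frame):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # protocol 6 = TCP
        return None
    (total,) = struct.unpack("!H", ip[2:4])
    tcp = ip[ihl:total]
    doff = (tcp[12] >> 4) * 4
    return tcp[doff:]


def parse_certificate_message(body):
    """Split a TLS Certificate handshake body into its DER certificates (leaf first)."""
    total = int.from_bytes(body[:3], "big")
    certs, p = [], 3
    while p + 3 <= 3 + total:
        clen = int.from_bytes(body[p:p + 3], "big")
        certs.append(body[p + 3:p + 3 + clen])
        p += 3 + clen
    return certs


def certs_from_tls_records(payload):
    """Walk TLS records in a TCP payload; return DER certs from every Certificate message."""
    certs, off = [], 0
    while off + 5 <= len(payload):
        ctype, _ver, rlen = struct.unpack("!BHH", payload[off:off + 5])
        body = payload[off + 5:off + 5 + rlen]
        off += 5 + rlen
        if ctype != 22:  # 22 = handshake; in TLS 1.3 the Certificate travels inside
            continue     # encrypted type-23 records, so nothing is found there
        hoff = 0
        while hoff + 4 <= len(body):  # Server Hello and Certificate may share one record
            htype = body[hoff]
            hlen = int.from_bytes(body[hoff + 1:hoff + 4], "big")
            if htype == 11:  # Certificate
                certs.extend(parse_certificate_message(body[hoff + 4:hoff + 4 + hlen]))
            hoff += 4 + hlen
    return certs


def extract_certificates(pcap_bytes):
    """Return all DER certificates found in the capture, skipping truncated frames."""
    certs = []
    for frame, truncated in iter_pcap_packets(pcap_bytes):
        if truncated:
            continue  # header-only capture: recapture with verbose 3 or 6
        payload = tcp_payload(frame)
        if payload:
            certs.extend(certs_from_tls_records(payload))
    return certs


def build_sample_pcap(truncate_to=None):
    """Constructed one-packet capture: Server Hello + Certificate in one TLS 1.2 record.
    The two 'certificates' are placeholder DER blobs, not real X.509 certificates."""
    leaf, inter = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"

    def hs(htype, body):  # handshake header: type (1 byte) + length (3 bytes)
        return bytes([htype]) + len(body).to_bytes(3, "big") + body

    server_hello = hs(2, b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00")
    chain = b"".join(len(c).to_bytes(3, "big") + c for c in (leaf, inter))
    certificate = hs(11, len(chain).to_bytes(3, "big") + chain)
    msgs = server_hello + certificate
    record = b"\x16\x03\x03" + len(msgs).to_bytes(2, "big") + msgs
    tcp = struct.pack("!HHIIBBHHH", 443, 50000, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + record
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])) + tcp  # TEST-NET addresses
    frame = b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MAC addresses (placeholders)
    incl = len(frame) if truncate_to is None else min(len(frame), truncate_to)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + struct.pack("<IIII", 0, 0, incl, len(frame)) + frame[:incl]


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    found = extract_certificates(data)
    for i, der in enumerate(found):
        with open(f"cert{i}.der", "wb") as f:  # cert0.der is the server's own certificate
            f.write(der)
    print(f"{len(found)} certificate(s) written")
```

Run it with the path to a real capture as the only argument; without one it parses the constructed sample. cert0.der is the leaf certificate and can be checked exactly as in Step 4 (openssl x509 -inform DER -in cert0.der -noout -text). On a TLS 1.3 capture it finds nothing, which is the note 2 case, and on a header-only capture every frame is skipped as truncated, which is the note 1 case.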