New get-server-tls-cert command to fetch and optionally install public TLS certs to the system store for one-way SSL

2026-03-30 09:47:35 -06:00
parent d22df65e5b
commit 6b926dfbee
4 changed files with 1508 additions and 1202 deletions
@@ -0,0 +1,16 @@
+# shellcheck disable=SC2154
+declare host="${args[host]}"
+declare port="${args[--port]}"
+declare view_only="${args[--view-only]}"
+declare output_dir="${args[--output-dir]}"
+declare filename="${args[--filename]}"
+
+if [[ "$view_only" == 1 ]]; then
+  openssl s_client -showcerts -connect "${host}:${port}"
+else
+  openssl s_client -showcerts -connect "${host}:${port}" </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p' | sudo tee "${output_dir}/${filename:-${host%%.*}}.pem"
+fi
+
+if dpkg -s ca-certificates > /dev/null 2>&1; then
+  sudo update-ca-certificates
+fi
@@ -288,3 +288,45 @@ commands:
              C-->D
              C-->F
          '
+
+  - name: get-server-tls-cert
+    help: |-
+      Retrieve the TLS certificate from a server and save it to a file.
+      If on a debian-based system and 'ca-certificates' is installed, the certificate will be installed into the system's trust store.
+    dependencies:
+      openssl: Install with either 'sudo apt install libssl-dev' or 'brew install openssl@3'
+    args:
+      - name: host
+        help: Domain name or IP address
+        required: true
+    flags:
+      - long: --port
+        short: -p
+        help: The port to connect to
+        arg: port
+        default: '443'
+        validate: port_number
+      - long: --view-only
+        short: -v
+        help: Only print the certificate(s) to stdout
+        conflicts: [--output-dir, --filename]
+      - long: --output-dir
+        short: -d
+        help: |-
+          Write the certificate to a file.
+          Defaults to `/usr/local/share/ca-certificates`.
+        arg: output
+        completions:
+          - <file>
+        conflicts: [--view-only]
+        default: /usr/local/share/ca-certificates
+      - long: --filename
+        short: -f
+        arg: filename
+        help: |-
+          The name of the '.pem' file to save the cert to.
+          By default, it is 'domain.pem'
+        conflicts: [--view-only]
+    examples:
+      - dtools network get-server-tls-cert google.com --port 443
+      - dtools network get-server-tls-cert example.com --output-dir . --filename example.com