Skip to content

binRick/tls-ca-fetch

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

10 Commits
.github/workflows
.github/workflows
Β 
Β 
docs
docs
Β 
Β 
Makefile
Makefile
Β 
Β 
README.md
README.md
Β 
Β 
build.sh
build.sh
Β 
Β 
go.mod
go.mod
Β 
Β 
main.go
main.go
Β 
Β 

Repository files navigation

tls-ca-fetch logo

tls-ca-fetch

Extract CA certificates from any TLS server β€” one command, no OpenSSL gymnastics.

Platform Language License Arch

tls-ca-fetch connects to a hostname over TLS, walks the certificate chain the server presents, and writes the CA certificate(s) to a PEM file. It can also chase the AIA extension to fetch the root CA directly from the issuer's URL. Zero dependencies, single static binary.

tls-ca-fetch demo
Certificate chain diagram

✨ Features

  • πŸ”’ One command β€” tls-ca-fetch github.com writes github.com-ca.pem, done
  • πŸ”— Full chain inspection β€” prints every cert's role, CN, issuer, expiry, and AIA URL
  • 🌿 AIA chasing (-fetch-root) β€” follows the Authority Information Access URL to also grab the root CA
  • πŸ“‹ Stdout mode (-o -) β€” pipe directly into openssl, keytool, or any other tool
  • πŸ–₯️ Cross-platform β€” Linux, macOS, Windows; amd64 and arm64
  • πŸ“¦ Single static binary, zero runtime dependencies

πŸ“‹ Requirements

Requirement Notes
Go 1.22+ Only needed if building from source
Network access to target host TCP port 443 (or custom with -port)
No root required Pure userspace TLS dial

πŸ”¨ Install

Download a pre-built binary

# Linux (amd64)
curl -Lo tls-ca-fetch https://github.com/binRick/tls-ca-fetch/raw/main/releases/v1.0.0/tls-ca-fetch-linux-amd64
chmod +x tls-ca-fetch
sudo mv tls-ca-fetch /usr/local/bin/

# macOS (Apple Silicon)
curl -Lo tls-ca-fetch https://github.com/binRick/tls-ca-fetch/raw/main/releases/v1.0.0/tls-ca-fetch-darwin-arm64
chmod +x tls-ca-fetch
sudo mv tls-ca-fetch /usr/local/bin/

# macOS (Intel)
curl -Lo tls-ca-fetch https://github.com/binRick/tls-ca-fetch/raw/main/releases/v1.0.0/tls-ca-fetch-darwin-amd64
chmod +x tls-ca-fetch
sudo mv tls-ca-fetch /usr/local/bin/

# Windows (amd64) β€” download and add to PATH
# releases/v1.0.0/tls-ca-fetch-windows-amd64.exe

Build from source

Requires Go 1.22+.

git clone https://github.com/binRick/tls-ca-fetch.git
cd tls-ca-fetch
make build          # β†’ ./tls-ca-fetch

Cross-compile all platforms

make cross          # β†’ releases/v1.0.0/tls-ca-fetch-{linux,darwin,windows}-{amd64,arm64}

Or via Docker (no local Go needed):

./build.sh

πŸš€ Usage

tls-ca-fetch [flags] <hostname> [port]

🏳️ Flags

Flag Default Description
-port 443 TLS port to connect to
-o <hostname>-ca.pem Output file path (- for stdout)
-all off Save full chain including leaf certificate
-fetch-root off Chase AIA extension to fetch root CA
-insecure off Skip TLS certificate verification
-timeout 10 Connection timeout in seconds
-version β€” Print version and exit

πŸ“– Examples

Grab the CA cert from a public site

tls-ca-fetch github.com
β†’ Connecting to github.com:443 …

Chain received: 2 certificate(s)
──────────────────────────────────────────────────────────────────────
  [0] leaf             CN=github.com                             IsCA=false
       Issuer : DigiCert TLS Hybrid ECC SHA384 2020 CA1
       Expires: 2026-03-26

  [1] intermediate CA  CN=DigiCert TLS Hybrid ECC SHA384 2020   IsCA=true
       Issuer : DigiCert Global Root CA
       Expires: 2031-04-13
       AIA    : http://cacerts.digicert.com/DigiCertGlobalRootCA.crt
──────────────────────────────────────────────────────────────────────

βœ“ Saved 1 CA certificate(s) β†’ github.com-ca.pem
  Verified: 1 PEM block(s) readable in output file

Write to stdout (pipe into another tool)

tls-ca-fetch -o - internal.corp.example | openssl x509 -noout -text

Fetch the full chain including the leaf

tls-ca-fetch -all -o chain.pem api.example.com

Chase AIA to also grab the root CA

tls-ca-fetch -fetch-root -o full-chain.pem smtp.example.com 587

Non-standard port

# Port as flag
tls-ca-fetch -port 8443 internal.example.com

# Port as positional arg
tls-ca-fetch internal.example.com 8443

Self-signed / private CA server

tls-ca-fetch -insecure -o my-internal-ca.pem vault.internal

Trust a fetched CA immediately (Linux)

tls-ca-fetch corp-proxy.internal
sudo cp corp-proxy.internal-ca.pem /usr/local/share/ca-certificates/corp-proxy.crt
sudo update-ca-certificates

βš™οΈ How it works

  1. Opens a raw TLS connection to hostname:port
  2. Reads the PeerCertificates slice from the TLS handshake state β€” no HTTP, no SNI tricks needed
  3. Prints a summary of every certificate in the chain (role, CN, issuer, expiry, AIA URL)
  4. Filters out the leaf cert (unless -all) and writes remaining CA certs as concatenated PEM blocks
  5. If -fetch-root is set, fetches the DER cert at the topmost certificate's AIA URL, parses it, and appends it to the output

🏷️ Certificate roles

Role Meaning
leaf End-entity cert β€” presented by the server, not saved by default
intermediate CA Signed by the root, signs the leaf β€” saved
root CA Self-signed, trust anchor β€” only included via -fetch-root or if the server sends it

πŸ“¦ Building releases

The build.sh script uses a Docker golang:1.22-alpine container for reproducible, CGO-disabled, stripped binaries without needing Go on the host:

VERSION=v1.1.0 ./build.sh

Output lands in releases/v1.1.0/.

πŸ”— See also

  • proc-trace-exec β€” trace exec() calls system-wide via Linux proc connector
  • proc-trace-net β€” trace network connections system-wide via Linux conntrack

πŸ“„ License

MIT

About

TLS CA Fetcher

Resources

Readme
Activity

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 3

v1.0.2 Latest
Apr 17, 2026
+ 2 releases

Packages

 
 
 

Contributors

Languages