stealchain This is a utility to extract the verified X.509 chain from a TLS connection. It takes a list of sites on the command line; for each site that it can connect to, it will dump the certificates that the peer actually sent (and not the verified chain that is built from this). It was written to assist in debugging issues with certificate chains. There are a few knobs: -ca allows the trusted CA roots to be specified via a PEM bundle of root certificates. -sni specifies the server name for SNI. This applies to all hosts in the run; if this is run as $ stealchain -sni foo.com foo.com bar.com it will attempt to use "foo.com" as the server name for both hosts. -noverify skips certificate verification. This might be useful for seeing what certificates a server is actually sending. Examples: $ stealchain kyleisom.net [+] wrote kyleisom.net.pem. $ readchain kyleisom.net.pem [+] kyleisom.net.pem: *.kyleisom.net COMODO RSA Domain Validation Secure Server CA $ stealchain google.com microsoft.com apple.com amazon.com [+] wrote google.com.pem. [+] wrote microsoft.com.pem. [+] wrote apple.com.pem. [+] wrote amazon.com.pem.