IBM Support

QRadar: How to retrieve a certificate from a server with SNI setting

How To


Summary

Server Name Indication (SNI) is an extension to the SSL and TLS protocols in which the client states the hostname it is attempting to reach in the ClientHello, at the start of the handshake. This allows a server to present multiple certificates on the same IP address and port number, so several secure (HTTPS) websites can be served from the same IP address and port without all of them sharing one certificate. A server that relies on SNI cannot choose a certificate for a client that omits the extension, and some servers abort the handshake with a TLS alert in that case.

Objective

This article provides the steps to obtain the certificate from a server that requires SNI.

Steps

An example of a service that requires SNI is MaaS360.
Without a server name, OpenSSL 1.0.x s_client sends no SNI extension. The server answers with a TLS alert and the command reports 'no peer certificate available':
openssl s_client -showcerts -verify 5 -connect services.m3.maas360.com:443 < /dev/null
verify depth is 5
CONNECTED(00000003)
140537535166352:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769:
---
no peer certificate available
---
To retrieve the certificate for a specific virtual host (services.m3.maas360.com) from the SNI server, administrators add the 'servername' option to the normal openssl command:
openssl s_client -connect services.m3.maas360.com:443 -servername services.m3.maas360.com -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > [path_to_certificate_filename]
Result
The server's certificate is saved in PEM format at [path_to_certificate_filename].
Note: OpenSSL 1.1.1 and later populate the SNI extension from the -connect hostname by default, so the first command also succeeds on those versions. The -servername option is still required when connecting to an IP address, or when the virtual host name differs from the address used to connect. The 'openssl x509' stage keeps only the first certificate from the -showcerts output (the server's own certificate); any intermediate certificates in the chain are discarded.
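As an added example (not part of the IBM article), the following POSIX shell script wraps the retrieval in functions and keeps the whole certificate chain rather than only the first certificate. The function names fetch_chain, split_chain and show_cert, and the SAMPLE_SHOWCERTS transcript, are assumptions of this example; the hostname in the usage comment is the one from the article.

```shell
#!/bin/sh
# Added example (not from the IBM article): retrieve the full chain from an
# SNI virtual host, keep every certificate, and print the leaf's details.
# Assumes openssl and awk are on PATH. SAMPLE_SHOWCERTS below is a
# constructed transcript, not real server output.

# fetch_chain HOST:PORT [SNI_NAME]
# Runs s_client with an explicit -servername. The SNI name defaults to the
# host part of HOST:PORT, which matters when connecting by IP address or
# when the virtual host differs from the address being connected to.
fetch_chain() {
    fc_sni=${2:-${1%%:*}}
    openssl s_client -connect "$1" -servername "$fc_sni" -showcerts </dev/null 2>/dev/null
}

# split_chain OUTPREFIX
# Reads s_client -showcerts output on stdin and writes each certificate to
# OUTPREFIX-0.pem (leaf), OUTPREFIX-1.pem (first intermediate), and so on.
# Prints the number of certificates written. Piping the whole output through
# 'openssl x509' instead would keep only the first one.
split_chain() {
    awk -v prefix="$1" '
        BEGIN { n = 0; inblock = 0 }
        /-----BEGIN CERTIFICATE-----/ { out = prefix "-" n ".pem"; inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { close(out); inblock = 0; n++ }
        END { print n }
    '
}

# show_cert FILE.pem
# The fields an administrator normally records for a saved certificate.
show_cert() {
    openssl x509 -noout -subject -issuer -dates -fingerprint -sha256 -in "$1"
}

# Constructed two-certificate -showcerts transcript used to exercise
# split_chain offline. The bodies are placeholders, not real certificates.
SAMPLE_SHOWCERTS='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = services.example.test
   i:CN = Example Test Intermediate CA
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example Test Intermediate CA
   i:CN = Example Test Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=CN = services.example.test'

# demo_split OUTPREFIX: splits the constructed sample and prints the count.
demo_split() {
    printf '%s\n' "$SAMPLE_SHOWCERTS" | split_chain "$1"
}

# Usage: sh sni_chain.sh services.m3.maas360.com:443 [sni-name] [outprefix]
if [ "$#" -ge 1 ]; then
    prefix=${3:-./cert}
    count=$(fetch_chain "$1" "${2:-}" | split_chain "$prefix")
    echo "saved $count certificate(s) with prefix $prefix"
    [ "$count" -gt 0 ] && show_cert "$prefix-0.pem"
fi
```

Run it with the host:port as the first argument; the leaf lands in cert-0.pem and the intermediates in cert-1.pem onward, so the chain can be verified or imported in full instead of only the server certificate.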

Document Location

Worldwide


Document Information

Modified date:
29 June 2023

UID

ibm17005899