Download a Website Certificate

Sibelius Seraphini

Posted on July 31, 2024

Some services use the public certificate of a hostname to validate that the hostname is a legitimate destination for a webhook.

They usually have an endpoint that accepts the public certificate of your webhook endpoint.

We covered some webhook security validations in the article Webhook Security Approaches.

Download the public certificate of a hostname

We are going to use Node and TypeScript to automate this process.

import * as tls from 'tls';
import type { PeerCertificate } from 'tls';

const getPeerCertificate = (host: string, port: number = 443) =>
  new Promise<PeerCertificate>((resolve, reject) => {
    const options: tls.ConnectionOptions = {
      host,
      port,
      servername: host, // send SNI so the server presents the certificate for this hostname
    };

    const socket = tls.connect(options, () => {
      // Get the peer certificate from the socket. Node returns an empty object,
      // not null, when no certificate was presented, so check for the raw DER bytes.
      const peerCertificate = socket.getPeerCertificate();

      if (peerCertificate && peerCertificate.raw) {
        resolve(peerCertificate);
        socket.end();

        return;
      }

      reject(new Error('No peer certificate found.'));
      socket.end();
    });

    socket.on('error', (error) => {
      reject(new Error(`Error downloading the certificate: ${error.message}`));
    });
  });

const rawCertificateToPem = (raw: Buffer) => {
  const base64Cert = raw.toString('base64');
  // Wrap the base64 body at 64 characters per line, as PEM requires
  const pem = `-----BEGIN CERTIFICATE-----\n${base64Cert.match(/.{1,64}/g)?.join('\n')}\n-----END CERTIFICATE-----\n`;

  return pem;
};

export const getCertificate = async (hostname: string) => {
  const peerCertificate = await getPeerCertificate(hostname);

  return rawCertificateToPem(peerCertificate.raw);
};

If I want to download the certificate from api.woovi.com, I will use tls to connect to the host api.woovi.com on port 443 (TLS) and get the peer certificate.
The raw field of the peer certificate is the DER-encoded X.509 certificate.
DER is the binary encoding of X.509; we want to convert it to PEM, the text file format.
To transform it, we take the base64 representation of the DER bytes, insert a \n after every 64 characters, and wrap the result in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
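The conversion described above, as an added example that is not code from the original post or from Woovi: it wraps the base64 body at 64 columns with a regex that cannot produce an empty trailing line (the edge case when the body length is an exact multiple of 64), reverses the conversion, and computes the SHA-256 fingerprint of the DER bytes in the same format openssl prints, so a downloaded certificate can be compared against a fingerprint you recorded earlier before you upload it anywhere. The sample DER bytes are constructed (they are not a real certificate); the conversion and fingerprint logic does not depend on the content being parseable.

```typescript
// Added example (not code from the original post): DER <-> PEM conversion with
// an explicit 64-column wrap, plus an OpenSSL-style SHA-256 fingerprint of the
// DER bytes so a downloaded certificate can be checked against a pinned value.
import * as crypto from 'crypto';

// Wrap the base64 body at 64 columns, the line length PEM readers expect.
// {1,64} (not {0,64}) avoids a trailing empty match and a blank line when the
// body length is an exact multiple of 64.
export const derToPem = (der: Buffer): string => {
  const body = der.toString('base64').match(/.{1,64}/g) ?? [];
  return ['-----BEGIN CERTIFICATE-----', ...body, '-----END CERTIFICATE-----', ''].join('\n');
};

// Reverse direction: strip the armor and all whitespace, then decode base64.
export const pemToDer = (pem: string): Buffer => {
  const match = pem.match(/-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/);
  if (!match) {
    throw new Error('Input is not a PEM-encoded certificate');
  }
  return Buffer.from(match[1].replace(/\s+/g, ''), 'base64');
};

// SHA-256 over the DER bytes, formatted like `openssl x509 -fingerprint -sha256`
// (upper-case hex pairs separated by colons).
export const sha256Fingerprint = (der: Buffer): string => {
  const hex = crypto.createHash('sha256').update(der).digest('hex').toUpperCase();
  return hex.match(/.{2}/g)!.join(':');
};

// Compare a PEM file against a fingerprint recorded earlier, so a changed or
// swapped certificate is detected. Accepts upper/lower case, with or without colons.
export const pemMatchesFingerprint = (pem: string, expected: string): boolean => {
  const normalize = (s: string) => s.replace(/:/g, '').toUpperCase();
  const actual = Buffer.from(normalize(sha256Fingerprint(pemToDer(pem))), 'hex');
  const wanted = Buffer.from(normalize(expected), 'hex');
  return actual.length === wanted.length && crypto.timingSafeEqual(actual, wanted);
};

// Constructed sample input (not a real certificate): 48 bytes encode to exactly
// 64 base64 characters, the edge case where a {0,64} regex would emit an extra
// empty line before the END marker.
export const sampleDer = Buffer.alloc(48, 0xab);
export const samplePem = derToPem(sampleDer);
```

To check a certificate you fetched with getCertificate, keep the fingerprint from the first download and call pemMatchesFingerprint(pem, recordedFingerprint) on later runs; a mismatch means the host is now presenting a different certificate and the upload step should stop for a human to look.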

The final result is:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

You can inspect and validate certificate.pem with the openssl command-line tool:

openssl x509 -in certificate.pem -noout -text

In Conclusion

At Woovi we are always thinking about how we can automate all this manual work.
Every single automation makes us more productive, so we can focus on what matters: generating real value for our customers.

Using a public certificate to validate whom you send a request to and whom you receive a request from is a great security approach, as you don't need to share any secrets. There are no secrets to leak.


Woovi
Woovi is a startup that enables shoppers to pay as they like. To make this possible, Woovi provides instant payment solutions for merchants to accept orders.

If you want to work with us, we are hiring!
