Extract CA certificates from any TLS server. One command, zero dependencies, cross-platform binary.
Pure Go stdlib: no OpenSSL, no Python, no brew installs. Drop the single static binary anywhere and run it. Works on Linux, macOS, and Windows without any runtime or shared library.
Shows every certificate in the TLS chain: the leaf (server cert), any intermediate CAs, and the root CA if it's present. Each cert's role, issuer, expiry, and AIA URL are printed at a glance.
Servers almost never send the root CA; it's assumed to be in your OS trust store. With -fetch-root, tls-ca-fetch follows the AIA extension URL to download the root automatically.
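A certificate downloaded from an AIA URL arrives over plain HTTP (as in http://i.pki.goog/wr2.crt), so it is worth confirming that it really issued the top certificate of the received chain before saving it. The Go sketch below is an added example, not tls-ca-fetch's own code; it shows that linkage check on a constructed chain and rejects a same-name impostor. The function names, the ca.example URL, and the choice to follow the AIA of the topmost received certificate are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// rootAIA returns the AIA "CA Issuers" URL to follow for a non-empty chain, or "" if nothing needs fetching.
func rootAIA(chain []*x509.Certificate) string {
	top := chain[len(chain)-1]
	if checkFetched(chain, top) == nil || len(top.IssuingCertificateURL) == 0 {
		return "" // top is its own issuer (the root was sent), or it carries no AIA
	}
	return top.IssuingCertificateURL[0]
}
// checkFetched proves linkage only: got's subject and key match the issuer and signature of the top cert.
func checkFetched(chain []*x509.Certificate, got *x509.Certificate) error {
	if top := chain[len(chain)-1]; bytes.Equal(top.RawIssuer, got.RawSubject) {
		return top.CheckSignatureFrom(got)
	}
	return fmt.Errorf("fetched cert %q is not the issuer of the top cert", got.Subject.CommonName)
}
// newCert builds a constructed test certificate; a nil parent makes it self-signed.
func newCert(cn string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey, aia ...string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IssuingCertificateURL: aia}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}
func main() {
	root, rootKey := newCert("Example Root", true, nil, nil)
	mid, midKey := newCert("Example Issuing CA", true, root, rootKey, "http://ca.example/root.crt") // constructed URL
	leaf, _ := newCert("www.example", false, mid, midKey)
	chain := []*x509.Certificate{leaf, mid} // as a server sends it: root omitted
	fmt.Println("fetch root from:", rootAIA(chain), "| linkage error:", checkFetched(chain, root))
}
```

Passing this check does not make the fetched root trusted; compare it against a pinned fingerprint or the OS trust store before relying on it.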
Drop the binary on your PATH and point it at any host.
    # Basic - saves google.com-ca.pem
    tls-ca-fetch google.com

    # Custom port
    tls-ca-fetch example.com 8443

    # Fetch root CA via AIA URL
    tls-ca-fetch -fetch-root example.com

    # Private / self-signed server
    tls-ca-fetch -insecure internal.corp 8443

    # Save full chain (leaf + CAs)
    tls-ca-fetch -all example.com

Running against google.com shows the full chain, with roles identified automatically.

    Connecting to google.com:443 …
    Chain received:
    ──────────────────────────────────────────────────────────────────────
    [0] leaf  CN=*.google.com  IsCA=false
        Issuer : WR2
        Expires: 2026-06-22
        AIA    : http://i.pki.goog/wr2.crt
    [1] intermediate CA  CN=WR2  IsCA=true
        Issuer : GTS Root R1
        Expires: 2029-02-20
    [2] intermediate CA  CN=GTS Root R1  IsCA=true
        Issuer : GlobalSign Root CA
        Expires: 2028-01-28
    ──────────────────────────────────────────────────────────────────────
    Saved 2 CA certificates → google.com-ca.pem
    Verified: 2 PEM block(s) readable in output file