Usage

Flags, examples, and common workflows.

tls-ca-fetch [flags] <hostname> [port]
Flag         Default            Description
-port        443                TLS port to connect to. Can also be passed as a positional argument after the hostname.
-o           <hostname>-ca.pem  Output file path. Pass - to write to stdout instead of a file.
-all         off                Save the full chain including the leaf certificate. By default only CA certs are saved.
-fetch-root  off                Chase the AIA (Authority Information Access) extension to download the root CA from the issuer's URL.
-insecure    off                Skip TLS certificate verification. Use this for self-signed or private-CA servers.
-timeout     10                 Connection timeout in seconds.
-version     —                  Print version and exit.

Grab the CA cert from a public site

The simplest invocation. Connects to port 443, walks the chain, and saves the CA cert to <hostname>-ca.pem.

basic usage
$ tls-ca-fetch github.com

→ Connecting to github.com:443 …

Chain received: 2 certificate(s)
────────────────────────────────────────────────────────────
  [0] leaf              CN=github.com                     IsCA=false
       Issuer : DigiCert TLS Hybrid ECC SHA384 2020 CA1
       Expires: 2026-03-26

  [1] intermediate CA   CN=DigiCert TLS Hybrid ECC SHA384  IsCA=true
       Issuer : DigiCert Global Root CA
       Expires: 2031-04-13
       AIA    : http://cacerts.digicert.com/DigiCertGlobalRootCA.crt
────────────────────────────────────────────────────────────

✓ Saved 1 CA certificate(s) → github.com-ca.pem
  Verified: 1 PEM block(s) readable in output file

Write to stdout — pipe into another tool

Use -o - to emit PEM on stdout and pipe it directly into OpenSSL, curl, or a config generator.

stdout mode
$ tls-ca-fetch -o - internal.corp.example \
    | openssl x509 -noout -subject -issuer -dates

Non-standard port

Pass the port as a flag or as a second positional argument.

custom ports
# flag form
$ tls-ca-fetch -port 8443 internal.example.com

# positional arg form
$ tls-ca-fetch smtp.example.com 587

Fetch the full chain including the leaf

By default the leaf is omitted. Use -all to save every cert in the chain.

full chain
$ tls-ca-fetch -all -o chain.pem api.example.com

Chase AIA to also grab the root CA

-fetch-root follows the AIA URL in the topmost cert and appends the root CA to the output.

AIA root fetch
$ tls-ca-fetch -fetch-root -o full-chain.pem smtp.example.com 587

Private CA / self-signed server

Use -insecure when the server cert isn't publicly trusted — Vault, internal services, dev environments. Because certificate verification is skipped, the tool cannot tell a genuine server from an interposed one, so compare the saved certificate's fingerprint with a value obtained out-of-band before you trust it.

private CA
$ tls-ca-fetch -insecure -o my-internal-ca.pem vault.internal

Trust a fetched CA on Linux

Fetch the cert, then drop it into the system trust store in one go. This is the Debian/Ubuntu layout: update-ca-certificates only picks up files under /usr/local/share/ca-certificates whose name ends in .crt, which is why the copy renames the .pem.

trust store
$ tls-ca-fetch corp-proxy.internal
$ sudo cp corp-proxy.internal-ca.pem \
    /usr/local/share/ca-certificates/corp-proxy.crt
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.

What each role means

The chain summary labels each cert by its role in the PKI hierarchy.

Role             Meaning                                                                                          Saved by default?
leaf             End-entity cert presented by the server. Identifies the hostname. IsCA=false.                    No (use -all)
intermediate CA  Signed by the root, signs the leaf. The trust bridge. IsCA=true.                                 Yes
root CA          Self-signed trust anchor. Usually not sent by servers; use -fetch-root to retrieve it via AIA.   Only via -fetch-root