lestopace
Staff
Description This article describes how to extract certificates from an SSL/TLS handshake (e.g. HTTPS, EAP-TLS negotiation, etc.) in a packet capture using Wireshark.
Scope FortiGate
Solution

1) Start capture and enable filters in GUI -> Network -> Packet Capture.

 

2) Download the capture and open it in Wireshark.

3) In Wireshark, use the filter: tls.handshake.type eq 11

This filter shows all packets that contain a certificate. It may also be necessary to add further conditions, such as a specific destination IP.

 

4) Select the packet that contains the certificate that needs to be downloaded, then select Transport Layer Security -> TLSv1.X Record Layer -> Handshake Protocol: Certificate -> Certificates.

 

5) Right-click the certificate that needs to be downloaded, then select 'Export Packet Bytes'.

 

6) Select the desired folder location, set the file name with a .cer or .crt file extension, and make sure that the type is set to All Files.

 

7) Extraction of the certificate from the pcap file is now complete.
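The structure navigated in steps 4 to 6, as an added example that is not part of the original article: a Python parser that splits a Certificate handshake message (type 11) into its DER certificates and converts one to PEM. It assumes the TLS 1.0-1.2 message layout and an unencrypted, already reassembled message; all function names and the sample bytes are constructed for illustration.

```python
import base64

CERTIFICATE = 11  # handshake type matched by tls.handshake.type eq 11

def u24(buf, off):
    """Read a 3-byte big-endian length field."""
    if off + 3 > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[off:off + 3], "big")

def split_certificates(handshake):
    """Return the DER certificates in a TLS 1.0-1.2 Certificate message."""
    if len(handshake) < 4 or handshake[0] != CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    body_len = u24(handshake, 1)
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("fragmented or truncated message; reassemble first")
    if u24(body, 0) != body_len - 3:
        raise ValueError("certificate list length mismatch")
    certs, off = [], 3
    while off < len(body):
        n = u24(body, off)  # each entry: 3-byte length, then DER bytes
        der = body[off + 3:off + 3 + n]
        if len(der) != n:
            raise ValueError("certificate overruns the list")
        certs.append(der)
        off += 3 + n
    return certs

def der_to_pem(der):
    """Wrap raw DER bytes (what Export Packet Bytes saves) in PEM armor."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")

def build_sample():
    """Constructed input: two placeholder DER blobs, not real certificates."""
    blobs = [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"]
    entries = b"".join(len(b).to_bytes(3, "big") + b for b in blobs)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([CERTIFICATE]) + len(body).to_bytes(3, "big") + body, blobs

if __name__ == "__main__":
    for der in split_certificates(build_sample()[0]):
        print(der_to_pem(der), end="")
```

The first entry in the list is the sender's own certificate; any further entries are the chain certificates it sent along.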

 

[Screenshot: sample from an EAP-TLS over RADIUS capture]
