Using tshark you can get a hex dump of every certificate in a pcap with this command:
tshark -n -Tfields -e tls.handshake.certificate -Y tls.handshake.certificate -r $pcapfile
Two caveats: the field is called tls.handshake.certificate in Wireshark 3.0 and later, older releases name it ssl.handshake.certificate; and in TLS 1.3 the Certificate message is encrypted, so without the session keys this only recovers certificates from TLS 1.2 and earlier handshakes.
A TLS Certificate message may contain multiple certificates (the server certificate followed by its chain); tshark prints them on one line separated by commas. To split them up, one per line, pipe the output of tshark through the command tr , '\n' .
And to deduplicate the certificates found (the same server certificate shows up in every handshake with that server), pipe the output through the sort -u command.
The next step is to convert the hex into a useful format, for example DER (the decoded bytes are the DER encoding), by piping the output into this Perl script, which writes one file per line as cert001.cer, cert002.cer, and so on:
#!/usr/bin/perl
use strict;
use warnings;

# Reads one hex-encoded certificate per line from stdin (or the files given as
# arguments) and writes the decoded DER bytes to cert001.cer, cert002.cer, ...
my $count = 0;
while (<>) {
    chomp;                            # drop the newline; pack would otherwise decode it as a stray nibble
    next unless /^[0-9a-fA-F]+$/;     # skip empty or non-hex lines
    open(my $fh, '>', sprintf("cert%03d.cer", ++$count)) or die $!;
    binmode($fh);                     # DER is binary; avoid newline translation
    print $fh pack("H*", $_);
    close($fh);
}
print "Converted $count certs\n";
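The whole pipeline after tshark, as an added Python example that is not part of the original post: it does the splitting on commas, the deduplication and the hex-to-DER conversion in one place, names each file by its SHA-256 fingerprint (so the same certificate gets the same file name across captures and deduplicates itself), and rejects blobs whose outer DER SEQUENCE length does not match their size, which is what a certificate pulled from a truncated or partially reassembled handshake looks like, and what the stray-nibble bug in an uncorrected hex decoder produces. The sample input at the bottom is constructed (tiny DER SEQUENCEs, not real certificates) so the script runs offline; the script name split_certs.py and the output directory name are assumptions.

```python
#!/usr/bin/env python3
"""Split, deduplicate and sanity-check certificates from tshark field output.

Input: the lines produced by
  tshark -n -Tfields -e tls.handshake.certificate -Y tls.handshake.certificate -r file.pcap
Each line holds the certificates of one Certificate message as hex strings,
comma-separated when the message carried a chain.
"""
import hashlib
import os
import sys


def der_length(blob: bytes):
    """Return the total length (header + content) of the outer DER TLV in blob,
    or None if the header is malformed. A certificate is a SEQUENCE (tag 0x30)."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def split_certs(lines):
    """Yield (sha256_hex, der_bytes) for every distinct, well-formed
    certificate in tshark's output, keeping first-seen order."""
    seen = set()
    for line in lines:
        for hexcert in line.strip().split(","):
            if not hexcert:
                continue
            try:
                der = bytes.fromhex(hexcert)
            except ValueError:
                continue                  # non-hex garbage on the line: skip, do not guess
            if der_length(der) != len(der):
                continue                  # truncated or overlong blob, e.g. partial reassembly
            fp = hashlib.sha256(der).hexdigest()
            if fp in seen:
                continue                  # same certificate seen in an earlier handshake
            seen.add(fp)
            yield fp, der


def write_certs(lines, outdir):
    """Write each distinct certificate to <outdir>/<sha256>.cer in DER form.
    Returns the list of written paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for fp, der in split_certs(lines):
        path = os.path.join(outdir, f"{fp}.cer")
        with open(path, "wb") as fh:
            fh.write(der)
        paths.append(path)
    return paths


# Constructed sample standing in for tshark output: two tiny DER SEQUENCEs
# (not real certificates) so the script runs offline. The second line repeats
# the first blob and adds a blob whose declared length (5) does not match its size.
SAMPLE_LINES = [
    "3003020101,3003020102",
    "3003020101,30050201",
]

if __name__ == "__main__":
    # Read tshark output from a pipe; fall back to the constructed sample on a terminal.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    outdir = sys.argv[1] if len(sys.argv) > 1 else "certs"
    for p in write_certs(src, outdir):
        print(p)
```

Usage: tshark -n -Tfields -e tls.handshake.certificate -Y tls.handshake.certificate -r $pcapfile | python3 split_certs.py certs. Each file can then be inspected with openssl x509 -inform DER -in certs/<sha256>.cer -noout -subject -issuer -fingerprint -sha256; the fingerprint openssl prints is the SHA-256 over the DER bytes, so it matches the file name.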