DEV.co
Open-Source Testing · Hakky54

certificate-ripper

Certificate Ripper is a lightweight CLI tool that extracts SSL/TLS certificates from servers without requiring OpenSSL, supporting multiple protocols (HTTPS, WSS, FTPS, SMTPS, IMAPS) and databases (PostgreSQL, MySQL). It offers native executable builds via GraalVM, bulk extraction capabilities, and automatic export to multiple formats (PEM, DER, PKCS12, JKS).

Source: GitHub — github.com/Hakky54/certificate-ripper
919
GitHub stars
77
Forks
Java
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryHakky54/certificate-ripper
OwnerHakky54
Primary languageJava
LicenseApache-2.0 — OSI-approved
Stars919
Forks77
Open issues0
Latest release2.7.1 (2026-03-21)
Last updated2026-06-08
Sourcehttps://github.com/Hakky54/certificate-ripper

What certificate-ripper is

Java-based certificate extraction tool compiled to native binaries using GraalVM Native Image, enabling zero-dependency deployment across macOS, Linux, and Windows. Extracts full certificate chains with optional CA resolution and sibling certificate discovery, supporting proxy authentication and custom timeout configuration for automated certificate inventory and truststore management.

Quickstart

Get the certificate-ripper source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/Hakky54/certificate-ripper.gitcd certificate-ripper# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Automated Certificate Inventory & Compliance Audits

Bulk extract certificates from multiple endpoints in a single command to build and monitor certificate inventories, validate expiration dates, and generate compliance reports without manual OpenSSL invocations.

Development & Testing Certificate Management

Rapidly extract server certificates during development and testing phases to populate local truststores, validate certificate chains, and debug TLS/SSL configuration issues across different services.

CI/CD Pipeline Integration

Distribute as a standalone native binary in deployment pipelines to extract certificates from target services, generate truststore files, and verify certificate validity as part of automated infrastructure provisioning.

Implementation considerations

  • Native binaries are pre-built and distributed in releases, eliminating runtime Java dependency; verify binary availability for your target OS (macOS, Linux, Windows) before deployment.
  • GraalVM Native Image build requires GraalVM 24, Maven, and OS-specific toolchains (build-essential on Linux, Xcode on macOS, Visual Studio on Windows); factor build time into CI/CD pipelines.
  • Tool respects proxy configuration via CLI flags (--proxy-host, --proxy-user, --proxy-password); ensure firewall and proxy rules permit outbound TLS connections to target servers.
  • Extracted certificates are stored in configurable formats and destinations; validate that file permissions and truststore password policies align with organizational security standards.
  • Supports bulk operations via multiple -u flags; performance scales with number of targets and network latency; configure --timeout appropriately for slow or distant endpoints.

When to avoid it — and what to weigh

  • Certificate Generation or Signing Required — This tool only extracts existing certificates from servers; it cannot generate, sign, or create new certificates. Use OpenSSL, cfssl, or cert-manager for certificate creation workflows.
  • Real-time Certificate Monitoring at Scale — Not designed for continuous monitoring of certificate validity across hundreds of endpoints. Consider dedicated certificate management platforms (DigiCert, Venafi) for enterprise-scale monitoring.
  • Private Key Extraction — Tool only retrieves public certificates from TLS handshakes; it cannot extract or access private keys. It is not suitable for key recovery or backup scenarios.
  • Air-gapped Environments Without GraalVM — Requires either pre-built native binary distribution or GraalVM 24 + Maven build tools available in environment; cannot be built or run in strictly isolated offline networks without external dependencies.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license that permits commercial use, modification, and distribution with attribution and indemnification clauses.

Apache-2.0 is a permissive open-source license explicitly allowing commercial use, proprietary integration, and redistribution. No license restrictions prohibit commercial deployment. However, review Apache-2.0 indemnification clauses and ensure compliance with trademark/attribution obligations in your specific commercial context.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Tool extracts only public certificates retrieved during TLS handshakes; it cannot access private keys, perform cryptographic operations, or validate certificate signatures. Proxy credential flags (--proxy-password) are exposed on command line—avoid in shared/monitored shells; use environment variables or secure credential injection where possible. Verify trusted source of native binaries before deployment. No explicit security audit or vulnerability disclosure policy documented.

Alternatives to consider

OpenSSL (s_client / openssl x509)

Industry standard for certificate extraction; requires external dependency installation; more verbose output and steeper learning curve; slower for bulk operations; available on nearly all Unix-like systems.

cfssl (CloudFlare's PKI toolkit)

Supports certificate generation, signing, and extraction; heavier footprint; designed for PKI management pipelines rather than quick certificate inspection; steeper operational complexity.

curl / wget with openssl post-processing

Minimal additional tools required; can extract certificates from HTTP headers and TLS handshakes; less user-friendly output formatting; requires shell scripting for bulk operations.

Software development agency

Build on certificate-ripper with DEV.co software developers

Download Certificate Ripper for automated certificate inventory, compliance audits, and truststore generation across your infrastructure. Available as native binaries for macOS, Linux, and Windows.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

certificate-ripper FAQ

Can Certificate Ripper extract private keys?
No. The tool only extracts public certificates visible during TLS handshakes. Private keys are never transmitted or accessible via standard TLS connections.
Do I need Java installed to use Certificate Ripper?
No. Pre-built native binaries (compiled via GraalVM Native Image) are distributed for macOS, Linux, and Windows and run without Java runtime. The fat JAR variant requires Java 21+.
How do I use Certificate Ripper behind a corporate proxy?
Pass proxy credentials via CLI flags: --proxy-host, --proxy-port, --proxy-user, --proxy-password. The tool will route TLS connections through the proxy and authenticate automatically.
Can I bulk-extract certificates from multiple endpoints?
Yes. Specify multiple URLs via repeated -u flags: crip export pem -u=https://server1.com -u=https://server2.com -u=https://server3.com. The tool will extract and export all certificates in a single invocation.

Work with a software development agency

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If certificate-ripper is part of your open-source testing roadmap, our team can implement, customize, migrate, and maintain it.

Extract Certificates with Zero Dependencies

Download Certificate Ripper for automated certificate inventory, compliance audits, and truststore generation across your infrastructure. Available as native binaries for macOS, Linux, and Windows.