OpenSSL: Fetching SQL Server public certificate

sqserrrh posted on 2023-02-18 in SQL Server
Follow (0) | Answers (3) | Views (144)

I want to use OpenSSL or any native Linux command to grab the certificate of a SQL Server. I tried the same way as I do with an HTTP server but it doesn't work.

openssl s_client -showcerts -connect MY.MSSQL.SERVER:1433
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

wwtsj6pe1#

This gist by GitHub user lnattrass gives a Python script that is, in his words, "A terrible way to connect to MS SQL Server and dump the certificate as a PEM". Yes, that's not what you asked about; you asked about OpenSSL. But one of the comments says in part:
I was able to get the same results using openssl like this: openssl s_client -showcerts -connect <hostname>:<port> </dev/null 2>/dev/null|openssl x509 -outform PEM >dbcertfile.pem as suggested somewhere.

(no clue where "somewhere" would have been.)

I've tried the openssl method but it failed for me:

rpresser@11MTLDEV-L11626:~$ openssl s_client -showcerts -connect mysqlserver.mydomain.com:1433 </dev/null 2>/dev/null|openssl x509 -outform PEM >dbcertfile.pem
unable to load certificate
140246796931520:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

Perhaps this was because the self-signed cert (see below) was not trusted? I'm really not sure.

After fixing one indentation bug, the python method worked for me:

rpresser@11MTLDEV-L11626:/mnt/c/temp$ python3 get_tds_cert.py redacted.domain.COM 1433
# get_tdspacket: 0, tdspacket len: 43
# Header:  {'type': 4, 'status': 1, 'length': 43, 'channel': 0, 'packet': 1, 'window': 0}
# Remaining tdspbuf length: 0

# Starting TLS handshake loop..
# Shaking (0/5)

# get_tdspacket: 0, tdspacket len: 894
# Header:  {'type': 18, 'status': 1, 'length': 894, 'channel': 0, 'packet': 0, 'window': 0}
# Remaining tdspbuf length: 0

# Shaking (1/5)

# get_tdspacket: 0, tdspacket len: 67
# Header:  {'type': 18, 'status': 1, 'length': 67, 'channel': 0, 'packet': 0, 'window': 0}
# Remaining tdspbuf length: 0

# Handshake completed, dumping certificates
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

I haven't bothered to redact the certificate because it is the SQL Server self-signed fallback, as displayed by the SSLShopper Certificate Decoder:

  • Certificate Information:
  • Common Name: SSL_Self_Signed_Fallback
  • Valid From: February 1, 2020
  • Valid To: February 1, 2050
  • Serial Number: 61cd18125c7f618145fd0d0f218113c4
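Why `openssl s_client` fails here and what the gist's script actually does, shown as an added example that is not the question's, the gist's or any answer's code: SQL Server does not start TLS on the raw TCP connection. The client first sends a TDS PRELOGIN packet (type 0x12) and the server answers in a type 0x04 packet; only then does the TLS handshake run, and every TLS record of that handshake is carried inside a TDS packet of type 0x12. `s_client` sends a bare ClientHello, which the server does not recognise as TDS, so it drops the connection (the `write:errno=104`, connection reset, in the question), and `openssl x509` then has no PEM on stdin, which is what the "no start line" error means; it is not a trust problem. OpenSSL has no `-starttls` mode for TDS, so a small client is needed. The script below assumes a reachable host and port on the command line, requests ENCRYPT_ON, deliberately skips certificate validation (the goal is to read the certificate, not to trust it yet) and prints the PEM; the wire layout follows the MS-TDS PRELOGIN definition.

```python
"""Added example (not the question's, the gist's or any answer's code): speak just
enough TDS to reach the TLS handshake that SQL Server hides inside PRELOGIN
packets, then print the server certificate as PEM.

Assumptions: host/port come from the command line; ENCRYPT_ON is requested;
certificate validation is deliberately off. Wire layout follows MS-TDS."""
import socket
import ssl
import struct
import sys

TDS_PRELOGIN = 0x12     # packet type: PRELOGIN, also carries the TLS handshake records
TDS_RESPONSE = 0x04     # packet type: server response (the PRELOGIN reply uses this)
TDS_EOM = 0x01          # status bit: last packet of a message
HEADER_FMT = ">BBHHBB"  # type, status, length (incl. header), spid, packet id, window

PL_VERSION, PL_ENCRYPTION, PL_INSTOPT, PL_THREADID, PL_MARS = 0x00, 0x01, 0x02, 0x03, 0x04
PL_TERMINATOR = 0xFF
ENCRYPT_NAMES = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}


def tds_packet(ptype, payload, status=TDS_EOM, packet_id=1):
    """Prepend the 8-byte TDS header; the length field counts the header too."""
    return struct.pack(HEADER_FMT, ptype, status, 8 + len(payload), 0, packet_id, 0) + payload


def parse_tds_header(buf):
    ptype, status, length, spid, packet, window = struct.unpack(HEADER_FMT, buf[:8])
    return {"type": ptype, "status": status, "length": length,
            "channel": spid, "packet": packet, "window": window}


def build_prelogin(encryption=0x01):
    """PRELOGIN payload: a table of (token, offset, length) entries, 0xFF, then the data."""
    options = [
        (PL_VERSION, bytes([0x09, 0, 0, 0, 0, 0])),  # UL_VERSION + US_SUBBUILD
        (PL_ENCRYPTION, bytes([encryption])),
        (PL_INSTOPT, b"\x00"),                        # default instance name
        (PL_THREADID, struct.pack("<I", 0)),
        (PL_MARS, b"\x00"),
    ]
    table, data = b"", b""
    data_start = 5 * len(options) + 1                 # five bytes per entry plus the terminator
    for token, value in options:
        table += struct.pack(">BHH", token, data_start + len(data), len(value))
        data += value
    return table + bytes([PL_TERMINATOR]) + data


def parse_prelogin(payload):
    """Map token -> option bytes for a PRELOGIN request or response payload."""
    options, pos = {}, 0
    while payload[pos] != PL_TERMINATOR:
        token, offset, length = struct.unpack(">BHH", payload[pos:pos + 5])
        options[token] = payload[offset:offset + length]
        pos += 5
    return options


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def recv_tds_message(sock, expected_types):
    """Collect packets until one carries the EOM status bit; return the joined payload."""
    payload = b""
    while True:
        header = parse_tds_header(recv_exact(sock, 8))
        if header["type"] not in expected_types:
            raise ValueError("unexpected TDS packet type 0x%02x" % header["type"])
        payload += recv_exact(sock, header["length"] - 8)
        if header["status"] & TDS_EOM:
            return payload


def fetch_certificate(host, port=1433):
    """PRELOGIN exchange, then a TLS handshake with every record wrapped in a TDS packet."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE                       # read the cert, do not trust it yet
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(tds_packet(TDS_PRELOGIN, build_prelogin()))
        reply = parse_prelogin(recv_tds_message(sock, {TDS_RESPONSE, TDS_PRELOGIN}))
        encryption = reply.get(PL_ENCRYPTION, b"\xff")[0]
        if encryption == 0x02:
            raise RuntimeError("server answered ENCRYPT_NOT_SUP; no TLS handshake will follow")
        while True:
            try:
                tls.do_handshake()
                break
            except ssl.SSLWantReadError:
                if outgoing.pending:                      # ClientHello, then key exchange/Finished
                    sock.sendall(tds_packet(TDS_PRELOGIN, outgoing.read()))
                incoming.write(recv_tds_message(sock, {TDS_PRELOGIN}))
        if outgoing.pending:                              # TLS 1.3 leaves the client Finished here
            sock.sendall(tds_packet(TDS_PRELOGIN, outgoing.read()))
        der = tls.getpeercert(binary_form=True)
    return ENCRYPT_NAMES.get(encryption, "unknown"), ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    server = sys.argv[1]
    server_port = int(sys.argv[2]) if len(sys.argv) > 2 else 1433
    setting, pem = fetch_certificate(server, server_port)
    sys.stderr.write("server encryption setting: %s\n" % setting)
    sys.stdout.write(pem)
```

Run it as `python3 tds_cert.py MY.MSSQL.SERVER 1433 > dbcertfile.pem`. The packet header the script builds for the request (type 0x12, status 1, length 47) and the type 4 / type 18 headers it expects back match the headers the gist printed in the answer above; if the server replies ENCRYPT_NOT_SUP the script stops instead of waiting for a handshake that never comes.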

kse8i1jr2#

Inspired by https://gist.github.com/lnattrass/a4a91dbf439fc1719d69f7865c1b1791, with help from https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/1ef08b76-1594-40cf-8ce0-d2407133dd3d

A similar implementation in Groovy (Java 11) that returns the certificate chain from SQL Server:

groovy sqlserver-cert.groovy <host> <port>

luaexgnf3#

After looking for openssl solutions without success, and fighting with the python script without success too (both the initial and the fixed versions threw an error), I resorted to nmap; in this case it was quite easy:

nmap -v --script=ssl-cert -p 1433 server.example.com

In the output there should be a certificate such as this (self-signed cert); you should be able to clean the formatting and use it where you need.

| SHA-1: dba1 14a3 d2c7 9410 0a7a bb8d d08e e1a0 d6a1 9e87
| -----BEGIN CERTIFICATE-----
| MIIB+zCCAWSgAwIBAgIQJW6eoEmJJJJDqpOSmq2W6TANBgkqhkiG9w0BAQUFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
| bABsAGIAYQBjAGswIBcNMjMwMTE4MTEyOTQ5WhgPMjA1MzAxMTgxMTI5NDlaMDsx
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
| AGwAYgBhAGMAazCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKxXDgSq1++4
| yDSOmXDO5F2gDa1cW2x4USQOxXq5ux4RObhteo9pVOIDi2TfmKMUl9OTNUqfxiTl
| YJtHmBKP7aghWK5Z9p5VBDfbzmAG04tdII49piocKvdimy96veGWnPUGFdovx35k
| dEOT7+NpQTVIDscsIIDa8csQJmuwgdsCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBV
| 0KzioJl5tcvpjG2VK/TTpfAdZnz4MZwhg/ThviRtcV3WLVkKbCOh0A1ljCoURgsX
| HIvYXBHn1XdJn4F8HHeh8B53tjwRYkvxg2jGWfKofr0nAu23rbMv3543UroSH6r2
| 3CeLkgsAwFUcXPUfYwae5L48FKlkD5V2TsOhmy8rvg==
|_-----END CERTIFICATE-----
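Cleaning that nmap output by hand is where certificates get mangled, so here is an added example (not part of the answer above) that strips the `| ` / `|_` prefixes with sed, writes the PEM to a file, and then cross-checks the file against the SHA-1 fingerprint nmap itself reported, so a copy-and-paste slip fails loudly instead of producing a certificate that silently does not match the server. `NMAP_OUTPUT` is a constructed excerpt of `ssl-cert` script output containing the self-signed fallback certificate from the answer; it assumes `openssl` and POSIX `sed` are installed.

```sh
#!/bin/sh
# Added example (not from the original answer): turn nmap's "| "-prefixed PEM
# into a clean file and verify it against the fingerprint nmap printed.
# NMAP_OUTPUT is a constructed excerpt of `nmap -v --script=ssl-cert` output.

# stdin: nmap ssl-cert output; stdout: the PEM block with the "| " / "|_" prefixes removed
extract_pem() {
    sed -n 's/^|[_ ]\{0,1\}//; /^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# stdin: nmap ssl-cert output; stdout: the reported SHA-1, normalised to openssl's AA:BB:... form
nmap_sha1() {
    sed -n 's/^| SHA-1: //p' | tr -d ' ' | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# stdin: PEM; stdout: SHA-1 fingerprint computed by openssl (AA:BB:... form)
pem_sha1() {
    openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# stdin: PEM; stdout: subject line as openssl prints it
pem_subject() {
    openssl x509 -noout -subject
}

NMAP_OUTPUT='| SHA-1: dba1 14a3 d2c7 9410 0a7a bb8d d08e e1a0 d6a1 9e87
| -----BEGIN CERTIFICATE-----
| MIIB+zCCAWSgAwIBAgIQJW6eoEmJJJJDqpOSmq2W6TANBgkqhkiG9w0BAQUFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
| bABsAGIAYQBjAGswIBcNMjMwMTE4MTEyOTQ5WhgPMjA1MzAxMTgxMTI5NDlaMDsx
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
| AGwAYgBhAGMAazCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKxXDgSq1++4
| yDSOmXDO5F2gDa1cW2x4USQOxXq5ux4RObhteo9pVOIDi2TfmKMUl9OTNUqfxiTl
| YJtHmBKP7aghWK5Z9p5VBDfbzmAG04tdII49piocKvdimy96veGWnPUGFdovx35k
| dEOT7+NpQTVIDscsIIDa8csQJmuwgdsCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBV
| 0KzioJl5tcvpjG2VK/TTpfAdZnz4MZwhg/ThviRtcV3WLVkKbCOh0A1ljCoURgsX
| HIvYXBHn1XdJn4F8HHeh8B53tjwRYkvxg2jGWfKofr0nAu23rbMv3543UroSH6r2
| 3CeLkgsAwFUcXPUfYwae5L48FKlkD5V2TsOhmy8rvg==
|_-----END CERTIFICATE-----'

pem=$(printf '%s\n' "$NMAP_OUTPUT" | extract_pem)
reported=$(printf '%s\n' "$NMAP_OUTPUT" | nmap_sha1)
computed=$(printf '%s\n' "$pem" | pem_sha1)

printf '%s\n' "$pem" > dbcertfile.pem
printf 'subject: %s\nnmap:    %s\nopenssl: %s\n' \
    "$(printf '%s\n' "$pem" | pem_subject)" "$reported" "$computed"
if [ "$reported" != "$computed" ]; then
    echo "fingerprint mismatch: the extracted PEM does not match what nmap saw" >&2
    exit 1
fi
```

For a live host, replace the constructed `NMAP_OUTPUT` with `$(nmap -v --script=ssl-cert -p 1433 server.example.com)`; the fingerprint comparison is the same, and it is the check worth keeping when the PEM later goes into a trust store or a connection string.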
