Displaying a remote SSL certificate details using CLI tools
Solution 1:
You should be able to use OpenSSL for your purpose:
echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text
That command connects to the desired website and pipes the certificate in PEM format on to another openssl command that reads and parses the details.
(Note that the "redundant" -servername parameter is necessary to make openssl do a request with SNI support.)
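Building on the s_client | x509 pipeline above, as an added example that is not part of the original answer: a small POSIX sh script that fetches the leaf certificate with SNI, prints the fields a reviewer usually wants, and uses openssl's -checkend to flag certificates close to expiry. It assumes openssl is on PATH; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from any answer on this page: the s_client | x509
# pipeline from Solution 1 wrapped into reusable helpers. Assumes openssl is on
# PATH; function names (fetch_leaf_cert, cert_summary, cert_valid_for_days)
# are my own choices.

# Fetch the leaf certificate of HOST[:PORT] as PEM on stdout. -servername sends
# SNI so a virtual-hosted server returns the certificate for HOST, not its default.
fetch_leaf_cert() {
  host=$1; port=${2:-443}
  echo | openssl s_client -servername "$host" -connect "$host:$port" 2>/dev/null \
    | openssl x509 -inform pem 2>/dev/null
}

# Print the fields usually wanted in a review for the PEM certificate on stdin:
# subject, issuer, validity window, SHA-256 fingerprint and the SAN list.
cert_summary() {
  pem=$(cat)
  printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -dates -fingerprint -sha256
  # SAN is taken from the text dump so this also works on OpenSSL builds without -ext.
  printf '%s\n' "$pem" | openssl x509 -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Exit 0 if the PEM certificate on stdin stays valid for at least DAYS more days,
# non-zero otherwise (-checkend does the comparison, so no date parsing is needed).
cert_valid_for_days() {
  days=$1
  openssl x509 -noout -checkend $(( days * 86400 )) >/dev/null
}

# Usage: sh certcheck.sh HOST [PORT]  (nothing runs when called without arguments)
if [ "$#" -ge 1 ]; then
  pem=$(fetch_leaf_cert "$1" "$2") || { echo "no certificate received from $1" >&2; exit 2; }
  printf '%s\n' "$pem" | cert_summary
  if printf '%s\n' "$pem" | cert_valid_for_days 30; then
    echo "OK: certificate valid for at least 30 more days"
  else
    echo "WARN: certificate expires within 30 days (or is already expired)"
  fi
fi
```

The helpers read PEM from stdin, so they work equally on a certificate saved to disk (cert_summary < saved.pem), not only on a live connection.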
Solution 2:
Simple solution
That's my everyday script:
curl --insecure -vvI https://www.google.com 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
Output:
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: www.google.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=www.google.com
* start date: Wed, 24 May 2017 17:39:15 GMT
* expire date: Wed, 16 Aug 2017 17:13:00 GMT
* issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
* compression: NULL
* ALPN, server accepted to use http/1.1
* Connection #0 to host www.google.com left intact
Solution 3:
nmap -p 443 --script ssl-cert gnupg.org
The -p 443 specifies to scan port 443 only. All ports will be scanned if it is omitted, and the certificate details for any SSL service that is found will be displayed. The --script ssl-cert tells the Nmap scripting engine to run only the ssl-cert script. From the doc, this script "(r)etrieves a server's SSL certificate. The amount of information printed about the certificate depends on the verbosity level."
Sample output:
Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-01 13:35 PDT
Nmap scan report for gnupg.org (217.69.76.60)
Host is up (0.16s latency).
Other addresses for gnupg.org (not scanned): (null)
rDNS record for 217.69.76.60: www.gnupg.org
PORT STATE SERVICE
443/tcp open https
| ssl-cert: Subject: commonName=gnupg.org
| Subject Alternative Name: DNS:gnupg.org, DNS:www.gnupg.org
| Issuer: commonName=Gandi Standard SSL CA 2/organizationName=Gandi/stateOrProvinceName=Paris/countryName=FR
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2015-12-21T00:00:00
| Not valid after: 2018-03-19T23:59:59
| MD5: c3a7 e0ed 388f 87cb ec7f fd3e 71f2 1c3e
|_SHA-1: 5196 ecf5 7aed 139f a511 735b bfb5 7534 df63 41ba
Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds
Solution 4:
Depends on what kind of information you want, but:
openssl s_client -showcerts -connect gnupg.org:443
should give you most, although not as nicely human readable as Chrome presents it.
Solution 5:
For completeness: if you have Java 7 or higher installed on your system,
keytool -printcert -sslserver $host[:$port]
shows the chain (as served) with nearly all details in a mostly rather ugly format.
Whether you should have Java installed on your system I do not answer.