Read Contents Of SSL Cert From The Command Line

4th January 2019 - 2 minutes read time

Whilst it is possible to view the contents of an SSL cert from within most modern browsers I occasionally find the need to use the command line to find out the same information. I find this useful when renewing certificates as browsers can occasionally cache certificates for longer than expected, causing false results.

The following command connects to the server, downloads the SSL certificate from port 443 and then uses the openssl tool to extract the information from the certificate into a readable format.

echo | openssl s_client -showcerts -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -inform pem -noout -text

This produces the following output.

  1. Certificate:
  2.     Data:
  3.         Version: 3 (0x2)
  4.         Serial Number:
  5.             0f:d0:78:dd:48:f1:a2:bd:4d:0f:2b:a9:6b:60:38:fe
  6.     Signature Algorithm: sha256WithRSAEncryption
  7.         Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
  8.         Validity
  9.             Not Before: Nov 28 00:00:00 2018 GMT
  10.             Not After : Dec  2 12:00:00 2020 GMT
  11.         Subject: C=US, ST=California, L=Los Angeles, O=Internet Corporation for Assigned Names and Numbers, OU=Technology, CN=www.example.org
  12.         Subject Public Key Info:
  13.             Public Key Algorithm: rsaEncryption
  14.                 Public-Key: (2048 bit)
  15.                 Modulus:
  16.                     00:d0:f0:12:74:a0:96:20:72:08:65:19:12:5a:5d:
  17.                     4a:d0:3a:8c:66:8f:a0:29:2b:a7:db:d5:ac:0c:cf:
  18.                     a5:71:92:15:42:15:b0:07:92:76:31:75:d7:27:8e:
  19.                     4d:50:6a:75:d1:7b:53:5e:27:aa:ed:eb:a4:60:3a:
  20.                     f2:8e:45:18:6b:45:33:5c:85:11:aa:20:12:fe:60:
  21.                     ac:9d:4c:45:8f:dd:d3:0e:3e:77:0f:09:c2:85:65:
  22.                     34:c7:22:fb:74:13:b9:42:9f:f7:21:f6:f0:9c:44:
  23.                     74:6d:c9:df:b3:1f:8f:60:b7:71:11:06:90:63:41:
  24.                     9d:8f:34:7b:24:49:46:ac:f2:f0:8d:0b:48:f4:d3:
  25.                     92:1a:f7:a2:45:ee:cc:e5:d7:83:7f:2e:82:bd:71:
  26.                     dd:28:19:58:33:6e:11:a1:3a:a0:6a:72:60:92:01:
  27.                     59:9f:63:17:7a:49:42:7b:9c:3f:db:d3:05:e8:cc:
  28.                     87:7e:f8:aa:fc:9d:d1:05:50:ab:75:b1:1e:ba:20:
  29.                     cb:89:d4:6d:6c:37:82:28:4c:c5:3f:7c:c1:10:f5:
  30.                     a0:a5:66:6b:53:53:c9:db:ed:85:c3:6d:05:f8:64:
  31.                     a7:c9:0e:eb:8f:e1:c4:b1:eb:2d:68:0e:15:3f:e5:
  32.                     e2:dc:fc:21:64:2d:ee:69:2b:04:78:db:77:65:cb:
  33.                     54:f9
  34.                 Exponent: 65537 (0x10001)
  35.         X509v3 extensions:
  36.             X509v3 Authority Key Identifier:
  37.                 keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2
  38.  
  39.             X509v3 Subject Key Identifier:
  40.                 66:98:62:02:E0:09:91:A7:D9:E3:36:FB:76:C6:B0:BF:A1:6D:A7:BE
  41.             X509v3 Subject Alternative Name:
  42.                 DNS:www.example.org, DNS:example.com, DNS:example.edu, DNS:example.net, DNS:example.org, DNS:www.example.com, DNS:www.example.edu, DNS:www.example.net
  43.             X509v3 Key Usage: critical
  44.                 Digital Signature, Key Encipherment
  45.             X509v3 Extended Key Usage:
  46.                 TLS Web Server Authentication, TLS Web Client Authentication
  47.             X509v3 CRL Distribution Points:
  48.  
  49.                 Full Name:
  50.                   URI:http://crl3.digicert.com/ssca-sha2-g6.crl
  51.  
  52.                 Full Name:
  53.                   URI:http://crl4.digicert.com/ssca-sha2-g6.crl
  54.  
  55.             X509v3 Certificate Policies:
  56.                 Policy: 2.16.840.1.114412.1.1
  57.                   CPS: https://www.digicert.com/CPS
  58.                 Policy: 2.23.140.1.2.2
  59.  
  60.             Authority Information Access:
  61.                 OCSP - URI:http://ocsp.digicert.com
  62.                 CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
  63.  
  64.             X509v3 Basic Constraints: critical
  65.                 CA:FALSE
  66.             1.3.6.1.4.1.11129.2.4.2:
  67.                 ...k.i.w.......X......gp
  68. .....g\1.F.....H0F.!..d..!...H.v.K.F.W'..{.;.JWBl...l.!.....0.d..L|nXSW....EO..F..p...BB.v..u..Y|..C._..n.V.GV6.J.`....^......g\1.......G0E. [email protected]/..f.._s.H.P..!....H.....D%.<...+.|..'{..X....JN.v.oSv.1.1.....Q..w.....}..c).-. MwZ.I.J.h..a... .1....q.C.....O...z....D;....
  69. [.V.=,r.
  70.     Signature Algorithm: sha256WithRSAEncryption
  71.          73:70:85:ef:40:41:a7:6a:43:d5:78:9c:7b:55:48:e6:bc:6b:
  72.          99:86:ba:fb:0d:03:8b:78:fe:11:f0:29:a0:0c:cd:69:14:0b:
  73.          c6:04:78:b2:ce:f0:87:d5:01:9d:c4:59:7a:71:fe:f0:6e:9e:
  74.          c1:a0:b0:91:2d:1f:ea:3d:55:c5:33:05:0c:cd:c1:35:18:b0:
  75.          6a:68:66:4c:bf:56:21:da:5b:d9:48:b9:8c:35:21:91:5d:dc:
  76.          75:d7:7a:46:2c:22:27:a6:6f:d3:3a:17:eb:be:bd:13:c5:12:
  77.          26:73:c0:5d:a3:35:89:6a:fb:27:d4:dd:aa:74:74:2e:37:e5:
  78.          01:3b:a6:d0:30:b0:83:d0:a1:c4:75:21:85:b2:e5:fa:67:00:
  79.          30:a2:bc:53:83:4d:bf:d6:a8:83:bb:bc:d6:ed:1c:b3:1e:f1:
  80.          58:03:82:00:8e:9c:ef:90:f2:1a:5f:a2:a3:06:da:5d:be:9f:
  81.          da:5d:a6:e6:2f:de:58:80:18:d3:f1:62:7b:a6:a3:9f:ae:a8:
  82.          69:72:63:81:65:ae:82:83:a3:b5:97:8a:9b:20:51:ff:1a:3f:
  83.          61:40:1e:48:d0:6b:38:f9:e1:fa:17:d8:77:4a:88:e6:3d:36:
  84.          24:4f:ef:0a:b9:9f:70:f3:83:27:f8:cf:2a:05:75:10:a1:8a:
  85.          0a:80:88:cd

 

command line

Add new comment

The content of this field is kept private and will not be shown publicly.

Related Content

Repointing A Symlink To A Different Location

10th December 2020
​Creating a symlink is a common way of ensuring that the directory structure of a deployment will always be the same. For example you might create a symlink so that the release directory of release123/docroot will instead be just current. This is done using the ln command in the following way, the -s flag means that we use the ln (aka link) command to create a symbolic link.

Read more.

Finding My Most Commonly Used Commands On Linux

28th November 2020

I'm a proponent of automation, so when I find myself running the same commands over and over I always look for a way of wrapping that in an alias or script.

I spend a lot of my day to day job in the command line and I realised today that I must have typed 'git status' for the millionth time and wondered what my most commonly used commands were. So I found a stack overflow post showing my most used commands in a nice little bash one liner.

Read more.

Grep Context

27th June 2020

Grep is a really powerful tool for finding things in files. I often use it to scan for plugins in the Drupal codebase or to scan through a CSV or log file for data.

For example, to scan for user centric ViewsFilter plugins in the Drupal core directory use this command (assuming you are relative to the core directory).

grep "@ViewsFilter(\"user" -r core

The -r flag here recursively scans the 'core' directory. This command returns the following output.

Read more.

Overwriting Command Line Output With PHP

12th April 2020

The other day I was trying to print some output to the command line and then overwrite the output afterwards. It turns out that there are a couple of ways to do this so I thought I would detail a few of them here.

By far the simplest way of doing this is to run the "clear" command, which we can run via the system() function in PHP. This will clear the output of the command line ready for you to print out whatever you need. The downside to this is that the entire terminal window is cleared. Another downside is that once the output is complete scrolling up will reveal the output that was cleared out.

Read more.

Checking Domain TTL Values

4th January 2019

Part of the process of putting a new site live can be moving DNS entries around. Prior to doing this it's a really good idea to sort out the Time To Live (TTL) of the DNS record so that when you do change DNS entries you aren't waiting around for a day for the DNS to sort itself out. Most DNS registrars will allow you to set your TTL down to a minute or so.

It's also very important to check the status of your DNS records to ensure that they have the correct TTL, usually a day before (and day of) the move.

Read more.