Quick Certificate Validation
Checking certificate validity for a site: what could be easier? It's a click away if the address of interest is in your browser. Yet if you want to check expiration dates for multiple endpoints, you can't really do it from the browser.
When it comes to security on a Linux box, you can't avoid OpenSSL. Still, you need to use it twice: once to get a certificate and again to decode it. So here is a small shell script that could save you some time.
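#!/bin/sh
set +x
# Set parameters: host is required, port defaults to 443
if [ $# -lt 1 ]; then
  echo "Usage: $0 host [port] [s_client options]" >&2
  exit 1
fi
hst=$1; shift
if [ $# -ge 1 ]; then
  prt=${1:-443}
  shift
else
  prt=443
fi
# Extract certificate text; any remaining arguments are passed on to s_client
openssl s_client -connect "$hst:$prt" "$@" 2>/dev/null </dev/null |\
awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{print $0}'|\
openssl x509 -noout -text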
The shell script and description are available on GitHub. The script usage is straightforward, as shown in the screenshot below.
And never forget about Server Name Indication, aka SNI. If you have a web server with multiple virtual hosts, reverse proxy software, or any other network appliance, the same host and port combination may produce different certificates.
Sample calls below to illustrate my point:
# Direct certificate request
$ get-cert.sh 172.168.1.1 443
# some certificate
# And SNI request
$ get-cert.sh 172.168.1.1 443 -servername virtual.server.com
# Completely different certificate
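The multi-endpoint expiration check mentioned at the top, as an added example that is not the author's script: it reuses the same `openssl s_client` / `openssl x509` pipeline, sends `-servername` when an SNI name is listed, and flags certificates that expire within a chosen number of days. The function names, the exit codes and the `host port [sni]` list format are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Endpoint list format (an assumption of this example):
#   host port [sni-name]    one endpoint per line, '#' starts a comment

# fetch_cert HOST [PORT] [SNI]: print the server's leaf certificate as PEM.
fetch_cert() {
    host=$1 port=${2:-443} sni=${3:-}
    set -- -connect "$host:$port"
    # Send SNI explicitly so a shared IP:port returns the intended vhost's cert.
    if [ -n "$sni" ]; then set -- "$@" -servername "$sni"; fi
    openssl s_client "$@" </dev/null 2>/dev/null |
        awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/'
}

# cert_status DAYS: read one PEM certificate on stdin and classify it.
# Prints "<STATE> <notAfter>"; returns 0 OK, 1 EXPIRING, 2 EXPIRED, 3 NOCERT.
cert_status() {
    days=$1
    pem=$(cat)
    # Empty or unparsable input means the handshake produced no certificate.
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null) ||
        { echo "NOCERT"; return 3; }
    end=${end#notAfter=}
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED $end"; return 2
    elif ! printf '%s\n' "$pem" |
            openssl x509 -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "EXPIRING $end"; return 1
    fi
    echo "OK $end"
}

# check_endpoints DAYS: read the endpoint list on stdin, print one line each.
check_endpoints() {
    days=$1
    while read -r host port sni; do
        case $host in ''|\#*) continue ;; esac
        status=$(fetch_cert "$host" "$port" "$sni" | cert_status "$days") || true
        printf '%-28s %-24s %s\n' "$host:${port:-443}" "${sni:--}" "$status"
    done
}

# Run only when a threshold is given: sh check-certs.sh 30 < endpoints.txt
if [ $# -ge 1 ]; then
    check_endpoints "$1"
fi
```

Listing the same address twice, once without and once with an SNI name, shows side by side the two certificates that the sample calls above retrieve one at a time.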