Quick Certificate Validation

Check certificate validity for a site; what could be easier? It's a click away if the address of interest is in your browser. Learn how you can check expiration dates for multiple hosts or virtual hosts with SNI.

Check certificate validity for a site; what could be easier? It's a click away if the address of interest is in your browser. Yet if you want to check expiration dates for multiple endpoints, you can't really do it from the browser.

When it comes to security on a Linux box, you can't avoid OpenSSL. Still, you need to run it twice: once to get the certificate and once to decode it. So here is a small shell script that could save you some time.

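#!/bin/sh
# Usage: get-cert.sh host [port] [extra openssl s_client options]
set +x
# Set parameters
if [ $# -lt 1 ]; then
 echo "Usage: $0 host [port] [s_client options]" >&2
 exit 1
fi
hst=$1; shift
if [ $# -ge 1 ]; then
 prt=${1:-443}
 shift
else
 prt=443
fi
# Extract Certificate Text
# s_client prints the server certificate as PEM; stdin from /dev/null ends the session at once.
# Remaining arguments (for example -servername) are passed to s_client unchanged.
openssl s_client -connect "$hst:$prt" "$@" 2>/dev/null </dev/null |\
 awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{print $0}' |\
 openssl x509 -noout -text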

The shell script and its description are available on GitHub. Using the script is straightforward, as shown in the screenshot below.

[Screenshot: site certificate in text]

And never forget about Server Name Indication, aka SNI. If you have a web server with multiple virtual hosts, reverse proxy software, or any other network appliance, the same host and port combination may produce different certificates.
The sample calls below illustrate the point:

# Direct certificate request 
$ get-cert.sh 172.168.1.1 443 
# some certificate 
# And SNI request 
$ get-cert.sh 172.168.1.1 443 -servername virtual.server.com
# Completely different certificate
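
To get from a single certificate dump to an expiry check across several endpoints and SNI names, the same s_client pipeline can feed `openssl x509 -enddate` and `-checkend`. This is an added example, not part of the original script or its GitHub repository; the `host port [sni]` input format, the `WARN_DAYS` variable and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: expiry report for several endpoints, with optional SNI names.
# The "host port [sni]" line format and WARN_DAYS are assumptions of this example.
WARN_DAYS=${WARN_DAYS:-30}

# fetch_pem HOST PORT [SNI]: print the server certificate in PEM form.
fetch_pem() {
  if [ -n "$3" ]; then
    openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null </dev/null
  else
    openssl s_client -connect "$1:$2" 2>/dev/null </dev/null
  fi | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/'
}

# cert_status DAYS: read PEM on stdin, print "STATE notAfter".
# Returns 0 for OK, 1 for EXPIRED/EXPIRING, 2 when no certificate was read.
cert_status() {
  pem=$(cat)
  end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null) ||
    { echo "NOCERT -"; return 2; }
  end=${end#notAfter=}
  # -checkend N exits non-zero if the certificate expires within N seconds
  if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
    echo "EXPIRED $end"; return 1
  elif ! printf '%s\n' "$pem" | openssl x509 -noout -checkend $(( $1 * 86400 )) >/dev/null; then
    echo "EXPIRING $end"; return 1
  fi
  echo "OK $end"
}

# check_endpoints: read "host port [sni]" lines on stdin, print one report line
# per endpoint; returns 1 if any endpoint is not OK.
check_endpoints() {
  rc=0
  while read -r host port sni; do
    case $host in ''|'#'*) continue ;; esac   # skip blank lines and comments
    status=$(fetch_pem "$host" "${port:-443}" "$sni" | cert_status "$WARN_DAYS") || rc=1
    printf '%-30s %s\n' "${sni:-$host}:${port:-443}" "$status"
  done
  return $rc
}

# Run as: check-expiry.sh endpoints.txt (hypothetical file of "host port [sni]" lines)
[ $# -eq 0 ] || check_endpoints <"$1"
```

The non-zero exit status when any endpoint is expired, close to expiry, or returned no certificate makes the script usable from cron or a monitoring check.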