Get server's certificate information.
For Mac it provide Homebrew integration. Please install like following.
$ brew tap genkiroid/homebrew-cert
$ brew install cert
For other platforms, Precompiled binaries for released versions are available in the releases page.
Or go install
.
$ go install github.com/genkiroid/cert/cmd/cert@latest
Give domain names as arguments.
$ cert github.com google.co.jp
DomainName: github.com
IP: 192.30.255.113
Port: 443
Issuer: DigiCert SHA2 Extended Validation Server CA
NotBefore: 2016-03-10 09:00:00 +0900 JST
NotAfter: 2018-05-17 21:00:00 +0900 JST
CommonName: github.com
SANs: [github.com www.github.com]
Error:
DomainName: google.co.jp
IP: 216.58.196.227
Port: 443
Issuer: Google Internet Authority G3
NotBefore: 2017-10-17 19:59:51 +0900 JST
NotAfter: 2018-01-09 19:00:00 +0900 JST
CommonName: *.google.co.jp
SANs: [*.google.co.jp google.co.jp]
Error:
You can specify port number. So you can get server certificate information of not only web server but also mail server and others.
$ cert github.com google.co.jp:443 imap.gmail.com:993
DomainName: github.com
IP: 192.30.255.113
Port: 443
Issuer: DigiCert SHA2 Extended Validation Server CA
NotBefore: 2016-03-10 09:00:00 +0900 JST
NotAfter: 2018-05-17 21:00:00 +0900 JST
CommonName: github.com
SANs: [github.com www.github.com]
Error:
DomainName: google.co.jp
IP: 172.217.27.163
Port: 443
Issuer: Google Internet Authority G3
NotBefore: 2017-10-17 19:59:51 +0900 JST
NotAfter: 2018-01-09 19:00:00 +0900 JST
CommonName: *.google.co.jp
SANs: [*.google.co.jp google.co.jp]
Error:
DomainName: imap.gmail.com
IP: 64.233.188.108
Port: 993
Issuer: Google Internet Authority G2
NotBefore: 2017-10-17 19:10:29 +0900 JST
NotAfter: 2017-12-29 09:00:00 +0900 JST
CommonName: imap.gmail.com
SANs: [imap.gmail.com]
Error:
$ cert --help
Usage of cert:
-c string
Specify cipher suite. Refer to https://golang.org/pkg/crypto/tls/#pkg-constants for supported cipher suites.
-cipher string
Specify cipher suite. Refer to https://golang.org/pkg/crypto/tls/#pkg-constants for supported cipher suites.
-f string
Output format. md: as markdown, json: as JSON. (default "simple table")
-format string
Output format. md: as markdown, json: as JSON. (default "simple table")
-k Skip verification of server's certificate chain and host name.
-s int
Timeout seconds. (default 3)
-skip-verify
Skip verification of server's certificate chain and host name.
-t string
Output format as Go template string or Go template file path.
-template string
Output format as Go template string or Go template file path.
-timeout int
Timeout seconds. (default 3)
-u Use UTC to represent NotBefore and NotAfter.
-utc
Use UTC to represent NotBefore and NotAfter.
-v Show version.
-version
Show version.
Use cert -f json
.
$ cert -f json github.com | jq .
[
{
"DomainName": "github.com",
"IP": "192.30.255.112",
"Port": "443",
"Issuer": "DigiCert SHA2 Extended Validation Server CA",
"CommonName": "github.com",
"SANs": [
"github.com",
"www.github.com"
],
"NotBefore": "2016-03-10 09:00:00 +0900 JST",
"NotAfter": "2018-05-17 21:00:00 +0900 JST",
"Error": ""
}
]
Use cert -f md
.
$ cert -f md github.com
DomainName | IP | Port | Issuer | NotBefore | NotAfter | CN | SANs | Error
--- | --- | --- | --- | --- | --- | --- | --- | ---
github.com | 192.30.255.113 | 443 | DigiCert SHA2 Extended Validation Server CA | 2016-03-10 09:00:00 +0900 JST | 2018-05-17 21:00:00 +0900 JST | github.com | github.com<br/>www.github.com<br/> |
DomainName | IP | Port | Issuer | NotBefore | NotAfter | CN | SANs | Error |
---|---|---|---|---|---|---|---|---|
github.com | 192.30.255.113 | 443 | DigiCert SHA2 Extended Validation Server CA | 2016-03-10 09:00:00 +0900 JST | 2018-05-17 21:00:00 +0900 JST | github.com | github.com www.github.com |
Use cert -t
.
By direct string.
$ cert -t "{{range .}}{{.Issuer}}{{end}}" github.com
DigiCert SHA2 Extended Validation Server CA
By template file.
$ cat /tmp/cert_templ
{{range .}}{{range .CertChain}}Issuer: {{.Issuer.CommonName}}
{{end}}{{end}}
$
$ cert -t /tmp/cert_templ github.com
Issuer: DigiCert SHA2 Extended Validation Server CA
Issuer: DigiCert High Assurance EV Root CA
see #13
You can specify cipher suite. As a result, you can get the information of each certificate.
Note that the issuers are different in the following example.
# Get information of the certificate using RSA signature/public key algorithm.
$ cert -cipher TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 cloudflaressl.com
DomainName: cloudflaressl.com
IP: 104.20.47.142
Port: 443
Issuer: COMODO RSA Domain Validation Secure Server CA 2
NotBefore: 2019-08-23 09:00:00 +0900 JST
NotAfter: 2020-03-01 08:59:59 +0900 JST
CommonName: ssl509631.cloudflaressl.com
SANs: [ssl509631.cloudflaressl.com *.cloudflaressl.com cloudflaressl.com]
Error:
# Get information of the certificate using ECDSA signature/public key algorithm.
$ cert -cipher TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 cloudflaressl.com
DomainName: cloudflaressl.com
IP: 104.20.48.142
Port: 443
Issuer: COMODO ECC Domain Validation Secure Server CA 2
NotBefore: 2019-08-23 09:00:00 +0900 JST
NotAfter: 2020-03-01 08:59:59 +0900 JST
CommonName: ssl509632.cloudflaressl.com
SANs: [ssl509632.cloudflaressl.com *.cloudflaressl.com cloudflaressl.com]
Error:
If you specify a cipher suite, the maximum TLS version used is limited to TLS1.2. This is because if the server supports TLS1.3, the specified cipher suite is ignored and communication is performed using TLS1.3. This eliminates the meaning of specifying a cipher suite and confuses us. This specification will change when the cipher suite for Tls1.3 becomes configurable in Go.