Command-line tips I often use when checking certificates
Checking a specific server's certificate
$ openssl s_client -showcerts -connect example.com:443 <<< "Q"
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, CN = www.example.org
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Los Angeles/O=Internet Corporation for Assigned Names and Numbers/CN=www.example.org
i:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
-----BEGIN CERTIFICATE-----
MIIG1TCCBb2gAwIBAgIQD74IsIVNBXOKsMzhya/uyTANBgkqhkiG9w0BAQsFADBP
(snip)
note:
- "Q" is sent so that openssl closes the connection
Viewing the contents of a specific server's certificate
Pipe the output into the openssl command
$ openssl s_client -showcerts -connect example.com:443 <<< "Q" 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0f:be:08:b0:85:4d:05:73:8a:b0:cc:e1:c9:af:ee:c9
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
Validity
Not Before: Nov 24 00:00:00 2020 GMT
Not After : Dec 25 23:59:59 2021 GMT
Subject: C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, CN = www.example.org
(snip)
This is handy for things like checking the validity period
$ openssl s_client -showcerts -connect example.com:443 <<< "Q" 2>/dev/null | openssl x509 -inform pem -noout -text | grep GMT | grep Not
Not Before: Nov 24 00:00:00 2020 GMT
Not After : Dec 25 23:59:59 2021 GMT
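Checking the expiry of each certificate installed on the machine
Look at the certificates installed by ca-certificates
Preparation (current Go toolchains install binaries with go install; go get no longer builds them):
$ go install github.com/atotto/listcert@latest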
$ listcert /etc/ssl/certs
/usr/share/ca-certificates/mozilla/Go_Daddy_Class_2_CA.crt, , 2034-06-29 17:06:20 +0000 UTC
/usr/share/ca-certificates/mozilla/WellsSecure_Public_Root_Certificate_Authority.crt, WellsSecure Public Root Certificate Authority, 2022-12-14 00:07:54 +0000 UTC
/usr/share/ca-certificates/mozilla/ePKI_Root_Certification_Authority.crt, , 2034-12-20 02:31:27 +0000 UTC
(snip)
Looking at certificates in a pkcs7 file
$ openssl pkcs7 -print_certs -in example.p7b