How to Retrieve Full SSL Certificate Details from Command Line (cURL/OpenSSL Examples)



When examining SSL certificates in Chrome, you get rich details including issuer chain, validity periods, and cryptographic fingerprints. However, basic cURL commands only show limited certificate information:

curl -vvI https://example.com
* Server certificate: example.com
* Server certificate: Intermediate CA
* Server certificate: Root CA

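The most comprehensive approach is using OpenSSL's s_client command:

openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -noout -text -fingerprint -sha256

Redirecting stdin from /dev/null makes s_client exit once the handshake completes instead of waiting for input, and -fingerprint -sha256 prints the SHA-256 fingerprint, which -text alone does not include. This command provides:

  • Full certificate chain (sent by s_client -showcerts; openssl x509 decodes only the first certificate on its input, the leaf)
  • Validity dates
  • Subject/issuer details
  • Public key algorithm
  • Extensions (SAN, Key Usage, etc.)
  • Fingerprints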

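To extract the lines from the TLS connection summary through the start of the certificate block in cURL's verbose output (plain text, not JSON):

curl --cert-status -v https://example.com 2>&1 | awk '/^\* SSL connection/,/^\* Server certificate/{print}'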

Or to save the server's certificate to a file in PEM format:

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -outform PEM > cert.pem

For systems with gnutls-cli installed:

gnutls-cli --print-cert example.com -p 443

To check expiration, print the validity dates:

openssl s_client -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -dates

Or convert the expiry date to a Unix timestamp for use in scripts (requires GNU date):

openssl s_client -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2 | xargs -I {} date -d {} +%s

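To examine each certificate in the chain separately, split the -showcerts output into cert1.pem (the leaf), cert2.pem, and so on:

openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null | awk '/BEGIN CERT/{out="cert" (++i) ".pem"} /BEGIN CERT/,/END CERT/{print > out}'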

Then inspect individual files with:

openssl x509 -in cert1.pem -noout -text

While cURL's -v flag shows basic SSL certificate information during connections, it doesn't display the full certificate details like Chrome's certificate viewer. Here's how to get comprehensive certificate information from the command line.

The most powerful tool for certificate examination is OpenSSL. This command retrieves and displays the full certificate:

openssl s_client -connect gnupg.org:443 -servername gnupg.org </dev/null 2>/dev/null | openssl x509 -noout -text

This gives you:

  • Issuer and subject details
  • Validity periods
  • Public key information
  • Extensions (including SANs)
  • Signature algorithm

You can query specific fields using OpenSSL:

# Get validity dates (notBefore and notAfter)
openssl s_client -connect gnupg.org:443 -servername gnupg.org </dev/null 2>/dev/null | openssl x509 -noout -dates

# Get issuer information
openssl s_client -connect gnupg.org:443 -servername gnupg.org </dev/null 2>/dev/null | openssl x509 -noout -issuer

# Get subject alternative names
openssl s_client -connect gnupg.org:443 -servername gnupg.org </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"

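While cURL doesn't show full details by default, you can get more information with the command below. Note that --cert-status makes cURL verify the certificate's status through OCSP stapling, so the request fails if the server does not staple a valid response:

curl --cert-status -vI https://gnupg.org 2>&1 | grep -A6 "certificate"

To keep only the TLS and certificate lines of cURL's verbose output, filter it with awk:

curl -sIv https://gnupg.org 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\* Server certificate:/ { cert=2 } /^\*/ { if (cert) print }'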

To view the complete certificate chain:

openssl s_client -showcerts -connect gnupg.org:443 -servername gnupg.org </dev/null

This shows all intermediate certificates in the chain, which is particularly useful for debugging trust issues.

For scripting purposes, here's how to check if a certificate will expire soon:

#!/bin/bash
# Requires GNU date for "date -d".
HOST="gnupg.org"
PORT=443

# </dev/null closes stdin so s_client exits as soon as the handshake is done
end_date=$(openssl s_client -connect "$HOST:$PORT" -servername "$HOST" </dev/null 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2)
end_epoch=$(date -d "$end_date" +%s)
now_epoch=$(date +%s)
days_left=$(( (end_epoch - now_epoch) / 86400 ))

echo "Certificate for $HOST expires in $days_left days on $end_date"
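
The chain-splitting step and the expiry check above can be combined so that every certificate the server sends is summarised and checked, not only the leaf. This is an added example, not code from the original page; the function names split_chain and chain_report are hypothetical, and it assumes openssl, awk and mktemp are installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Function names are hypothetical.

# split_chain DIR: read `openssl s_client -showcerts` output on stdin and write
# DIR/cert1.pem (leaf), DIR/cert2.pem, ... keeping only the PEM blocks.
# Prints the number of certificates found.
split_chain() {
  local dir="$1"
  mkdir -p "$dir" || return 1
  rm -f "$dir"/cert*.pem            # drop stale files from an earlier run
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; inside = 1 }
    inside                        { print > out }
    /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    END                           { print n + 0 }
  '
}

# chain_report HOST [PORT] [DAYS]: summarise every certificate the server sends.
# Returns 1 if any of them expires within DAYS (default 30), 2 on fetch failure.
chain_report() {
  local host="$1" port="${2:-443}" days="${3:-30}" dir count i=1 rc=0
  dir=$(mktemp -d) || return 2
  count=$(openssl s_client -connect "$host:$port" -servername "$host" \
            -showcerts </dev/null 2>/dev/null | split_chain "$dir")
  if [ "${count:-0}" -eq 0 ]; then
    echo "no certificate received from $host:$port" >&2
    rm -rf "$dir"; return 2
  fi
  while [ "$i" -le "$count" ]; do
    echo "--- certificate $i of $count"
    openssl x509 -in "$dir/cert$i.pem" -noout \
      -subject -issuer -dates -fingerprint -sha256
    # -checkend N exits non-zero when the certificate expires within N seconds
    if ! openssl x509 -in "$dir/cert$i.pem" -noout \
           -checkend "$((days * 86400))" >/dev/null; then
      echo "WARNING: certificate $i expires within $days days"
      rc=1
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
  return "$rc"
}
```

Source the file and run chain_report gnupg.org 443 30; the exit status makes it usable from cron or a monitoring check, and -checkend avoids depending on GNU date.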

Other useful command-line tools for certificate inspection:

  • nmap --script ssl-cert -p 443 gnupg.org
  • gnutls-cli --print-cert gnupg.org
  • sslyze --certinfo gnupg.org