Display remote SSL certificate details using CLI tools

In Chrome, clicking the green HTTPS lock icon opens a window with the certificate details:


When I tried with cURL, I only got part of the information:

    $ curl -vvI https://gnupg.org
    * Rebuilt URL to: https://gnupg.org/
    * Hostname was NOT found in DNS cache
    *   Trying 217.69.76.60...
    * Connected to gnupg.org (217.69.76.60) port 443 (#0)
    * TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    * Server certificate: gnupg.org
    * Server certificate: Gandi Standard SSL CA
    * Server certificate: UTN-USERFirst-Hardware
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.37.1
    > Host: gnupg.org
    > Accept: */*

Any idea how to get the full certificate information from a command-line tool (cURL or another)?

You should be able to use OpenSSL for your purpose:

    echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text

That command connects to the desired website and pipes the certificate, in PEM format, to another openssl command that reads and parses the details.

(Note that the "redundant" -servername parameter is necessary to make openssl do a request with SNI support.)
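As an added example (not part of the answer above), the same s_client / x509 pipeline wrapped into reusable POSIX shell functions: fetch the chain with SNI, split the -showcerts output into one PEM file per certificate (cert-0.pem is the leaf), summarise each one, and flag certificates expiring within N days using `openssl x509 -checkend`. The function names, the output directory and the HOST/PORT arguments are my own; the -ext subjectAltName flag assumes OpenSSL 1.1.1 or newer, with a -text fallback for older builds.

```shell
#!/bin/sh
# Added example, not the answer's own code: wrap the s_client/x509 pipeline
# from the answer into reusable functions. Needs the openssl binary.

# fetch_chain HOST [PORT] [SNI_NAME]
# Prints raw `openssl s_client -showcerts` output. The empty stdin from `echo`
# makes s_client close the connection right after the handshake; -servername
# sends the SNI extension so a virtual-hosted server returns the right cert.
fetch_chain() {
    host=$1; port=${2:-443}; sni=${3:-$1}
    echo | openssl s_client -showcerts -servername "$sni" \
        -connect "$host:$port" 2>/dev/null
}

# split_chain OUTDIR
# Reads s_client output on stdin and writes each BEGIN/END CERTIFICATE block
# to OUTDIR/cert-N.pem (cert-0 is the leaf). Prints the number of certs found.
split_chain() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; n++; on = 1 }
        on { print > f }
        /-----END CERTIFICATE-----/   { on = 0; close(f) }
        END { print n }'
}

# cert_summary FILE
# Subject, issuer, serial, validity window and SANs of one PEM certificate.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -serial -dates
    # -ext needs OpenSSL 1.1.1+; older builds fall back to the -text dump.
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null ||
        openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# expires_within FILE DAYS
# Succeeds (exit 0) if the certificate expires within DAYS days. -checkend
# itself exits 0 while the cert is still valid at that point, so it is negated.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage: sh cert-chain.sh HOST [PORT]
if [ $# -gt 0 ]; then
    dir=$(mktemp -d)
    count=$(fetch_chain "$1" "${2:-443}" | split_chain "$dir")
    echo "received $count certificate(s) from $1 (PEM files in $dir)"
    for f in "$dir"/cert-*.pem; do
        [ -f "$f" ] || continue
        echo "== $f"
        cert_summary "$f"
        expires_within "$f" 30 && echo "WARNING: $f expires within 30 days"
    done
fi
```

Splitting the chain first matters because `openssl x509` only reads the first certificate on its input; piping s_client straight into it, as in the answer, silently drops the intermediates and the root.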

Here is my everyday script:

    curl --insecure -v https://www.google.com 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

Output:

    * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
    * server certificate verification SKIPPED
    * server certificate status verification SKIPPED
    * common name: www.google.com (matched)
    * server certificate expiration date OK
    * server certificate activation date OK
    * certificate public key: RSA
    * certificate version: #3
    * subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=www.google.com
    * start date: Wed, 24 May 2017 17:39:15 GMT
    * expire date: Wed, 16 Aug 2017 17:13:00 GMT
    * issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
    * compression: NULL
    * ALPN, server accepted to use http/1.1
    * Connection #0 to host www.google.com left intact
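Added example, not from the answer above: the awk one-liner prints the handshake lines, but because it runs with --insecure curl also reports "server certificate verification SKIPPED", so every field it shows is the server's unverified claim. The POSIX shell functions below pull the same lines into KEY=VALUE form and succeed only when curl reports the chain as verified. The line formats are assumed from the output shown above (the "* subject:" style of the GnuTLS/NSS backends) plus the "*  SSL certificate verify ok." line printed by curl's OpenSSL backend; the embedded sample input is constructed.

```shell
#!/bin/sh
# Added example, not the answer's own code: turn curl's handshake chatter into
# KEY=VALUE lines and check whether curl actually verified the certificate.
# With --insecure curl prints "server certificate verification SKIPPED", so the
# fields it shows are the server's claims, not verified facts.

# curl_cert_fields
# Reads `curl -v` output on stdin, prints one KEY=VALUE per certificate field.
# Assumed line formats: "* subject:" style (GnuTLS/NSS backends, as in the
# answer's output) and "*  SSL certificate verify ok." (OpenSSL backend).
curl_cert_fields() {
    sed -n \
        -e 's/^\* *subject: */subject=/p' \
        -e 's/^\* *issuer: */issuer=/p' \
        -e 's/^\* *start date: */start=/p' \
        -e 's/^\* *expire date: */expire=/p' \
        -e 's/^\* *common name: */cn=/p' \
        -e 's/^\* *server certificate verification */verify=/p' \
        -e 's/^\* *SSL certificate verify */verify=/p'
}

# curl_verified
# Reads `curl -v` output on stdin; exit 0 only if curl reported the chain as
# verified ("OK" for GnuTLS/NSS, "ok." for OpenSSL); 1 for SKIPPED or errors.
curl_verified() {
    v=$(curl_cert_fields | sed -n 's/^verify=//p' | head -n 1)
    case $v in
        OK|ok.) return 0 ;;
        *)      return 1 ;;
    esac
}

# sample_curl_output: constructed sample modelled on the --insecure run above.
sample_curl_output() {
    cat <<'EOF'
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: www.google.com (matched)
* subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=www.google.com
* start date: Wed, 24 May 2017 17:39:15 GMT
* expire date: Wed, 16 Aug 2017 17:13:00 GMT
* issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
EOF
}

# Usage: sh curl-cert.sh [HOST]; with no HOST the constructed sample is used.
if [ $# -gt 0 ]; then
    out=$(curl -v "https://$1/" -o /dev/null 2>&1)   # deliberately no --insecure
else
    out=$(sample_curl_output)
fi
printf '%s\n' "$out" | curl_cert_fields
if printf '%s\n' "$out" | curl_verified; then
    echo "curl verified the certificate chain"
else
    echo "WARNING: certificate not verified by curl; treat the fields above as unverified"
fi
```

Run against the sample it prints the parsed fields and then the warning, because the sample came from an --insecure run; against a live host without --insecure it prints the fields only if curl's own verification succeeded, which is the behaviour you want in a monitoring script.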

It depends on what kind of information you want, but:

    openssl s_client -showcerts -connect gnupg.org:443

should give you the most, although it is not as readable as in Chrome.

To check SSL certificate details I use the following command-line tool, since it became available:

https://github.com/azet/tls_tools

Double-checking that all your information is correct, whether you are re-issuing certificates or validating existing ones; it also has very few dependencies and needs no setup.

Here is what the first few lines of the output look like:

    $ ./check_certificate_chain.py gnupg.org 443

    >> Certificate Chain:
     [+]*       OU=Domain Control Validated, OU=Gandi Standard SSL, CN=gnupg.org
     [+]**      C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
     [+]***     C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware

    >> Certificate Information:
    ................................................................................
    - [Subject]:            OU=Domain Control Validated, OU=Gandi Standard SSL, CN=gnupg.org
    - [Issuer]:             C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
    - [Valid from]:         Mar 18 00:00:00 2014 GMT
    - [Valid until]:        Mar 18 23:59:59 2016 GMT
    - [Authority]:          Is not a CA
    - [Version]:            2
    - [Serial No.]:         43845251655098616578492338727643475746
    - [X.509 Extension Details]:
      -- [x509_authorityKeyIdentifier]:
         keyid:B6:A8:FF:A2:A8:2F:D0:A6:CD:4B:B1:68:F3:E7:50:10:31:A7:79:21

The whole certificate chain follows in the output at the same level of detail.

I prefer this over an SSL-centric CLI tool like openssl's s_client; this one tries to do just what we need most of the time. Of course, openssl is more flexible (i.e. checking clients, imaps on odd ports, etc.), but I don't always need that.

Alternatively, if you have the time to dig in and set things up, or appreciate more features, there is a bigger tool called sslyze (I don't use it because of the dependencies and installation...)

I use a shell script for this. It's just a wrapper around the openssl command that saves me from having to remember the syntax.

It provides options to parse out most of the certificate information I'm usually interested in, or to show the raw openssl output.

It can query either a local certificate file or a remote server.

Usage:

    $ ssl-cert-info --help
    Usage: ssl-cert-info [options]

    This shell script is a simple wrapper around the openssl binary. It uses
    s_client to get certificate information from remote hosts, or x509 for
    local certificate files. It can parse out some of the openssl output or
    just dump all of it as text.

    Options:

      --all-info    Print all output, including boring things like Modulus and Exponent.
      --alt         Print Subject Alternative Names. These will typically be additional
                    hostnames that the certificate is valid for.
      --cn          Print commonName from Subject. This is typically the host for which
                    the certificate was issued.
      --debug       Print additional info that might be helpful when debugging this script.
      --end         Print certificate expiration date. For additional functionality related
                    to certificate expiration, take a look at this script:
                    "http://prefetch.net/code/ssl-cert-check".
      --dates       Print start and end dates of when the certificate is valid.
      --file        Use a local certificate file for input.
      --help        Print this help message.
      --host        Fetch the certificate from this remote host.
      --issuer      Print the certificate issuer.
      --most-info   Print almost everything. Skip boring things like Modulus and Exponent.
      --option      Pass any openssl option through to openssl to get its raw output.
      --port        Use this port when connecting to remote host. If omitted, port defaults to 443.
      --subject     Print the certificate Subject -- typically address and org name.

    Examples:

    1. Print a list of all hostnames that the certificate used by amazon.com is valid for.

       ssl-cert-info --host amazon.com --alt
       DNS:uedata.amazon.com
       DNS:amazon.com
       DNS:amzn.com
       DNS:www.amzn.com
       DNS:www.amazon.com

    2. Print issuer of certificate used by smtp.gmail.com. Fetch certificate info over port 465.

       ssl-cert-info --host smtp.gmail.com --port 465 --issuer
       issuer=
           countryName               = US
           organizationName          = Google Inc
           commonName                = Google Internet Authority G2

    3. Print valid dates for the certificate, using a local file as the source of certificate data.
       Dates are formatted using the date command and display time in your local timezone instead of GMT.

       ssl-cert-info --file /path/to/file.crt --dates
       valid from: 2014-02-04 16:00:00 PST
       valid till: 2017-02-04 15:59:59 PST

    4. Print certificate serial number. This script doesn't have a special option to parse out
       the serial number, so will use the generic --option flag to pass '-serial' through to openssl.

       ssl-cert-info --host gmail.com --option -serial
       serial=4BF004B4DDC9C2F8

You can get the script here: http://giantdorks.org/alain/shell-script-to-check-ssl-certificate-info-like-expiration-date-and-subject/

    nmap -p 443 --script ssl-cert gnupg.org

-p 443 specifies that only port 443 be scanned. If it is omitted, all ports are scanned and certificate details are shown for any SSL service found. --script ssl-cert tells the Nmap scripting engine to run only the ssl-cert script. From the documentation, this script "(r)etrieves a server's SSL certificate. The amount of information printed about the certificate depends on the verbosity level."

Example output:

    Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-01 13:35 PDT
    Nmap scan report for gnupg.org (217.69.76.60)
    Host is up (0.16s latency).
    Other addresses for gnupg.org (not scanned): (null)
    rDNS record for 217.69.76.60: www.gnupg.org
    PORT    STATE SERVICE
    443/tcp open  https
    | ssl-cert: Subject: commonName=gnupg.org
    | Subject Alternative Name: DNS:gnupg.org, DNS:www.gnupg.org
    | Issuer: commonName=Gandi Standard SSL CA 2/organizationName=Gandi/stateOrProvinceName=Paris/countryName=FR
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2015-12-21T00:00:00
    | Not valid after:  2018-03-19T23:59:59
    | MD5:   c3a7 e0ed 388f 87cb ec7f fd3e 71f2 1c3e
    |_SHA-1: 5196 ecf5 7aed 139f a511 735b bfb5 7534 df63 41ba

    Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds

If you want to do this on Windows, you can use PowerShell with the following function:

    function Retrieve-ServerCertFromSocket ($hostname, $port=443, $SNIHeader, [switch]$FailWithoutTrust)
    {
        if (!$SNIHeader) { $SNIHeader = $hostname }
        $cert = $null
        try {
            $tcpclient = new-object System.Net.Sockets.tcpclient
            $tcpclient.Connect($hostname,$port)

            #Authenticate with SSL
            if (!$FailWithoutTrust) {
                # the {$true} callback accepts any server certificate (no trust check)
                $sslstream = new-object System.Net.Security.SslStream -ArgumentList $tcpclient.GetStream(),$false, {$true}
            } else {
                $sslstream = new-object System.Net.Security.SslStream -ArgumentList $tcpclient.GetStream(),$false
            }
            $sslstream.AuthenticateAsClient($SNIHeader)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]($sslstream.remotecertificate)
        } catch {
            throw "Failed to retrieve remote certificate from $hostname`:$port because $_"
        } finally {
            #cleanup
            if ($sslStream) {$sslstream.close()}
            if ($tcpclient) {$tcpclient.close()}
        }
        return $cert
    }

This lets you do some neat things:

    #Save to file and open
    Retrieve-ServerCertFromSocket www.wrish.com 443 | Export-Certificate -FilePath C:\temp\test.cer ; start c:\temp\test.cer

    #Display the cert details
    Retrieve-ServerCertFromSocket www.wrish.com 443 | fl subject,*not*,Thumb*,ser*
    nmap -sV -sC google.com -p 443