Accepted
Adam Matan
Asked: 2015-01-24 14:13:21 +0800 CST

Display remote SSL certificate details using a CLI tool

  • 772

In Chrome, clicking the green HTTPS lock icon opens a window with the certificate details:

[image: Chrome certificate details window]

When I try the same thing with cURL, I only get a little of that information:

$ curl -vvI https://gnupg.org
* Rebuilt URL to: https://gnupg.org/
* Hostname was NOT found in DNS cache
*   Trying 217.69.76.60...
* Connected to gnupg.org (217.69.76.60) port 443 (#0)
* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: gnupg.org
* Server certificate: Gandi Standard SSL CA
* Server certificate: UTN-USERFirst-Hardware
> HEAD / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: gnupg.org
> Accept: */*

Any idea how to get the complete certificate information from a command-line tool (cURL or otherwise)?

ssl
  • 14 answers
  • 611799 Views

14 answers

  • Voted
  1. Best Answer
    Pedro Perez
    2015-01-24T14:26:15+08:00

    You should be able to use OpenSSL for your purpose:

    echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text
    

    This command connects to the desired website and pipes the certificate in PEM format to another openssl command that reads and parses the details.

    (Note that the "redundant" -servername parameter is necessary for openssl to make the request with SNI support.)

    • 484
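The second half of that pipeline is where the detail comes from: once `openssl x509` has the PEM, every field the browser dialog shows can be pulled out of it, and the one check a browser does that the pipeline does not is whether the certificate actually covers the host you asked for. The following is an added example (not code from the answer or from OpenSSL's own tooling) that wraps that parsing in small POSIX sh functions; it assumes OpenSSL 1.1.1 or later for `-addext`, and the self-signed certificate it builds is constructed here so the example runs offline.

```shell
#!/bin/sh
# Added example, not code from the original answer: pull the fields a browser's
# certificate dialog shows out of a PEM certificate with `openssl x509`, and
# check that the certificate covers the hostname you meant to reach.
# Input is a PEM file, e.g. the output of
#   echo | openssl s_client -showcerts -servername HOST -connect HOST:443 2>/dev/null \
#        | openssl x509 > cert.pem
# The self-signed test certificate is constructed here so the example runs
# offline; -addext needs OpenSSL 1.1.1 or later.

# make_test_cert DIR: write a constructed self-signed cert (and key) into DIR
# and print the certificate path. Stand-in for what s_client would return.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/O=Example Corp/CN=www.example.test" \
        -addext "subjectAltName=DNS:www.example.test,DNS:*.internal.example.test" \
        >/dev/null 2>&1 && printf '%s\n' "$1/cert.pem"
}

# cert_field FILE NAME: one -noout field of `openssl x509`
# (subject, issuer, serial, startdate, enddate, fingerprint, ...)
cert_field() {
    openssl x509 -in "$1" -noout "-$2" 2>/dev/null
}

# cert_sans FILE: DNS names from the subjectAltName extension, one per line.
# In -text output the names sit on the line after the extension header.
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# cert_covers FILE HOST: exit 0 if HOST matches a SAN exactly or via a
# wildcard covering exactly one label (the rule browsers apply, RFC 6125 6.4.3).
# The CN is deliberately ignored: browsers no longer use it for host matching,
# so a cert with the right CN but wrong SANs still fails in Chrome.
cert_covers() {
    _host=$2
    _wild="*.${_host#*.}"
    cert_sans "$1" | {
        while IFS= read -r _san; do
            [ "$_san" = "$_host" ] && exit 0
            [ "$_san" = "$_wild" ] && exit 0
        done
        exit 1
    }
}

# cert_summary FILE: the rough equivalent of the browser's "Details" tab
cert_summary() {
    for _name in subject issuer serial startdate enddate fingerprint; do
        cert_field "$1" "$_name"
    done
    printf 'sans=%s\n' "$(cert_sans "$1" | paste -sd, -)"
}

# Demo with the constructed certificate: sh thisfile.sh --demo
if [ "${1-}" = "--demo" ]; then
    _dir=$(mktemp -d)
    _cert=$(make_test_cert "$_dir")
    cert_summary "$_cert"
    cert_covers "$_cert" db.internal.example.test && echo "db.internal.example.test: covered"
    cert_covers "$_cert" example.test || echo "example.test: NOT covered"
    rm -rf "$_dir"
fi
```

Against a real server, save the PEM from the `s_client | x509` pipeline to a file and pass that file to `cert_summary` and `cert_covers`; the wildcard rule is the single-label one, so `*.internal.example.test` covers `db.internal.example.test` but not `deep.db.internal.example.test`.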
  2. user181713
    2016-01-16T05:23:37+08:00

    Basic certificate information

    This is my daily script:

    curl --insecure -vvI https://www.example.com 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
    

    Output:

    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: C=US; ST=California; L=Los Angeles; O=Verizon Digital Media Services, Inc.; CN=www.example.org
    *  start date: Dec 10 00:00:00 2021 GMT
    *  expire date: Dec  9 23:59:59 2022 GMT
    *  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
    *  SSL certificate verify ok.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Using Stream ID: 1 (easy handle 0x5588e1f5ae30)
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
    * Connection #0 to host www.example.com left intact
    
    

    Full certificate information

    openssl s_client -connect www.example.com:443 </dev/null 2>/dev/null | openssl x509 -inform pem -text
    
    • 143
  3. Jose Quinteiro
    2017-11-02T12:37:49+08:00
    nmap -p 443 --script ssl-cert gnupg.org
    

    -p 443 specifies that only port 443 is scanned. If omitted, all ports are scanned and the certificate details of any SSL service found are shown. --script ssl-cert tells the Nmap scripting engine to run only the ssl-cert script. From the documentation, this script "(r)etrieves a server's SSL certificate. The amount of information printed about the certificate depends on the verbosity level."

    Sample output:

    Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-01 13:35 PDT
    Nmap scan report for gnupg.org (217.69.76.60)
    Host is up (0.16s latency).
    Other addresses for gnupg.org (not scanned): (null)
    rDNS record for 217.69.76.60: www.gnupg.org
    PORT    STATE SERVICE
    443/tcp open  https
    | ssl-cert: Subject: commonName=gnupg.org
    | Subject Alternative Name: DNS:gnupg.org, DNS:www.gnupg.org
    | Issuer: commonName=Gandi Standard SSL CA 2/organizationName=Gandi/stateOrProvinceName=Paris/countryName=FR
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2015-12-21T00:00:00
    | Not valid after:  2018-03-19T23:59:59
    | MD5:   c3a7 e0ed 388f 87cb ec7f fd3e 71f2 1c3e
    |_SHA-1: 5196 ecf5 7aed 139f a511 735b bfb5 7534 df63 41ba
    
    Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds
    
    • 75
  4. faker
    2015-01-24T14:20:51+08:00

    Depends on what kind of information you want, but:

    openssl s_client -showcerts -connect gnupg.org:443
    

    should give you the most, though not as readable as Chrome.

    • 38
  5. dave_thompson_085
    2018-09-20T12:27:34+08:00

    For completeness: if you have Java 7 or later installed on your system,

     keytool -printcert -sslserver $host[:$port]
    

    shows the chain (as served) with almost all details, in a very ugly format.

    Whether you should have Java installed on your system is a question I won't answer.

    • 28
  6. Neossian
    2016-12-15T08:06:04+08:00

    If you want to do this on Windows, you can use PowerShell with the following function:

    function Retrieve-ServerCertFromSocket ($hostname, $port=443, $SNIHeader, [switch]$FailWithoutTrust)
    {
        if (!$SNIHeader) {
            $SNIHeader = $hostname
        }
    
        $cert = $null
        try {
            $tcpclient = new-object System.Net.Sockets.tcpclient
            $tcpclient.Connect($hostname,$port)
    
            #Authenticate with SSL
            if (!$FailWithoutTrust) {
                $sslstream = new-object System.Net.Security.SslStream -ArgumentList $tcpclient.GetStream(),$false, {$true}
            } else {
                $sslstream = new-object System.Net.Security.SslStream -ArgumentList $tcpclient.GetStream(),$false
            }
    
            $sslstream.AuthenticateAsClient($SNIHeader)
            $cert =  [System.Security.Cryptography.X509Certificates.X509Certificate2]($sslstream.remotecertificate)
    
         } catch {
            throw "Failed to retrieve remote certificate from $hostname`:$port because $_"
         } finally {
            #cleanup
            if ($sslStream) {$sslstream.close()}
            if ($tcpclient) {$tcpclient.close()}        
         }    
        return $cert
    }
    

    This lets you do some neat things, such as

    #Save to file and open 
    Retrieve-ServerCertFromSocket www.wrish.com 443 | Export-Certificate -FilePath C:\temp\test.cer ; start c:\temp\test.cer
    
    #Display the cert details
    Retrieve-ServerCertFromSocket www.wrish.com 443 | fl subject,*not*,Thumb*,ser*
    
    • 9
  7. c4urself
    2018-04-06T18:17:16+08:00

    If you just want the expiry date (which isn't exactly the answer, but is 9/10 of what people use Chrome's certificate details for), you can use:

    echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -enddate

    Useful for scripts and the like.

    c4urself@eos ~ → which ssl_expiry
    ssl_expiry () {
      echo | openssl s_client -connect ${1}:443 2> /dev/null | openssl x509 -noout -enddate
    }
    c4urself@eos ~ → ssl_expiry google.com
    notAfter=Jun 12 16:54:00 2018 GMT
    
    • 9
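The one-liner above prints the date; the scripting use the answer mentions usually wants a threshold and an exit code instead. The following is an added example (not the answer's `ssl_expiry` function and not part of OpenSSL) that builds a Nagios-style expiry check on `openssl x509 -checkend`, which avoids parsing `notAfter` with date(1) (whose syntax differs between GNU and BSD). The short-lived certificate it tests against is constructed here so the example runs offline; the thresholds and exit codes (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) are this example's own convention.

```shell
#!/bin/sh
# Added example, not code from the original answer: turn the expiry lookup into
# a monitoring check with a warning and a critical threshold, using
# `openssl x509 -checkend` so no date parsing is needed. Works on a PEM file,
# e.g. one saved from
#   echo | openssl s_client -servername HOST -connect HOST:443 2>/dev/null \
#        | openssl x509 > cert.pem
# The certificate below is constructed here so the example runs offline.

# make_cert_valid_for DIR DAYS: self-signed cert valid for DAYS days; prints path
make_cert_valid_for() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" -subj "/CN=expiry.example.test" \
        >/dev/null 2>&1 && printf '%s\n' "$1/cert.pem"
}

# cert_enddate FILE: the notAfter= line, exactly as the answer's one-liner prints it
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate
}

# cert_expires_within FILE DAYS: exit 0 if the cert expires within DAYS days
# (an already-expired cert counts as expiring within any number of days)
cert_expires_within() {
    # -checkend N exits 0 when the cert is still valid N seconds from now
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_cert_expiry FILE WARN_DAYS CRIT_DAYS: print a status line and return
# 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN (certificate unreadable)
check_cert_expiry() {
    _end=$(cert_enddate "$1" 2>/dev/null) || { echo "UNKNOWN - cannot read $1"; return 3; }
    if cert_expires_within "$1" "$3"; then
        echo "CRITICAL - $_end"; return 2
    elif cert_expires_within "$1" "$2"; then
        echo "WARNING - $_end"; return 1
    fi
    echo "OK - $_end"; return 0
}

# Demo with a constructed 30-day certificate: sh thisfile.sh --demo
if [ "${1-}" = "--demo" ]; then
    _dir=$(mktemp -d)
    _cert=$(make_cert_valid_for "$_dir" 30)
    check_cert_expiry "$_cert" 14 7     # OK: more than 14 days left
    check_cert_expiry "$_cert" 45 7     # WARNING: fewer than 45 days left
    check_cert_expiry "$_cert" 60 45    # CRITICAL: fewer than 45 days left
    rm -rf "$_dir"
fi
```

In a cron job or check plugin, replace the constructed certificate with one fetched by the `s_client | x509` pipeline and act on the return code; the UNKNOWN branch is what fires when the fetch produced no certificate at all (wrong port, connection refused), which is worth distinguishing from a genuinely expiring certificate.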
  8. Florian Heigl
    2015-01-24T17:34:47+08:00

    To check SSL certificate details I have been using the following command-line tool since it became available:

    https://github.com/azet/tls_tools

    It's nice for double-checking that all your information is correct before re-issuing a certificate or when validating an existing one, it has very few dependencies, and it needs no setup.

    This is what the first few lines of the output look like:

    $ ./check_certificate_chain.py gnupg.org 443
    
    >> Certificate Chain:
    
     [+]*       OU=Domain Control Validated, OU=Gandi Standard SSL, CN=gnupg.org
     [+]**      C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
     [+]***     C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
    
    >> Certificate Information:
    
    ................................................................................
    - [Subject]:        OU=Domain Control Validated, OU=Gandi Standard SSL, CN=gnupg.org
    - [Issuer]:     C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
    - [Valid from]:     Mar 18 00:00:00 2014 GMT
    - [Valid until]:    Mar 18 23:59:59 2016 GMT
    - [Authority]:      Is not a CA
    - [Version]:        2
    - [Serial No.]:     43845251655098616578492338727643475746
    - [X.509 Extension Details]:
      -- [x509_authorityKeyIdentifier]:
           keyid:B6:A8:FF:A2:A8:2F:D0:A6:CD:4B:B1:68:F3:E7:50:10:31:A7:79:21 
    

    That output is followed by the entire certificate chain at the same level of detail.

    I like it better than ssl-centric CLI tools like openssl's s_client, because it tries to do just the one job we need most of the time. Of course openssl is more flexible (i.e. also checking client certs, imap on odd ports, etc.), but I don't always need that.

    Alternatively, if you have the time to dig in and set things up, or you appreciate more features, there is a bigger tool called sslyze (not using it because of the dependencies and installation...)

    • 7
  9. Alain Kelder
    2015-09-09T11:37:11+08:00

    I use a shell script for this. It's just a wrapper around the openssl command that saves me from having to remember the syntax.

    It provides options to parse out most of the certificate information I'm typically interested in, or to show the raw openssl output.

    It can query a local certificate file as well as a remote server.

    Usage:

    $ ssl-cert-info --help
    Usage: ssl-cert-info [options]
    
    This shell script is a simple wrapper around the openssl binary. It uses
    s_client to get certificate information from remote hosts, or x509 for local
    certificate files. It can parse out some of the openssl output or just dump all
    of it as text.
    
    Options:
    
      --all-info   Print all output, including boring things like Modulus and 
                   Exponent.
    
      --alt        Print Subject Alternative Names. These will be typically be 
                   additional hostnames that the certificate is valid for.
    
      --cn         Print commonName from Subject. This is typically the host for 
                   which the certificate was issued.
    
      --debug      Print additional info that might be helpful when debugging this
                   script.
    
      --end        Print certificate expiration date. For additional functionality
                   related to certificate expiration, take a look at this script:
                   "http://prefetch.net/code/ssl-cert-check".
    
      --dates      Print start and end dates of when the certificate is valid.
    
      --file       Use a local certificate file for input.
    
      --help       Print this help message.
    
      --host       Fetch the certificate from this remote host.
    
      --issuer     Print the certificate issuer.
    
      --most-info  Print almost everything. Skip boring things like Modulus and
                   Exponent.
    
      --option     Pass any openssl option through to openssl to get its raw
                   output.
    
      --port       Use this port when conneting to remote host. If ommitted, port
                   defaults to 443.
    
      --subject    Print the certificate Subject -- typically address and org name.
    
    Examples:
    
      1. Print a list of all hostnames that the certificate used by amazon.com 
         is valid for.
    
         ssl-cert-info --host amazon.com --alt
         DNS:uedata.amazon.com
         DNS:amazon.com
         DNS:amzn.com
         DNS:www.amzn.com
         DNS:www.amazon.com
    
      2. Print issuer of certificate used by smtp.gmail.com. Fetch certficate info
         over port 465.
    
         ssl-cert-info --host smtp.gmail.com --port 465 --issuer
         issuer= 
             countryName               = US
             organizationName          = Google Inc
             commonName                = Google Internet Authority G2
    
      3. Print valid dates for the certificate, using a local file as the source of 
         certificate data. Dates are formatted using the date command and display
         time in your local timezone instead of GMT.
    
         ssl-cert-info --file /path/to/file.crt --dates
         valid from: 2014-02-04 16:00:00 PST
         valid till: 2017-02-04 15:59:59 PST
    
    
      4. Print certificate serial number. This script doesn't have a special option
         to parse out the serial number, so will use the generic --option flag to
         pass '-serial' through to openssl.
    
         ssl-cert-info --host gmail.com --option -serial
         serial=4BF004B4DDC9C2F8
    

    You can get the script here: https://web.archive.org/web/20190528035412/http://giantdorks.org/alain/shell-script-to-check-ssl-certificate-info-like-expiration-date-and-subject/

    • 4
  10. Sergio Rua
    2017-07-28T07:58:29+08:00
    nmap -sV -sC google.com -p 443
    
    • 3
