Viewing Remote SSL Certificate Info

One of our duties at work is monitoring and renewing SSL certificates for customer services. Now that publicly trusted certificates are limited to about a year of validity (398 days), renewals are a regular occurrence. We also like to verify which TLS versions and which subject alternative names a given service supports. This script helps.

The script requires that the openssl and curl utilities are available in your shell environment. OpenSSL 1.1.1 and newer accept the x509 -ext option, which prints a single named extension. Earlier releases have no such filter, so on those the script falls back to the full -text dump and sends you far more information than you need.

The script also requires that the remote service be reachable over HTTPS. It could be adapted to check certificates on database or mail servers (openssl s_client has a -starttls option for protocols that negotiate TLS after connecting, and the curl-based TLS-version probe would need a different client), but so far I have had little interest in doing so.

#!/bin/bash
#
# usage: certificate-info remote.host.name [port]
#
if [ -z "$1" ]; then
  echo "usage: $(basename "$0") remote.host.name [port]" >&2
  exit 1
fi
REMHOST=$1
REMPORT=${2:-443}

# openssl 1.1.1 and newer can display subjectAltName on its own using
# the x509 -ext option; earlier versions will only give the alternative
# names as part of the full text listing.
VERS=$(openssl version -v |\
       awk '{print $2}' |\
       grep -o '^[0-9]\+\.[0-9]\+\.[0-9]\+')
CURL="curl -s -I"

case "$VERS" in
  3\.*|1\.1\.[1-9])
    DISPLAYOPTS="-subject -issuer -dates -ext subjectAltName"
    ;;
  *)
    DISPLAYOPTS="-text"
    ;;
esac

# -servername sends the hostname in SNI, so a name-based virtual host
# returns its own certificate instead of the server's default one.
# s_client prints only the leaf certificate by default, which is the
# one we want to inspect.
echo |\
openssl s_client -connect "${REMHOST}:${REMPORT}" -servername "$REMHOST" 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |\
openssl x509 -noout $DISPLAYOPTS

# Succeed only if the service completes a handshake with exactly TLS
# version $1, by pinning both the lowest and the highest version curl
# may offer. The port is passed along so a non-443 service is probed
# on the same port the certificate came from. A failure means either
# the server refuses that version or the local curl/TLS library will
# not speak it, so the reported minimum is really the lowest version
# both sides accept.
speaks_tls() {
  $CURL --tlsv"$1" --tls-max "$1" "https://${REMHOST}:${REMPORT}/" >/dev/null 2>&1
}

echo
echo "TLS versions for $REMHOST"
echo -n "- Minimum: "
MIN=""
for V in "1.0" "1.1" "1.2" "1.3"; do
  if speaks_tls "$V"; then
    MIN=$V
    break
  fi
done
echo "${MIN:-none}"

echo -n "- Maximum: "
MAX=""
for V in "1.3" "1.2" "1.1" "1.0"; do
  if speaks_tls "$V"; then
    MAX=$V
    break
  fi
done
echo "${MAX:-none}"
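The two things I actually act on from this script's output are the alternative names and the expiry date, and both can be pulled from a saved certificate without the -ext option that older OpenSSL lacks. The following is an added example, not part of the original script: it filters the subjectAltName line out of the plain -text dump with awk (which works on OpenSSL 1.0 as well), and uses x509 -checkend to answer "does this expire within N days", which is what a renewal monitor needs. The self-signed certificate it builds is constructed test input (hostnames example.test and www.example.test are made up); generating it with -addext assumes OpenSSL 1.1.1 or newer, but the two check functions themselves do not.

```bash
#!/bin/bash
# Added example; not from the original post. Operates on a PEM file so it
# runs offline. To use it on a live service, save the certificate first:
#   echo | openssl s_client -connect host:443 -servername host 2>/dev/null \
#     | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem

# Print the subjectAltName entries of a PEM certificate on one line, e.g.
# "DNS:example.test, DNS:www.example.test". Only -text is used, which every
# OpenSSL release understands, so this does not depend on -ext.
sans_from_pem() {
  openssl x509 -noout -text -in "$1" |
    awk '/X509v3 Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Return 0 if the certificate expires within the next N days, 1 otherwise.
# x509 -checkend takes a number of seconds and exits nonzero when the
# certificate will have expired by then.
cert_expires_within_days() {
  local pem="$1" days="$2"
  if openssl x509 -noout -checkend $(( days * 86400 )) -in "$pem" >/dev/null; then
    return 1   # still valid at that point
  else
    return 0   # already expired, or expires inside the window
  fi
}

# Build a throwaway self-signed certificate (constructed test input) that
# is valid for 30 days and carries two SAN entries. -addext needs 1.1.1+.
make_test_cert() {
  local dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=example.test" \
    -addext "subjectAltName=DNS:example.test,DNS:www.example.test" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Demonstration on the constructed certificate.
tmp=$(mktemp -d)
make_test_cert "$tmp"
echo "SANs: $(sans_from_pem "$tmp/cert.pem")"
for d in 7 60; do
  if cert_expires_within_days "$tmp/cert.pem" "$d"; then
    echo "expires within $d days: yes"
  else
    echo "expires within $d days: no"
  fi
done
rm -rf "$tmp"
```

Because -checkend reports "will expire" rather than a date, the renewal threshold lives in the caller, and the exit status can drive a cron job or alert directly without any date arithmetic, which also sidesteps the GNU-versus-BSD differences in the date command.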