Displaying a remote SSL certificate details using CLI tools

Question

In Chrome, clicking on the green HTTPS lock icon opens a window with the certificate details:

When I tried the same with cURL, I got only some of the information:

$ curl -vvI https://gnupg.org * Rebuilt URL to: https://gnupg.org/ * Hostname was NOT found in DNS cache * Trying 217.69.76.60... * Connected to gnupg.org (217.69.76.60) port 443 (#0) * TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA * Server certificate: gnupg.org * Server certificate: Gandi Standard SSL CA * Server certificate: UTN-USERFirst-Hardware > HEAD / HTTP/1.1 > User-Agent: curl/7.37.1 > Host: gnupg.org > Accept: */* 

Any idea how to get the full certificate information form a command line tool (cURL or other)?

Answer 1

You should be able to use OpenSSL for your purpose:

echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text 

That command connects to the desired website and pipes the certificate in PEM format on to another openssl command that reads and parses the details.

(Note that "redundant" -servername parameter is necessary to make openssl do a request with SNI support.)

Answer 2

Basic certificate info

That's my everyday script:

curl --insecure -vvI https://www.example.com 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }' 

Output:

* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 * ALPN, server accepted to use h2 * Server certificate: * subject: C=US; ST=California; L=Los Angeles; O=Verizon Digital Media Services, Inc.; CN=www.example.org * start date: Dec 10 00:00:00 2021 GMT * expire date: Dec 9 23:59:59 2022 GMT * issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1 * SSL certificate verify ok. * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Using Stream ID: 1 (easy handle 0x5588e1f5ae30) * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * old SSL session ID is stale, removing * Connection state changed (MAX_CONCURRENT_STREAMS == 100)! * Connection #0 to host www.example.com left intact 

Full certificate info

openssl s_client -connect www.example.com:443 </dev/null 2>/dev/null | openssl x509 -inform pem -text 

Answer 3

nmap -p 443 --script ssl-cert gnupg.org 

The -p 443 specifies to scan port 443 only. All ports will be scanned if it is omitted, and the certificate details for any SSL service that is found will be displayed. The --script ssl-cert tells the Nmap scripting engine to run only the ssl-cert script. From the doc, this script "(r)etrieves a server's SSL certificate. The amount of information printed about the certificate depends on the verbosity level."

Sample output:

Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-01 13:35 PDT Nmap scan report for gnupg.org (217.69.76.60) Host is up (0.16s latency). Other addresses for gnupg.org (not scanned): (null) rDNS record for 217.69.76.60: www.gnupg.org PORT STATE SERVICE 443/tcp open https | ssl-cert: Subject: commonName=gnupg.org | Subject Alternative Name: DNS:gnupg.org, DNS:www.gnupg.org | Issuer: commonName=Gandi Standard SSL CA 2/organizationName=Gandi/stateOrProvinceName=Paris/countryName=FR | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2015-12-21T00:00:00 | Not valid after: 2018-03-19T23:59:59 | MD5: c3a7 e0ed 388f 87cb ec7f fd3e 71f2 1c3e |_SHA-1: 5196 ecf5 7aed 139f a511 735b bfb5 7534 df63 41ba Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds 

Answer 4

Depends on what kind of information you want, but:

openssl s_client -showcerts -connect gnupg.org:443 

should give you most, although not as nicely human readable like Chrome presents it.

Answer 5

For completeness: if you have installed on your system Java 7 or higher

 keytool -printcert -sslserver $host[:$port] 

shows the chain (as served) with nearly all details in a mostly rather ugly format.

Whether you should have Java installed on your system I do not answer.

Answer 6

If you want to do this in Windows you can use PowerShell with the following function:

function Retrieve-ServerCertFromSocket ($hostname, $port=443, $SNIHeader, [switch]$FailWithoutTrust) { if (!$SNIHeader) { $SNIHeader = $hostname } $cert = $null try { $tcpclient = new-object System.Net.Sockets.tcpclient $tcpclient.Connect($hostname,$port) #Authenticate with SSL if (!$FailWithoutTrust) { $sslstream = new-object System.Net.Security.SslStream -ArgumentList $tcpclient.GetStream(),$false, {$true} } else { $sslstream = new-object System.Net.Security.SslStream -ArgumentList $tcpclient.GetStream(),$false } $sslstream.AuthenticateAsClient($SNIHeader) $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]($sslstream.remotecertificate) } catch { throw "Failed to retrieve remote certificate from $hostname`:$port because $_" } finally { #cleanup if ($sslStream) {$sslstream.close()} if ($tcpclient) {$tcpclient.close()} } return $cert } 

This allows you to do some neat things like

#Save to file and open Retrieve-ServerCertFromSocket www.wrish.com 443 | Export-Certificate -FilePath C:\temp\test.cer ; start c:\temp\test.cer #Display the cert details Retrieve-ServerCertFromSocket www.wrish.com 443 | fl subject,*not*,Thumb*,ser* 

Answer 7

If you only want the expiry date (which isn't exactly the answer but is 9/10 what people use the Chrome cert details for), you can use:

echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -enddate

Useful for scripts etc.

c4urself@eos ~ → which ssl_expiry ssl_expiry () { echo | openssl s_client -connect ${1}:443 2> /dev/null | openssl x509 -noout -enddate } c4urself@eos ~ → ssl_expiry google.com notAfter=Jun 12 16:54:00 2018 GMT 

Answer 8

To check for SSL certificate details, I use the following command line tool ever since it's become available:

https://github.com/azet/tls_tools

It's great to double-check you have all info correct for re-issuing certs or validating existing ones, and also as few dependencies AND it requires no setup.

This is what the first few lines of the output look like:

$ ./check_certificate_chain.py gnupg.org 443 >> Certificate Chain: [+]* OU=Domain Control Validated, OU=Gandi Standard SSL, CN=gnupg.org [+]** C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA [+]*** C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware >> Certificate Information: ................................................................................ - [Subject]: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=gnupg.org - [Issuer]: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA - [Valid from]: Mar 18 00:00:00 2014 GMT - [Valid until]: Mar 18 23:59:59 2016 GMT - [Authority]: Is not a CA - [Version]: 2 - [Serial No.]: 43845251655098616578492338727643475746 - [X.509 Extension Details]: -- [x509_authorityKeyIdentifier]: keyid:B6:A8:FF:A2:A8:2F:D0:A6:CD:4B:B1:68:F3:E7:50:10:31:A7:79:21 

That output is followed by the whole certificate chain at the same level of detail.

What I like that instead of being a ssl-centric cli tool like openssl's s_client, this one tries to just do the one job we need most of the time. Of course openssl is more flexible (i.e. also checking clientcerts, imaps on odd ports, etc) - but I don't always need that.

Alternatively, if you have time to dig in & setup or appreciate more features, there's the bigger tool named sslyze (not using it since dependencies and install...)

Answer 9

Showcert

showcert is openssl for humans. (showcert has only 1% of openssl features, but covers 99% of typical needs and much easier to use)

OpenSSL hates you

# two redirections, pipe, two invokation of same binary, extra 5 options (s_client, -connect, x509, -inform, -text) # And you probably want to add one more pipe and grep to extract what you need (expiration date) from two screens of output # I forgot exact command to hack Pentagon, but it was little bit shorter openssl s_client -connect github.com:443 </dev/null 2>/dev/null | openssl x509 -inform pem -text 

Install

pip3 install showcert 

Usage

View remote HTTPS server cert (you will never forget syntax):

$ showcert github.com IP: 140.82.121.3 Names: github.com www.github.com notBefore: 2022-03-15 00:00:00 (337 days old) notAfter: 2023-03-15 23:59:59 (28 days left) Issuer: C=US O=DigiCert Inc CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1 

View remote certificate for other ports/protocols, (with auto STARTTLS support for SMTP/IMAP/POP3):

$ showcert smtp.google.com:25 IP: 66.102.1.26 Names: mx.google.com smtp.google.com aspmx.l.google.com alt1.aspmx.l.google.com alt2.aspmx.l.google.com alt3.aspmx.l.google.com alt4.aspmx.l.google.com gmail-smtp-in.l.google.com alt1.gmail-smtp-in.l.google.com alt2.gmail-smtp-in.l.google.com alt3.gmail-smtp-in.l.google.com alt4.gmail-smtp-in.l.google.com gmr-smtp-in.l.google.com alt1.gmr-smtp-in.l.google.com alt2.gmr-smtp-in.l.google.com alt3.gmr-smtp-in.l.google.com alt4.gmr-smtp-in.l.google.com mx1.smtp.goog mx2.smtp.goog mx3.smtp.goog mx4.smtp.goog aspmx2.googlemail.com aspmx3.googlemail.com aspmx4.googlemail.com aspmx5.googlemail.com gmr-mx.google.com notBefore: 2023-01-31 10:21:33 (15 days old) notAfter: 2023-04-25 10:21:32 (68 days left) Issuer: C=US O=Google Trust Services LLC CN=GTS CA 1C3 

Save gmail SMTP certificate (whole chain) in PEM format:

$ showcert --chain -o pem smtp.google.com:25 > gmail-fullchain.pem $ file gmail-fullchain.pem /tmp/gmail.pem: PEM certificate 

Or you may use -o full to get openssl-style full dump (but I never really needed it).

It has other features (For example, it can warn you if any of installed LetsEncrypt certificates failed to renew and expires in N days), but main design principle: Simple things must be simple, more complex things may require additional CLI options.

Disclaimer: showcert is my hobby project, so I can be biased.

Answer 10

I use a shell script for this. It's just a wrapper around the openssl command that saves me from remembering the syntax.

It provides options for parsing out most of the certificate information I'm typically interested in, or display raw openssl output.

Can either query a local certificate file, or a remote server.

Usage:

$ ssl-cert-info --help Usage: ssl-cert-info [options] This shell script is a simple wrapper around the openssl binary. It uses s_client to get certificate information from remote hosts, or x509 for local certificate files. It can parse out some of the openssl output or just dump all of it as text. Options: --all-info Print all output, including boring things like Modulus and Exponent. --alt Print Subject Alternative Names. These will be typically be additional hostnames that the certificate is valid for. --cn Print commonName from Subject. This is typically the host for which the certificate was issued. --debug Print additional info that might be helpful when debugging this script. --end Print certificate expiration date. For additional functionality related to certificate expiration, take a look at this script: "http://prefetch.net/code/ssl-cert-check". --dates Print start and end dates of when the certificate is valid. --file Use a local certificate file for input. --help Print this help message. --host Fetch the certificate from this remote host. --issuer Print the certificate issuer. --most-info Print almost everything. Skip boring things like Modulus and Exponent. --option Pass any openssl option through to openssl to get its raw output. --port Use this port when conneting to remote host. If ommitted, port defaults to 443. --subject Print the certificate Subject -- typically address and org name. Examples: 1. Print a list of all hostnames that the certificate used by amazon.com is valid for. ssl-cert-info --host amazon.com --alt DNS:uedata.amazon.com DNS:amazon.com DNS:amzn.com DNS:www.amzn.com DNS:www.amazon.com 2. Print issuer of certificate used by smtp.gmail.com. Fetch certficate info over port 465. ssl-cert-info --host smtp.gmail.com --port 465 --issuer issuer= countryName = US organizationName = Google Inc commonName = Google Internet Authority G2 3. Print valid dates for the certificate, using a local file as the source of certificate data. Dates are formatted using the date command and display time in your local timezone instead of GMT. ssl-cert-info --file /path/to/file.crt --dates valid from: 2014-02-04 16:00:00 PST valid till: 2017-02-04 15:59:59 PST 4. Print certificate serial number. This script doesn't have a special option to parse out the serial number, so will use the generic --option flag to pass '-serial' through to openssl. ssl-cert-info --host gmail.com --option -serial serial=4BF004B4DDC9C2F8 

You can get the script here: https://web.archive.org/web/20190528035412/http://giantdorks.org/alain/shell-script-to-check-ssl-certificate-info-like-expiration-date-and-subject/

Answer 11

For anyone using curl 7.88.0 or greater, there is a new option as explained in https://daniel.haxx.se/blog/2022/12/28/curl-w-certs/

curl -w %{certs} https://www.example.com/ --silent -o /dev/null 

which returns something like:

Subject:C=US, ST=California, L=Los Angeles, O=Internet┬ιCorporation┬ιfor┬ιAssigned┬ιNames┬ιand┬ιNumbers, CN=www.example.org Issuer:C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1 Version:2 Serial Number:07:5b:ce:f3:06:89:c8:ad:df:13:e5:1a:f4:af:e1:87: Signature Algorithm:sha256WithRSAEncryption Start Date:2024-01-30 00:00:00 GMT Expire Date:2025-03-01 23:59:59 GMT ... Signature:04:e1:6e:02:... -----BEGIN CERTIFICATE----- MIIHbjCCBlagAw... ... -----END CERTIFICATE----- ... 

So if you are only interested in start and expire date:

curl -w %{certs} https://www.example.com/ --silent -o /dev/null | grep -Ei "^(start|expire) date:" | head -n 2 

which returns:

Start Date:2024-01-30 00:00:00 GMT Expire Date:2025-03-01 23:59:59 GMT 

Answer 12

nmap -sV -sC google.com -p 443 

Answer 13

You can also try the gnutls-cli tool from https://www.gnutls.org/:

echo | gnutls-cli serverfault.com 

The echo | is there to make gnutls-cli exit quickly, instead of waiting for input from stdin.

If you need the raw certificate data (in PEM format), add --print-cert.

Answer 14

I came across this question and noticed I had answered something similar here: https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server/68277430#68277430

I also had the same challenge and next to that I discovered that openssl doesn't return the root ca. I have built an alternative for specifically for this purpose which might be useful for other developers, see here: GitHub - Certificate ripper

Command

crip print -u=https://gnupg.org 

Output

Certificates for url = https://gnupg.org [ [ Version: V3 Subject: CN=gnupg.org Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits params: null modulus: 31584528901574007750301020287561448010695338445786656836820202222425310660293397103661612041262534815824710633384445406661552999674139683313292182907220124973641103147823211675629863952189464092250334775320079482164648964670152919444386631405421166704969790376810530092741753755204051610269112728244627288812180893123949732920362020211922819834221347165888182335229776214076417362141617456849548559339712503046241890787857054712025639768795686815610181667002438461217925898165006378013013126800098621764184263923324590864316888475244387674964001095520567493168508649309644487636171722874605322088933794460410194036701 public exponent: 65537 Validity: [From: Sat Mar 05 01:55:18 CET 2022, To: Fri Jun 03 02:55:17 CEST 2022] Issuer: CN=R3, O=Let's Encrypt, C=US SerialNumber: [ 04b186e2 062aebcc b4c9ae1b 10c1777c c520] Certificate Extensions: 9 [1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false Extension unknown: DER encoded OCTET string = 0000: 04 81 F5 04 81 F2 00 F0 00 76 00 DF A5 5E AB 68 .........v...^.h 0010: 82 4F 1F 6C AD EE B8 5F 4E 3E 5A EA CD A2 12 A4 .O.l..._N>Z..... 0020: 6A 5E 8E 3B 12 C0 20 44 5C 2A 73 00 00 01 7F 57 j^.;.. D\*s....W 0030: C9 D0 37 00 00 04 03 00 47 30 45 02 21 00 92 05 ..7.....G0E.!... 0040: 73 F3 19 12 C5 C3 0B 97 95 B3 C4 3B 65 46 C5 6C s..........;eF.l 0050: 60 C4 61 52 77 0D 8C D7 CD 96 DE 82 87 B9 02 20 `.aRw.......... 0060: 64 48 71 14 C4 11 95 3C 68 13 91 46 4F 72 77 01 dHq....<h..FOrw. 0070: FB 7F C8 8B 59 96 BD 2C 4B EA 51 61 8C 29 34 6A ....Y..,K.Qa.)4j 0080: 00 76 00 29 79 BE F0 9E 39 39 21 F0 56 73 9F 63 .v.)y...99!.Vs.c 0090: A5 77 E5 BE 57 7D 9C 60 0A F8 F9 4D 5D 26 5C 25 .w..W..`...M]&\% 00A0: 5D C7 84 00 00 01 7F 57 C9 D0 27 00 00 04 03 00 ]......W..'..... 00B0: 47 30 45 02 21 00 BD 4F C9 94 6A 0C 57 0F DF D8 G0E.!..O..j.W... 00C0: 10 8A 0C 09 35 31 30 AF CE B6 8E B8 00 BC 4F 46 ....510.......OF 00D0: 56 91 C1 83 AF 20 02 20 3C 61 37 B3 09 AF EF 40 V.... . <a7....@ 00E0: 22 F7 43 1F 46 07 EE AA FC 3D A4 0E 3A 60 A5 E1 ".C.F....=..:`.. 00F0: 95 E3 0B B3 30 0D 7E 78 ....0..x [2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false AuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://r3.o.lencr.org , accessMethod: caIssuers accessLocation: URIName: http://r3.i.lencr.org/ ] ] [3]: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: 14 2E B3 17 B7 58 56 CB AE 50 09 40 E6 1F AF 9D .....XV..P.@.... 0010: 8B 14 C2 C6 .... ] ] [4]: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:false PathLen: undefined ] [5]: ObjectId: 2.5.29.32 Criticality=false CertificatePolicies [ [CertificatePolicyId: [2.23.140.1.2.1] [] ] [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1] [PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 1A 68 74 74 70 3A 2F 2F 63 70 73 2E 6C 65 74 ..http://cps.let 0010: 73 65 6E 63 72 79 70 74 2E 6F 72 67 sencrypt.org ]] ] ] [6]: ObjectId: 2.5.29.37 Criticality=false ExtendedKeyUsages [ serverAuth clientAuth ] [7]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ DigitalSignature Key_Encipherment ] [8]: ObjectId: 2.5.29.17 Criticality=false SubjectAlternativeName [ DNSName: gnupg.org DNSName: www.gnupg.org ] [9]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 02 99 E2 B9 65 0A 77 F2 E5 9A 73 CE 9C 55 AF 7F ....e.w...s..U.. 0010: 5B AE BE 65 [..e ] ] ] Algorithm: [SHA256withRSA] Signature: 0000: 31 75 50 29 45 66 2B FA 52 F4 85 C3 E7 62 5F 09 1uP)Ef+.R....b_. 0010: 8C A9 18 3C 8E 4F 5A 4A B2 B8 65 05 E0 2D 62 51 ...<.OZJ..e..-bQ 0020: 15 91 A2 78 A3 2A B6 B8 1F FD C8 D7 75 D2 98 E1 ...x.*......u... 0030: 2E 87 43 24 0C 38 60 E8 73 76 6C E4 7F 6C 3A DF ..C$.8`.svl..l:. 0040: 56 5D AB DB B8 7F F7 F3 6C 43 AA CA A3 97 BF 32 V]......lC.....2 0050: D1 8C 20 D1 85 EB 43 DA 82 A9 08 DA 6C 2C CB CC .. ...C.....l,.. 0060: 75 8C D6 E8 A1 EA DF 82 E9 0C 33 B7 C9 0E 59 14 u.........3...Y. 0070: 9F 6D 4E 7E 6F BF 6B A9 F6 4C 82 19 48 9A 6F 8B .mN.o.k..L..H.o. 0080: BE E7 F7 80 6F F6 15 AD 56 11 1C F1 7E C1 F4 CF ....o...V....... 0090: C4 B7 5F C7 9F C0 0E 5A 47 46 AB FE 39 F3 7C 37 .._....ZGF..9..7 00A0: 2D 90 DE B5 5F F9 DE 51 E4 29 6F CA 6E C6 7A 21 -..._..Q.)o.n.z! 00B0: 00 3F 66 D0 24 06 77 73 5C 47 AD 4F D9 87 C7 FF .?f.$.ws\G.O.... 00C0: 93 0C 1B 27 A8 6D 53 DF AC EF A3 54 C7 84 46 8F ...'.mS....T..F. 00D0: EF BD 80 71 FD A4 6F 6B 06 37 9C 0A 96 14 16 04 ...q..ok.7...... 00E0: F2 66 B5 80 D0 53 2C 73 3B 36 EE DC DE 59 37 52 .f...S,s;6...Y7R 00F0: 37 DA E6 A9 BA 83 A3 1D EF B7 DC 1E 00 91 15 B3 7............... ] ========== NEXT CERTIFICATE FOR https://gnupg.org ========== [ [ Version: V3 Subject: CN=R3, O=Let's Encrypt, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits params: null modulus: 23607590023527405233483514815960094733025362836439268915823566209453533788829410729612693188664033965601284889382200672291623712219351579442466292134025779170871903029675641332227720513370499414392174777629378433333281492782006644003508406669842374574620445942041275265465205367002253387972103578862358103547035353751037986892891938939537013712276962031758303128178118156019997818459064793797705051611931042977322694991611263911077235433119719504206173897534215486225391156231168313218127765624386188467360149426877213161912342004781300247624712380387337803861727744706241919394251136381590874774264144198228326996757 public exponent: 65537 Validity: [From: Fri Sep 04 02:00:00 CEST 2020, To: Mon Sep 15 18:00:00 CEST 2025] Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US SerialNumber: [ 912b084a cf0c18a7 53f6d62e 25a75f5a] Certificate Extensions: 8 [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false AuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: http://x1.i.lencr.org/ ] ] [2]: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: 79 B4 59 E6 7B B6 E5 E4 01 73 80 08 88 C8 1A 58 y.Y......s.....X 0010: F6 E9 9B 6E ...n ] ] [3]: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:0 ] [4]: ObjectId: 2.5.29.31 Criticality=false CRLDistributionPoints [ [DistributionPoint: [URIName: http://x1.c.lencr.org/] ]] [5]: ObjectId: 2.5.29.32 Criticality=false CertificatePolicies [ [CertificatePolicyId: [2.23.140.1.2.1] [] ] [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1] [] ] ] [6]: ObjectId: 2.5.29.37 Criticality=false ExtendedKeyUsages [ clientAuth serverAuth ] [7]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ DigitalSignature Key_CertSign Crl_Sign ] [8]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 14 2E B3 17 B7 58 56 CB AE 50 09 40 E6 1F AF 9D .....XV..P.@.... 0010: 8B 14 C2 C6 .... ] ] ] Algorithm: [SHA256withRSA] Signature: 0000: 85 CA 4E 47 3E A3 F7 85 44 85 BC D5 67 78 B2 98 ..NG>...D...gx.. 0010: 63 AD 75 4D 1E 96 3D 33 65 72 54 2D 81 A0 EA C3 c.uM..=3erT-.... 0020: ED F8 20 BF 5F CC B7 70 00 B7 6E 3B F6 5E 94 DE .. ._..p..n;.^.. 0030: E4 20 9F A6 EF 8B B2 03 E7 A2 B5 16 3C 91 CE B4 . ..........<... 0040: ED 39 02 E7 7C 25 8A 47 E6 65 6E 3F 46 F4 D9 F0 .9...%.G.en?F... 0050: CE 94 2B EE 54 CE 12 BC 8C 27 4B B8 C1 98 2F A2 ..+.T....'K.../. 0060: AF CD 71 91 4A 08 B7 C8 B8 23 7B 04 2D 08 F9 08 ..q.J....#..-... 0070: 57 3E 83 D9 04 33 0A 47 21 78 09 82 27 C3 2A C8 W>...3.G!x..'.*. 0080: 9B B9 CE 5C F2 64 C8 C0 BE 79 C0 4F 8E 6D 44 0C ...\.d...y.O.mD. 0090: 5E 92 BB 2E F7 8B 10 E1 E8 1D 44 29 DB 59 20 ED ^.........D).Y . 00A0: 63 B9 21 F8 12 26 94 93 57 A0 1D 65 04 C1 0A 22 c.!..&..W..e..." 00B0: AE 10 0D 43 97 A1 18 1F 7E E0 E0 86 37 B5 5A B1 ...C........7.Z. 00C0: BD 30 BF 87 6E 2B 2A FF 21 4E 1B 05 C3 F5 18 97 .0..n+*.!N...... 00D0: F0 5E AC C3 A5 B8 6A F0 2E BC 3B 33 B9 EE 4B DE .^....j...;3..K. 00E0: CC FC E4 AF 84 0B 86 3F C0 55 43 36 F6 68 E1 36 .......?.UC6.h.6 00F0: 17 6A 8E 99 D1 FF A5 40 A7 34 B7 C0 D0 63 39 35 [email protected] 0100: 39 75 6E F2 BA 76 C8 93 02 E9 A9 4B 6C 17 CE 0C 9un..v.....Kl... 0110: 02 D9 BD 81 FB 9F B7 68 D4 06 65 B3 82 3D 77 53 .......h..e..=wS 0120: F8 8E 79 03 AD 0A 31 07 75 2A 43 D8 55 97 72 C4 ..y...1.u*C.U.r. 0130: 29 0E F7 C4 5D 4E C8 AE 46 84 30 D7 F2 85 5F 18 )...]N..F.0..._. 0140: A1 79 BB E7 5E 70 8B 07 E1 86 93 C3 B9 8F DC 61 .y..^p.........a 0150: 71 25 2A AF DF ED 25 50 52 68 8B 92 DC E5 D6 B5 q%*...%PRh...... 0160: E3 DA 7D D0 87 6C 84 21 31 AE 82 F5 FB B9 AB C8 .....l.!1....... 0170: 89 17 3D E1 4C E5 38 0E F6 BD 2B BD 96 81 14 EB ..=.L.8...+..... 0180: D5 DB 3D 20 A7 7E 59 D3 E2 F8 58 F9 5B B8 48 CD ..= ..Y...X.[.H. 0190: FE 5C 4F 16 29 FE 1E 55 23 AF C8 11 B0 8D EA 7C .\O.)..U#....... 01A0: 93 90 17 2F FD AC A2 09 47 46 3F F0 E9 B0 B7 FF .../....GF?..... 01B0: 28 4D 68 32 D6 67 5E 1E 69 A3 93 B8 F5 9D 8B 2F (Mh2.g^.i....../ 01C0: 0B D2 52 43 A6 6F 32 57 65 4D 32 81 DF 38 53 85 ..RC.o2WeM2..8S. 01D0: 5D 7E 5D 66 29 EA B8 DD E4 95 B5 CD B5 56 12 42 ].]f)........V.B 01E0: CD C4 4E C6 25 38 44 50 6D EC CE 00 55 18 FE E9 ..N.%8DPm...U... 01F0: 49 64 D4 4E CA 97 9C B4 5B C0 73 A8 AB B8 47 C2 Id.N....[.s...G. ] ========== NEXT CERTIFICATE FOR https://gnupg.org ========== [ [ Version: V3 Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 4096 bits params: null modulus: 709477870415445373015359016562426660610553770685944520893298396600226760899977879191004898543350831842119174188613678136510262472550532722234131754439181090009824131001234702144200501816519311599904090606194984753842587622398776018408050245574116028550608708896478977104703101364577377554823893350339376892984086676842821506637376561471221178677513035811884589888230947855482554780924844280661412982827405878164907670403886160896655313460186264922042760067692235383478494519985672059698752915965998412445946254227413232257276525240006651483130792248112417425846451951438781260632137645358927568158361961710185115502577127010922344394993078948994750404287047493247048147066090211292167313905862438457453781042040498702821432013765502024105065778257759178356925494156447570322373310256999609083201778278588599854706241788119448943034477370959349516873162063461521707809689839710972753590949570167489887658749686740890549110678989462474318310617765270337415238713770800711236563610171101328052424145478220993016515262478543813796899677215192789612682845145008993144513547444131126029557147570005369943143213525671105288817016183804256755470528641042403865830064493168693765438364296560479053823886598989258655438933191724193029337334607 public exponent: 65537 Validity: [From: Wed Jan 20 20:14:03 CET 2021, To: Mon Sep 30 20:14:03 CEST 2024] Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co. SerialNumber: [ 40017721 37d4e942 b8ee76aa 3c640ab7] Certificate Extensions: 7 [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false AuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: http://apps.identrust.com/roots/dstrootcax3.p7c ] ] [2]: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: C4 A7 B1 A4 7B 2C 71 FA DB E1 4B 90 75 FF C4 15 .....,q...K.u... 0010: 60 85 89 10 `... ] ] [3]: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:2147483647 ] [4]: ObjectId: 2.5.29.31 Criticality=false CRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl] ]] [5]: ObjectId: 2.5.29.32 Criticality=false CertificatePolicies [ [CertificatePolicyId: [2.23.140.1.2.1] [] ] [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1] [PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 22 68 74 74 70 3A 2F 2F 63 70 73 2E 72 6F 6F ."http://cps.roo 0010: 74 2D 78 31 2E 6C 65 74 73 65 6E 63 72 79 70 74 t-x1.letsencrypt 0020: 2E 6F 72 67 .org ]] ] ] [6]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ Key_CertSign Crl_Sign ] [7]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 79 B4 59 E6 7B B6 E5 E4 01 73 80 08 88 C8 1A 58 y.Y......s.....X 0010: F6 E9 9B 6E ...n ] ] ] Algorithm: [SHA256withRSA] Signature: 0000: 0A 73 00 6C 96 6E FF 0E 52 D0 AE DD 8C E7 5A 06 .s.l.n..R.....Z. 0010: AD 2F A8 E3 8F BF C9 0A 03 15 50 C2 E5 6C 42 BB ./........P..lB. 0020: 6F 9B F4 B4 4F C2 44 88 08 75 CC EB 07 9B 14 62 o...O.D..u.....b 0030: 6E 78 DE EC 27 BA 39 5C F5 A2 A1 6E 56 94 70 10 nx..'.9\...nV.p. 0040: 53 B1 BB E4 AF D0 A2 C3 2B 01 D4 96 F4 C5 20 35 S.......+..... 5 0050: 33 F9 D8 61 36 E0 71 8D B4 B8 B5 AA 82 45 95 C0 3..a6.q......E.. 0060: F2 A9 23 28 E7 D6 A1 CB 67 08 DA A0 43 2C AA 1B ..#(....g...C,.. 0070: 93 1F C9 DE F5 AB 69 5D 13 F5 5B 86 58 22 CA 4D ......i]..[.X".M 0080: 55 E4 70 67 6D C2 57 C5 46 39 41 CF 8A 58 83 58 U.pgm.W.F9A..X.X 0090: 6D 99 FE 57 E8 36 0E F0 0E 23 AA FD 88 97 D0 E3 m..W.6...#...... 00A0: 5C 0E 94 49 B5 B5 17 35 D2 2E BF 4E 85 EF 18 E0 \..I...5...N.... 00B0: 85 92 EB 06 3B 6C 29 23 09 60 DC 45 02 4C 12 18 ....;l)#.`.E.L.. 00C0: 3B E9 FB 0E DE DC 44 F8 58 98 AE EA BD 45 45 A1 ;.....D.X....EE. 00D0: 88 5D 66 CA FE 10 E9 6F 82 C8 11 42 0D FB E9 EC .]f....o...B.... 00E0: E3 86 00 DE 9D 10 E3 38 FA A4 7D B1 D8 E8 49 82 .......8......I. 00F0: 84 06 9B 2B E8 6B 4F 01 0C 38 77 2E F9 DD E7 39 ...+.kO..8w....9 ] ========== NEXT CERTIFICATE FOR https://gnupg.org ========== [ [ Version: V3 Subject: CN=DST Root CA X3, O=Digital Signature Trust Co. Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 2048 bits params: null modulus: 28237887677026032203151777657129561581522073060401233851894187952595640780665579499663841407267510759260214748789212535957135845654219821366017427323985352100172211628961551647178765278465245040619994286316630852210928184346090961906367138096715766033171261107313432772299467819936678634109708967378829013418649505942485529500580167736159568208924601034682852941882633722952597854385181938557682865139545636282689862459897027632511916072421459210380987954549724536623494064393973052186448977570989493998685404014473715688796607543139914669307234440905936555495044671225489918726010863829142065064843131427399159251549 public exponent: 65537 Validity: [From: Sat Sep 30 23:12:19 CEST 2000, To: Thu Sep 30 16:01:15 CEST 2021] Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co. SerialNumber: [ 44afb080 d6a327ba 89303986 2ef8406b] Certificate Extensions: 3 [1]: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:2147483647 ] [2]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ Key_CertSign Crl_Sign ] [3]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: C4 A7 B1 A4 7B 2C 71 FA DB E1 4B 90 75 FF C4 15 .....,q...K.u... 0010: 60 85 89 10 `... ] ] ] Algorithm: [SHA1withRSA] Signature: 0000: A3 1A 2C 9B 17 00 5C A9 1E EE 28 66 37 3A BF 83 ..,...\...(f7:.. 0010: C7 3F 4B C3 09 A0 95 20 5D E3 D9 59 44 D2 3E 0D .?K.... ]..YD.>. 0020: 3E BD 8A 4B A0 74 1F CE 10 82 9C 74 1A 1D 7E 98 >..K.t.....t.... 0030: 1A DD CB 13 4B B3 20 44 E4 91 E9 CC FC 7D A5 DB ....K. D........ 0040: 6A E5 FE E6 FD E0 4E DD B7 00 3A B5 70 49 AF F2 j.....N...:.pI.. 0050: E5 EB 02 F1 D1 02 8B 19 CB 94 3A 5E 48 C4 18 1E ..........:^H... 0060: 58 19 5F 1E 02 5A F0 0C F1 B1 AD A9 DC 59 86 8B X._..Z.......Y.. 0070: 6E E9 91 F5 86 CA FA B9 66 33 AA 59 5B CE E2 A7 n.......f3.Y[... 0080: 16 73 47 CB 2B CC 99 B0 37 48 CF E3 56 4B F5 CF .sG.+...7H..VK.. 0090: 0F 0C 72 32 87 C6 F0 44 BB 53 72 6D 43 F5 26 48 ..r2...D.SrmC.&H 00A0: 9A 52 67 B7 58 AB FE 67 76 71 78 DB 0D A2 56 14 .Rg.X..gvqx...V. 00B0: 13 39 24 31 85 A2 A8 02 5A 30 47 E1 DD 50 07 BC .9$1....Z0G..P.. 00C0: 02 09 90 00 EB 64 63 60 9B 16 BC 88 C9 12 E6 D2 .....dc`........ 00D0: 7D 91 8B F9 3D 32 8D 65 B4 E9 7C B1 57 76 EA C5 ....=2.e....Wv.. 00E0: B6 28 39 BF 15 65 1C C8 F6 77 96 6A 0A 8D 77 0B .(9..e...w.j..w. 00F0: D8 91 0B 04 8E 07 DB 29 B6 0A EE 9D 82 35 35 10 .......).....55. ] 

Answer 15

I'm using some weird script to do this:

date --date="$(curl --insecure -vvI https://v1.d13.ovh 2>&1 | grep "expire date" | awk '{print $4,$5,$6,$7,$8,$9}')" +%s 

Answer 16

In addition to @jpbochi answer:

$ gnutls-cli --print-cert serverfault.com < /dev/null | openssl x509 -inform pem -noout -text -dates 

Output

Certificate: Data: Version: 3 (0x2) Serial Number: 03:67:98:53:7f:1f:64:c2:2c:8f:57:d8:17:96:01:e8:6d:30 Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = Let's Encrypt, CN = R3 Validity Not Before: May 8 13:13:04 2022 GMT Not After : Aug 6 13:13:03 2022 GMT Subject: CN = *.stackexchange.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ad:46:73:ad:d6:1d:be:56:a0:aa:bf:1d:a6:e0: 62:ed:45:b4:d1:81:d2:aa:53:1d:de:db:48:6c:bc: 7b:37:53:3d:d2:9a:ae:50:a8:78:ae:c2:c1:c0:70: c1:c7:de:55:91:6d:d0:22:07:71:73:61:d9:a7:9c: f9:c6:6b:40:42:ce:b6:69:05:18:32:b1:34:61:40: 69:3b:88:5b:aa:33:da:8f:0f:ad:eb:c2:9f:02:92: cf:76:2e:39:8f:b9:66:a6:12:9f:34:a4:e9:13:fc: 3f:e0:53:89:e1:43:32:24:62:54:af:6e:44:57:4b: a5:6d:74:a5:ef:98:e0:42:66:13:f8:64:2b:2c:3c: 0c:54:d5:18:d8:51:60:73:db:59:9d:c5:05:b0:8f: 53:74:ec:55:e0:2f:21:0f:79:49:73:a0:d9:f0:ae: d3:17:e2:3d:50:fb:cf:d9:81:5c:23:6a:fa:ae:8f: 92:f4:42:af:95:b3:28:80:d9:db:f5:68:16:f5:eb: 2d:84:91:2a:ad:d7:9d:c4:f6:91:83:08:8e:bc:cd: 27:8c:d5:2d:ea:71:34:2d:9e:d9:fd:59:46:33:f6: b0:c4:e5:fa:a6:0b:09:6d:cb:7c:aa:de:01:b0:52: 3b:af:87:fa:b6:16:52:4a:45:54:1e:ce:4d:68:e4: d0:89 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 8F:95:08:25:6C:87:32:5C:2C:BC:C7:2D:30:1E:69:F5:26:36:BF:D7 X509v3 Authority Key Identifier: 14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.askubuntu.com, DNS:*.blogoverflow.com, DNS:*.mathoverflow.net, DNS:*.meta.stackexchange.com, DNS:*.meta.stackoverflow.com, DNS:*.serverfault.com, DNS:*.sstatic.net, DNS:*.stackexchange.com, DNS:*.stackoverflow.com, DNS:*.stackoverflow.email, DNS:*.superuser.com, DNS:askubuntu.com, DNS:blogoverflow.com, DNS:mathoverflow.net, DNS:openid.stackauth.com, DNS:serverfault.com, DNS:sstatic.net, DNS:stackapps.com, DNS:stackauth.com, DNS:stackexchange.com, DNS:stackoverflow.blog, DNS:stackoverflow.com, DNS:stackoverflow.email, DNS:stacksnippets.net, DNS:superuser.com X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : DF:A5:5E:AB:68:82:4F:1F:6C:AD:EE:B8:5F:4E:3E:5A: EA:CD:A2:12:A4:6A:5E:8E:3B:12:C0:20:44:5C:2A:73 Timestamp : May 8 14:13:04.851 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:39:CE:40:26:A2:CE:3E:80:70:EC:13:8E: 70:BF:21:33:1F:9A:17:67:6B:46:6B:DC:BC:55:57:E7: 4B:CC:5E:2C:02:20:2F:B5:07:A1:63:56:34:FB:FE:20: AC:05:62:1B:1F:FA:FD:2F:EC:2C:E9:F6:96:87:A5:B7: 85:E4:FC:C2:0B:2D Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D: 11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47 Timestamp : May 8 14:13:04.897 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:21:00:F8:AA:7D:72:B4:E2:FB:C1:E2:31:98: 83:33:AD:17:32:C8:CD:C7:E4:3B:2A:3D:61:73:AC:BC: 69:26:B4:7C:95:02:20:55:DA:0A:4C:27:E3:9B:39:96: 88:07:BF:7D:5A:B7:DC:83:E7:7D:14:AE:E8:76:28:48: A7:D5:89:47:19:B4:47 Signature Algorithm: sha256WithRSAEncryption Signature Value: a0:f9:b8:ff:b3:1e:c6:ba:e5:bd:ab:62:d5:b9:76:09:97:41: ef:69:b2:48:1a:87:f6:98:7b:03:0e:03:15:0d:50:15:9c:6c: 0d:b8:4c:34:5d:fc:a6:98:b4:40:71:48:60:d1:67:21:af:e5: da:9c:e6:35:83:c4:53:4b:8b:1a:f1:ee:54:ef:85:48:f5:c3: a5:9d:9e:69:ec:45:40:23:3b:e2:d8:2c:0d:70:58:91:a7:82: 5f:e7:5e:4b:6a:f6:ab:dc:ea:b1:12:9d:83:b2:95:79:99:ef: 4e:f4:41:9f:8e:21:49:c3:61:e0:9d:f1:e9:6a:96:b2:33:7e: 04:66:d2:29:fe:c1:a0:b8:3d:95:c2:68:28:f1:87:e3:99:cd: 18:34:89:9e:9e:99:ca:03:69:1c:7e:4d:41:90:96:2c:3e:b2: 36:d7:0c:48:b5:5f:c7:5b:93:d3:ff:35:a3:51:ff:10:af:ac: cf:7d:cd:6d:ab:5b:d6:8a:21:a5:bd:b0:24:9c:2f:bd:65:fd: 05:d6:cf:6f:a1:67:77:06:a6:54:b6:9e:0c:5e:cc:2a:28:f8: af:f0:9e:02:f8:28:f6:74:47:3f:d2:db:6a:6c:23:cf:53:61: de:eb:91:8b:42:28:e4:d6:f3:75:56:d3:41:fd:68:ed:fd:a3: 7f:14:7e:db notBefore=May 8 13:13:04 2022 GMT notAfter=Aug 6 13:13:03 2022 GMT