Fetching SSL certificate details from the command line

There are a number of different ways to obtain information about an SSL certificate from the command line. Two common options are:

OpenSSL client

To use the OpenSSL client to obtain certificate details, run the following command in a terminal session:

openssl s_client -showcerts -connect duckduckgo.com:443

This should output a lengthy description, including the certificate chain, certificate, and more.

Nmap

Nmap (“Network Mapper”) can also be used to obtain SSL certificate information. Enter the following:

nmap -p 443 --script ssl-cert duckduckgo.com

This runs a scan returning the state of this port, and outputs details about the certificate including its issuer, type, and expiration date.

Nmap scan report for duckduckgo.com (52.250.42.157)
Host is up (0.020s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=*.duckduckgo.com/organizationName=Duck Duck Go, Inc./stateOrProvinceName=Pennsylvania/countryName=US
| Subject Alternative Name: DNS:*.duckduckgo.com, DNS:duckduckgo.com
| Issuer: commonName=DigiCert SHA2 Secure Server CA/organizationName=DigiCert Inc/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-08-09T00:00:00
| Not valid after:  2020-10-30T12:00:00
| MD5:   a0be 987e a6bc 8a3a 6672 4109 50a9 19f5
|_SHA-1: 35c8 7b6a e65e 22fb 4d71 cae1 efed 4db4 6346 80d6

These tools do more–especially Nmap–so it is worth experimenting with different commands and options.

Links

Nmap has a lengthy man page (man nmap), and here is online documentation for both tools:

• Nmap
• OpenSSL