Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/bash
- usage()
- {
- cat <<EOF
- Usage: $(basename $0) [options]
- This shell script is a simple wrapper around the openssl binary. It uses
- s_client to get certificate information from remote hosts, or x509 for local
- certificate files. It can parse out some of the openssl output or just dump all
- of it as text.
- Options:
- --all-info Print all output, including boring things like Modulus and
- Exponent.
- --alt Print Subject Alternative Names. These will be typically be
- additional hostnames that the certificate is valid for.
- --cn Print commonName from Subject. This is typically the host for
- which the certificate was issued.
- --debug Print additional info that might be helpful when debugging this
- script.
- --end Print certificate expiration date. For additional functionality
- related to certificate expiration, take a look at this script:
- "http://prefetch.net/code/ssl-cert-check".
- --dates Print start and end dates of when the certificate is valid.
- --end_days Print days untill certifiactes expires.
- --file Use a local certificate file for input.
- --help Print this help message.
- --host Fetch the certificate from this remote host.
- --name Specify a specific domain name (Virtual Host) along with the
- request. This value will be used as the '-servername' in the
- s_client command. This is for TLS SNI (Server Name Indication).
- --issuer Print the certificate issuer.
- --most-info Print almost everything. Skip boring things like Modulus and
- Exponent.
- --option Pass any openssl option through to openssl to get its raw
- output.
- --port Use this port when conneting to remote host. If ommitted, port
- defaults to 443.
- --subject Print the certificate Subject -- typically address and org name.
- --thumbprint Prints certificate thumbprint.
- Examples:
- 1. Print a list of all hostnames that the certificate used by amazon.com
- is valid for.
- $(basename $0) --host amazon.com --alt
- DNS:uedata.amazon.com
- DNS:amazon.com
- DNS:amzn.com
- DNS:www.amzn.com
- DNS:www.amazon.com
- 2. Print issuer of certificate used by smtp.gmail.com. Fetch certficate info
- over port 465.
- $(basename $0) --host smtp.gmail.com --port 465 --issuer
- issuer=
- countryName = US
- organizationName = Google Inc
- commonName = Google Internet Authority G2
- 3. Print valid dates for the certificate, using a local file as the source of
- certificate data. Dates are formatted using the date command and display
- time in your local timezone instead of GMT.
- $(basename $0) --file /path/to/file.crt --dates
- valid from: 2014-02-04 16:00:00 PST
- valid till: 2017-02-04 15:59:59 PST
- 4. Print certificate serial number. This script doesn't have a special option
- to parse out the serial number, so will use the generic --option flag to
- pass '-serial' through to openssl.
- $(basename $0) --host gmail.com --option -serial
- serial=4BF004B4DDC9C2F8
- EOF
- }
- if ! [ -x "$(type -P openssl)" ]; then
- echo "ERROR: script requires openssl"
- echo "For Debian and friends, get it with 'apt-get install openssl'"
- exit 1
- fi
- while [ "$1" ]; do
- case "$1" in
- --file)
- shift
- crt="$1"
- source="local"
- ;;
- --host)
- shift
- host="$1"
- source="remote"
- ;;
- --port)
- shift
- port="$1"
- ;;
- --name)
- shift
- servername="-servername $1"
- ;;
- --all-info)
- opt="-text"
- ;;
- --alt)
- FormatOutput() {
- grep -A1 "Subject Alternative Name:" | tail -n1 |
- tr -d ' ' | tr ',' '\n'
- }
- ;;
- --cn)
- opt="-subject -nameopt multiline"
- FormatOutput() {
- awk '/commonName/ {print$NF}'
- }
- ;;
- --dates)
- opt="-dates"
- FormatOutput() {
- dates=$(cat -)
- start=$(grep Before <<<"$dates" | cut -d= -f2-)
- end=$(grep After <<<"$dates" | cut -d= -f2-)
- echo valid from: $(date -d "$start" '+%F %T %Z')
- echo valid till: $(date -d "$end" '+%F %T %Z')
- }
- ;;
- --end)
- opt="-enddate"
- FormatOutput() {
- read end
- end=$(cut -d= -f2- <<<"$end")
- date -d "$end" '+%F %T %Z'
- }
- ;;
- --end_days)
- opt="-enddate"
- FormatOutput() {
- read end
- end=$(cut -d= -f2- <<<"$end")
- # date -d "$end" '+%s'
- # date +'%s'
- # echo $(( $(date -d "$end" '+%s') - $(date +'%s') ))
- echo $(( ( $(date -d "$end" '+%s') - $(date +'%s') )/(60*60*24) ))
- }
- ;;
- --issuer)
- opt="-issuer -nameopt multiline"
- ;;
- --most-info)
- opt="-text -certopt no_header,no_version,no_serial,no_signame,no_pubkey,no_sigdump,no_aux"
- ;;
- --option)
- shift
- opt="$1"
- ;;
- --subject)
- opt="-subject -nameopt multiline"
- ;;
- --help)
- usage
- exit 0
- ;;
- --test)
- FormatOutput() {
- if grep -q "unable to load certificate"; then echo "false"; else echo "true"; fi
- }
- ;;
- --thumbprint)
- opt="-fingerprint"
- FormatOutput() {
- awk -F"=" '{print$2}' | sed s/://g
- }
- ;;
- --debug)
- DEBUG="yes"
- ;;
- *)
- echo "$(basename $0): invalid option $1" >&2
- echo "see --help for usage"
- exit 1
- ;;
- esac
- shift
- done
- CheckLocalCert()
- {
- openssl x509 -in $crt -noout $opt
- }
- CheckRemoteCert()
- {
- echo |
- openssl s_client $servername -connect $host:$port $options 2>/dev/null |
- openssl x509 -noout $opt 2>&1
- }
- if [ -z "$(type -t FormatOutput)" ]; then
- FormatOutput() { cat; }
- fi
- if [ -z "$opt" ]; then
- opt="-text -certopt no_header,no_version,no_serial,no_signame,no_pubkey,no_sigdump,no_aux"
- fi
- if [ -z "$source" ]; then
- echo "ERROR: missing certificate source."
- echo "Provide one via '--file' or '--host' arguments."
- echo "See '--help' for examples."
- exit 1
- fi
- if [ "$source" == "local" ]; then
- [ -n "$DEBUG" ] && echo "DEBUG: certificate source is local file"
- if [ -z "$crt" ]; then
- echo "ERROR: missing certificate file"
- exit 1
- fi
- [ -n "$DEBUG" ] && echo
- CheckLocalCert | FormatOutput
- fi
- if [ "$source" == "remote" ]; then
- [ -n "$DEBUG" ] && echo "DEBUG: certificate source is remote host"
- if [ -z "$host" ]; then
- echo "ERROR: missing remote host value."
- echo "Provide one via '--host' argument"
- exit 1
- fi
- if [ -z "$port" ]; then
- [ -n "$DEBUG" ] && echo "DEBUG: defaulting to 443 for port."
- port="443"
- fi
- if [ "$port" -eq "465" ] || [ "$port" -eq "25" ] || [ "$port" -eq "587" ]; then
- [ -n "$DEBUG" ] && echo "DEBUG: Presuming that $port is a smtp port, adding starttls."
- options="-starttls smtp"
- fi
- [ -n "$DEBUG" ] && echo
- CheckRemoteCert | FormatOutput
- fi
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement