Debugging TLS certificates with Certigo
OpenSSL only goes so far; learn about Certigo, which goes a lot further.
Not too long ago, when it came to debugging TLS issues on certificates, my go-to solution was to use something like openssl.
For example, to dump out the certificates of a remote host:
$ echo | openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
If you want to find the expiration date of this certificate, you can chain more commands together to achieve the desired result:
$ echo | openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 2>/dev/null | openssl x509 -inform pem -noout -text | grep 'Not After' | sed -e 's/^.*:\ //g'
Jul 13 07:58:43 2020 GMT
As you can see, this is starting to get messy, fragile and not really suitable for wider scripting.
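A less fragile way to script the same expiry lookup with openssl alone, shown here as an added example that is not from the original post. The function names and the throwaway self-signed certificate are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: scripted expiry checks using openssl's own options
# instead of scraping the -text output with grep and sed.

# Print the notAfter date of the first PEM certificate in file $1.
cert_not_after() {
    # -enddate prints "notAfter=<date>"; keep everything after the "=".
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2-
}

# Succeed (exit 0) if the certificate in $1 expires within $2 days.
cert_expires_within_days() {
    # -checkend N exits 0 when the cert is still valid N seconds from now,
    # so the status is inverted to answer "does it expire in the window?"
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Fetch the leaf certificate of a live host as PEM (needs network access).
# $1 = host to connect to, $2 = SNI name (default: $1), $3 = port (default: 443)
fetch_leaf_cert() {
    openssl s_client -servername "${2:-$1}" -connect "$1:${3:-443}" \
        </dev/null 2>/dev/null | openssl x509 -outform pem
}

# Constructed sample input: a throwaway self-signed certificate valid for
# $2 days, written to $1 (key to $1.key), so the checks can be run offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=www.example.com" -keyout "$1.key" -out "$1" 2>/dev/null
}
```

Because `cert_expires_within_days` reports through its exit status, it can be used directly in an `if` or a monitoring check without parsing any text.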
Enter Certigo
Certigo is an open source tool that can examine and validate certificates to help with debugging SSL/TLS issues. The source repo is on GitHub.
You can install using Go:
On Mac OS X you can alternatively use Homebrew:
How to use certigo
Basic usage:
You can also test websites that do not have the DNS cutover correctly yet, using the power of SNI:
More advanced usage, by chaining the JSON output into jq:
Here is an image to show you the actual colours and formatting in all their glory (the above does not do it justice):
Final thoughts
Thanks to Scott for introducing this tool to the team.
Let me know in the comments what you typically use to do this work; I'm keen to understand other approaches.