Not too long ago, when it came to debugging SSL issues on certificates, my go to solution was to use something like openssl.

For example to dump out the certificates of a remote host

$ echo | openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 2>/dev/null | openssl x509 -inform pem -noout -text

If you want to find the expiration date of this certificate, you can chain more commands together to achieve the desired result:

$ echo | openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 2>/dev/null | openssl x509 -inform pem -noout -text | grep 'Not After' | sed -e 's/^.*:\ //g'
Jul 13 07:58:43 2020 GMT

As you can see, this is starting to get messy, fragile and not really suitable for wider scripting.

Enter Certigo

Certigo is an open source tool that can examine and validate certificates to help with debugging SSL/TLS issues. The source repo is on Github.

You can install using Go:

go get -u github.com/square/certigo
Install Certigo using Go

On MacOSX you can alternatively use homebrew:

brew install certigo
Install Certigo on MacOSX

How to use certigo

Basic usage:

certigo connect www.example.com
Certigo to show the TLS certificates in use on www.example.com

More advanced usage, by chaining the JSON output into jq:

$ certigo connect www.example.com --json | jq -r '.certificates[] | ("Common Name: " + .subject.common_name + ", Expires: " + .not_after)'
Common Name: www.example.com, Expires: 2020-07-13T07:58:43Z
Common Name: Let's Encrypt Authority X3, Expires: 2021-03-17T16:40:46Z
More advanced usage with JSON output and formatting with jq

Here is an image to show you the actual colours and formatting in all their glory (the above does not do it justice):

Example screenshot showing Certigo connecting to www.google.com

Final thoughts

Thanks to Scott for introducing this tool to the team.

Let me know in the comments what you typically use to do this work, keen to understand other approaches.