Not too long ago, when it came to debugging TLS issues on certificates, my go to solution was to use something like
For example to dump out the certificates of a remote host
$ echo | openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
If you want to find the expiration date of this certificate, you can chain more commands together to achieve the desired result:
$ echo | openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 2>/dev/null | openssl x509 -inform pem -noout -text | grep 'Not After' | sed -e 's/^.*:\ //g'
Jul 13 07:58:43 2020 GMT
As you can see, this is starting to get messy, fragile and not really suitable for wider scripting.
Certigo is an open source tool that can examine and validate certificates to help with debugging SSL/TLS issues. The source repo is on Github.
You can install using
On MacOSX you can alternatively use
How to use certigo
You can also test websites that do not have the DNS cutover correctly yet, using the power of SNI:
More advanced usage, by chaining the JSON output into
Here is an image to show you the actual colours and formatting in all their glory (the above does not do it justice):
Thanks to Scott for introducing this tool to the team.
Let me know in the comments what you typically use to do this work, keen to understand other approaches.