Skip to content
/ cert Public

Cert is the Go tool to get TLS certificate information.

License

Notifications You must be signed in to change notification settings

genkiroid/cert

Repository files navigation

cert

build

Get server's certificate information.

Installation

For Mac it provide Homebrew integration. Please install like following.

$ brew tap genkiroid/homebrew-cert
$ brew install cert

For other platforms, Precompiled binaries for released versions are available in the releases page.

Or go install.

$ go install github.com/genkiroid/cert/cmd/cert@latest

Usage

Give domain names as arguments.

$ cert github.com google.co.jp
DomainName: github.com
IP:         192.30.255.113
Port:       443
Issuer:     DigiCert SHA2 Extended Validation Server CA
NotBefore:  2016-03-10 09:00:00 +0900 JST
NotAfter:   2018-05-17 21:00:00 +0900 JST
CommonName: github.com
SANs:       [github.com www.github.com]
Error:

DomainName: google.co.jp
IP:         216.58.196.227
Port:       443
Issuer:     Google Internet Authority G3
NotBefore:  2017-10-17 19:59:51 +0900 JST
NotAfter:   2018-01-09 19:00:00 +0900 JST
CommonName: *.google.co.jp
SANs:       [*.google.co.jp google.co.jp]
Error:

You can specify port number. So you can get server certificate information of not only web server but also mail server and others.

$ cert github.com google.co.jp:443 imap.gmail.com:993
DomainName: github.com
IP:         192.30.255.113
Port:       443
Issuer:     DigiCert SHA2 Extended Validation Server CA
NotBefore:  2016-03-10 09:00:00 +0900 JST
NotAfter:   2018-05-17 21:00:00 +0900 JST
CommonName: github.com
SANs:       [github.com www.github.com]
Error:

DomainName: google.co.jp
IP:         172.217.27.163
Port:       443
Issuer:     Google Internet Authority G3
NotBefore:  2017-10-17 19:59:51 +0900 JST
NotAfter:   2018-01-09 19:00:00 +0900 JST
CommonName: *.google.co.jp
SANs:       [*.google.co.jp google.co.jp]
Error:

DomainName: imap.gmail.com
IP:         64.233.188.108
Port:       993
Issuer:     Google Internet Authority G2
NotBefore:  2017-10-17 19:10:29 +0900 JST
NotAfter:   2017-12-29 09:00:00 +0900 JST
CommonName: imap.gmail.com
SANs:       [imap.gmail.com]
Error:

Options

$ cert --help
Usage of cert:
  -c string
        Specify cipher suite. Refer to https://golang.org/pkg/crypto/tls/#pkg-constants for supported cipher suites.
  -cipher string
        Specify cipher suite. Refer to https://golang.org/pkg/crypto/tls/#pkg-constants for supported cipher suites.
  -f string
        Output format. md: as markdown, json: as JSON.  (default "simple table")
  -format string
        Output format. md: as markdown, json: as JSON.  (default "simple table")
  -k    Skip verification of server's certificate chain and host name.
  -s int
        Timeout seconds. (default 3)
  -skip-verify
        Skip verification of server's certificate chain and host name.
  -t string
        Output format as Go template string or Go template file path.
  -template string
        Output format as Go template string or Go template file path.
  -timeout int
        Timeout seconds. (default 3)
  -u    Use UTC to represent NotBefore and NotAfter.
  -utc
        Use UTC to represent NotBefore and NotAfter.
  -v    Show version.
  -version
        Show version.

Output as JSON

Use cert -f json.

$ cert -f json github.com | jq .
[
  {
    "DomainName": "github.com",
    "IP": "192.30.255.112",
    "Port": "443",
    "Issuer": "DigiCert SHA2 Extended Validation Server CA",
    "CommonName": "github.com",
    "SANs": [
      "github.com",
      "www.github.com"
    ],
    "NotBefore": "2016-03-10 09:00:00 +0900 JST",
    "NotAfter": "2018-05-17 21:00:00 +0900 JST",
    "Error": ""
  }
]

Output as Markdown

Use cert -f md.

$ cert -f md github.com
DomainName | IP | Port | Issuer | NotBefore | NotAfter | CN | SANs | Error
--- | --- | --- | --- | --- | --- | --- | --- | ---
github.com | 192.30.255.113 | 443 | DigiCert SHA2 Extended Validation Server CA | 2016-03-10 09:00:00 +0900 JST | 2018-05-17 21:00:00 +0900 JST | github.com | github.com<br/>www.github.com<br/> |
DomainName IP Port Issuer NotBefore NotAfter CN SANs Error
github.com 192.30.255.113 443 DigiCert SHA2 Extended Validation Server CA 2016-03-10 09:00:00 +0900 JST 2018-05-17 21:00:00 +0900 JST github.com github.com
www.github.com

Specify output format by Go template

Use cert -t.

By direct string.

$ cert -t "{{range .}}{{.Issuer}}{{end}}" github.com
DigiCert SHA2 Extended Validation Server CA

By template file.

$ cat /tmp/cert_templ
{{range .}}{{range .CertChain}}Issuer: {{.Issuer.CommonName}}
{{end}}{{end}}
$
$ cert -t /tmp/cert_templ github.com
Issuer: DigiCert SHA2 Extended Validation Server CA
Issuer: DigiCert High Assurance EV Root CA

Specify cipher suite

see #13

You can specify cipher suite. As a result, you can get the information of each certificate.

Note that the issuers are different in the following example.

# Get information of the certificate using RSA signature/public key algorithm.
$ cert -cipher TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 cloudflaressl.com
DomainName: cloudflaressl.com
IP:         104.20.47.142
Port:       443
Issuer:     COMODO RSA Domain Validation Secure Server CA 2
NotBefore:  2019-08-23 09:00:00 +0900 JST
NotAfter:   2020-03-01 08:59:59 +0900 JST
CommonName: ssl509631.cloudflaressl.com
SANs:       [ssl509631.cloudflaressl.com *.cloudflaressl.com cloudflaressl.com]
Error:

# Get information of the certificate using ECDSA signature/public key algorithm.
$ cert -cipher TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 cloudflaressl.com
DomainName: cloudflaressl.com
IP:         104.20.48.142
Port:       443
Issuer:     COMODO ECC Domain Validation Secure Server CA 2
NotBefore:  2019-08-23 09:00:00 +0900 JST
NotAfter:   2020-03-01 08:59:59 +0900 JST
CommonName: ssl509632.cloudflaressl.com
SANs:       [ssl509632.cloudflaressl.com *.cloudflaressl.com cloudflaressl.com]
Error:

If you specify a cipher suite, the maximum TLS version used is limited to TLS1.2. This is because if the server supports TLS1.3, the specified cipher suite is ignored and communication is performed using TLS1.3. This eliminates the meaning of specifying a cipher suite and confuses us. This specification will change when the cipher suite for Tls1.3 becomes configurable in Go.

License

MIT

Author

genkiroid