Entropic Thoughts

Checking TLS Certificates with OpenSSL from Terminal

Command line interfaces have one strong benefit over guis: anything that can be done in a cli can be trivially automated. The command-line paradigm[1] is very powerful that way.

[1] And by extension, the orthodox ui paradigm. What’s that? I’m still planning to write an article on it, but things get in the way.

Thus, while tls certificates can usually be checked very easily in our web browser of choice, it is still useful to know how to do it in the terminal. The openssl command is not the most friendly, but here’s the incantation. To print the certificate, we need to attempt to connect with openssl in its client mode.

echo \
| openssl s_client \
          -connect two-wrongs.com:443 \
          -servername two-wrongs.com

If we additionally want to know expiration dates, we can take the result of the previous command and pipe it to openssl again, this time asking it to decode the certificate information.

echo \
| openssl s_client \
          -connect two-wrongs.com:443 \
          -servername two-wrongs.com \
| openssl x509 \
          -noout \
          -dates

Since Let’s Encrypt no longer sends certificate expiration warning emails, I’m using this in a Perl script that runs every week and emails me with a brief report with all my domains, and whether their certificates are still okay or about to expire. It looks something like

OK ssl_cert entropicthoughts.com: 2025-05-26
OK ssl_cert xkqr.org: 2025-05-24
...

(The odd syntax is because I eventually want to expand it to notify me about things like backup activity also.)
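
A report in that shape can be built on the same openssl pipeline. The following is an added example in shell, not the author's Perl script; the 21-day threshold and the WARN, EXPIRED and FAIL labels are assumptions, and a domain whose certificate cannot be fetched is reported as FAIL instead of being dropped from the report.

```sh
#!/bin/sh
# Added example, not the author's Perl script. WARN_DAYS and the WARN, EXPIRED
# and FAIL labels are assumptions; only the "OK ssl_cert" shape is from the page.
WARN_DAYS=21

# Print the leaf certificate's "notAfter=..." line, or nothing on any failure.
fetch_not_after() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null
}

# Days from 1970-01-01 to the given year, month, day (integer arithmetic only).
days_from_civil() {
    y=$1
    if [ "$2" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400)); mp=$(( ($2 + 9) % 12 ))
    doy=$(( (153 * mp + 2) / 5 + $3 - 1 ))
    echo $(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
}

# report_line DOMAIN NOTAFTER_LINE TODAY, where TODAY is days since 1970-01-01.
report_line() {
    domain=$1 today=$3
    # "notAfter=May 26 12:00:00 2025 GMT" splits into: May 26 12:00:00 2025 GMT
    set -- ${2#notAfter=}
    mon=${1:-none} day=$2 year=$4
    months=JanFebMarAprMayJunJulAugSepOctNovDec
    before=${months%%"$mon"*}
    m=$(( ${#before} / 3 + 1 ))
    if [ "$m" -gt 12 ] || [ -z "$year" ]; then
        # A failed fetch must not read as a healthy certificate.
        echo "FAIL ssl_cert $domain: no certificate retrieved"
        return 0
    fi
    left=$(( $(days_from_civil "$year" "$m" "$day") - today ))
    if [ "$left" -lt 0 ]; then status=EXPIRED
    elif [ "$left" -lt "$WARN_DAYS" ]; then status=WARN
    else status=OK
    fi
    printf '%s ssl_cert %s: %04d-%02d-%02d\n' "$status" "$domain" "$year" "$m" "$day"
}

# Usage: sh certreport.sh entropicthoughts.com xkqr.org
today=$(( $(date +%s) / 86400 ))
for domain in "$@"; do
    report_line "$domain" "$(fetch_not_after "$domain")" "$today"
done
```

This checks expiry only: s_client hands over the certificate even when chain verification fails, so add -verify_return_error to the s_client call if an untrusted chain should also show up as FAIL.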

Redirects and Non-HTTP Connections

There are more reasons to prefer doing this through the terminal. If we want to check the certificate for a non-canonical domain, for example, our web browser tends to redirect us to the canonical domain before we have time to look at the certificate. The openssl client does not follow redirects, and will simply get the certificate for the domain we ask for.

Another thing of note is that tls is not unique to http. In principle, any protocol can be used over a tls connection and thus become more secure. The openssl method will check certificates for any sort of tls connection, while the web browser tends to be limited to https.

Inventory of Best Practices

Of course, this is fine if we’re trying to check basic things such as issuer, what type of certificate it is, or expiration dates. To get a better understanding of web encryption best practices, I’d recommend using something like the ssl Labs test.