
SSL Certificate Verification

SSL is TLS

SSL is the old name. It is called TLS these days.

Native SSL

If libcurl was built with Schannel or Secure Transport support (the native SSL
libraries included in Windows and Mac OS X), then this does not apply to
you. Scroll down for details on how the OS-native engines handle SSL
certificates. If you are not sure, then run «curl -V» and read the results. If
the version string says Schannel in it, then it was built with Schannel
support.

It is about trust

This system is about trust. In your local CA certificate store you have certs
from trusted Certificate Authorities that you then can use to verify that
the server certificates you see are valid. They are signed by one of the
certificate authorities you trust.

Which certificate authorities do you trust? You can decide to trust the same
set of companies your operating system trusts, or the set one of the known
browsers trust. That is basically trust via someone else you trust. You should
just be aware that modern operating systems and browsers are setup to trust
hundreds of companies and in recent years several certificate authorities
have been found untrustworthy.

Certificate Verification

libcurl performs peer SSL certificate verification by default. This is done
by using a CA certificate store that the SSL library can use to make sure the
peer’s server certificate is valid.

If you communicate with HTTPS, FTPS or other TLS-using servers using
certificates in the CA store, you can be sure that the remote server really is
the one it claims to be.

If the server's certificate is not signed by one of the certificates in the
installed CA certificate store and none of the above methods is used, the SSL
library reports an error («certificate verify failed») during the handshake
and refuses further communication with that server.

Certificate Verification with NSS

If libcurl was built with NSS support, then depending on the OS distribution,
it is probably required to take some additional steps to use the system-wide
CA cert db. Red Hat ships with an additional module, libnsspem.so, which
enables NSS to read the OpenSSL PEM CA bundle. On openSUSE you can install
p11-kit-nss-trust which makes NSS use the system wide CA certificate
store. NSS also has a new database format.

Starting with version 7.19.7, libcurl automatically adds the sql: prefix to
the certificate database directory (either the set default /etc/pki/nssdb or
the directory configured with the SSL_DIR environment variable). To check
which certificate database format your distribution provides, examine the
default certificate database location: /etc/pki/nssdb; the new certificate
database format can be identified by the filenames cert9.db, key4.db,
pkcs11.txt; filenames of older versions are cert8.db, key3.db,
secmod.db.

Certificate Verification with Schannel and Secure Transport

If libcurl was built with Schannel (Microsoft’s native TLS engine) or Secure
Transport (Apple’s native TLS engine) support, then libcurl will still perform
peer certificate verification, but instead of using a CA cert bundle, it will
use the certificates that are built into the OS. These are the same
certificates that appear in the Internet Options control panel (under Windows)
or Keychain Access application (under OS X). Any custom security rules for
certificates will be honored.

Schannel will run CRL checks on certificates unless peer verification is
disabled. Secure Transport on iOS will run OCSP checks on certificates unless
peer verification is disabled. Secure Transport on OS X will run either OCSP
or CRL checks on certificates if those features are enabled, and this behavior
can be adjusted in the preferences of Keychain Access.

HTTPS proxy

Since version 7.52.0, curl can do HTTPS to the proxy separately from the
connection to the server. This TLS connection is handled separately from the
server connection so instead of --insecure and --cacert to control the
certificate verification, you use --proxy-insecure and --proxy-cacert.
With these options, you make sure that the TLS connection and the trust of the
proxy can be kept totally separate from the TLS connection to the server.

Using Self-signed Certificates with cURL

cURL is a command-line program to download files over the web.

Generating Certificates

When you generate the Root CA’s certificate (to later sign the server’s certificate):

$ ./create_certificate_authoriy.sh

A file named ca_public_certificate.pem will be created (in ./CA/). This is the file which will be used with «cURL».

Trying without a certificate

When connecting to a web server which uses self-signed certificate, cURL will reject the server’s certificate and refuse to download the file:

$ curl https://myserver.com
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Adding the Self-Signed Root CA certificate

When explicitly adding the self-signed root CA’s certificate, cURL will successfully validate the server’s certificate:

$ curl --cacert ca_public_certificate.pem https://myserver.com  file.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    13  100    13    0     0    110      0 --:--:-- --:--:-- --:--:--   116

Sending Client-Side Certificate

Step 1: Create a new certificate for this client:

$ ./create_certificate foobarclient

The script will create several files (in ./CA/servers/foobarclient). The file we need is foobarclient.combined.pem, which contains both the private key and the public certificate for this client.

Step 2: Use cURL with the client certificate

curl --cert foobarclient.combined.pem \
     --cacert ca_public_certificate.pem https://myserver.com  file.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    13  100    13    0     0    110      0 --:--:-- --:--:-- --:--:--   116
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Security Considerations

  1. This recipe is not secure.
  2. It does not demonstrate good security practices (e.g. no passwords on private keys, no file-permission modifications, etc.).
  3. It should be used only for testing and learning purposes.
  4. The client-side certificate is only as secure as your clients: if someone gains access to the client, he can steal the client’s certificate.

This document describes how to use curl with both custom and official CA SSL certificates.

Prerequisite

Example for Mac OS:

brew install curl --with-openssl
brew link curl --force
curl --version

CA directory

Create a CA directory which will contain all your CA certificates in the .pem format (ex: /etc/pki/ssl/ca).

Export a custom CA from the firefox browser

Note that this step is only necessary if you don’t already have your custom CA in PEM format.

If you open an SSL-protected webpage in the Firefox browser:

  • click on the lock on the left of the URL
  • then "More information…" / Security / "View certificate" / Details / "Export…" / "X.509 Certificate (PEM)"

Export the .pem file into your CA directory.

Get all the officially supported certificate authorities

In your CA directory:

curl http://curl.haxx.se/ca/cacert.pem -o firefox.pem

Merge all your .pem in one

In your CA directory:

Configuring cacert

From now on, you should be able to configure curl to use your merged CA:

curl --cacert /etc/pki/ssl/ca/ca-all.pem https://mycustomapi.com

You may prefer to update .curlrc by adding the line:

cacert /etc/pki/ssl/ca/ca-all.pem

References

With LetsEncrypt’s DST Root CA X3 root certificate expiring, some customers are experiencing issues when Deskpro needs to contact external websites, such as downloading linked attachments from emails, or adding an external download link etc.

This can be fixed easily by manually updating the list of trusted root certificates to include the newer LetsEncrypt ISRG Root X1 root certificate. We recommend using the curl.se CA Bundle, as this is regularly extracted from the Firefox browser, which is maintained by Mozilla, and is formatted in a way which cURL expects.

Linux

(Paths in this guide will assume a default Linux installation on Ubuntu 18.04 LTS, but it will be similar for other distros.)

1. Download the latest CA bundle extract from curl.se 

wget https://curl.se/ca/cacert.pem -O /etc/ssl/certs/cacert.pem

2. Edit your php.ini file.

In these files, you need to either modify or add the curl.cainfo and openssl.cafile parameters with the path to the new CA bundle:

[curl]
 curl.cainfo = /etc/ssl/certs/cacert.pem

(only add the parameter if it does not already exist in your php.ini file. Duplicate parameters can prevent PHP from running correctly)

3. Restart your php-fpm to load the new settings.

systemctl restart php<version>-fpm

Replace the <version> with the version of PHP you’re using, so for PHP 7.4, the command will be systemctl restart php7.4-fpm

Windows

(Paths in this guide will assume the default Windows installation directory)

1. Download the latest CA bundle extract from curl.se, and place it within the Deskpro installation directory (C:\DeskPRO\).

2. Edit your php.ini file (C:\Deskpro\PHP\php.ini) in notepad.

Modify both parameters: remove the semicolons (;) from the start of the lines, and set the path to the cacert.pem file at the end of each line:

4. Save the file

5. Restart your web handler, by opening your DeskPRO Manager (Start > Configure Deskpro), then clicking the ‘Stop’ button on the end of the web server line.

Wait for the service to stop completely, then click ‘Start’ again to restart.

This should now update the trusted root certificates for cURL, allowing it to connect to external websites using the new LetsEncrypt ISRG Root X1 root certificate.

Custom Root Certificates

If you require a custom Root Certificate to use a service such as Cisco Umbrella, or you need Deskpro to trust a self-signed certificate, you can add these custom root certificates to the cacert.pem file.

The certificate needs to be in Base 64 or PEM format, and can be appended to the bottom of the file by  running cat custom-cert.pem >> cacert.pem in Linux, or copy/pasting the certificate to the file in Notepad for Windows.
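Appending a file to cacert.pem with `cat >>` is easy to get wrong: a certificate saved in DER format, a block with a missing END line, or the same root appended on every deploy all end up in the bundle unnoticed. The following is an added example (not code from curl, Deskpro, or the tutorial above) that splits PEM bundles into their certificate blocks, validates the base64 body of each, fingerprints them, and merges several bundles while dropping duplicates. It also covers the "Merge all your .pem in one" step in the earlier CA-directory section. The certificate bodies it constructs are placeholders (base64 of arbitrary bytes), not real certificates, so only the PEM framing is exercised, not X.509 parsing.

```python
"""Check and merge PEM CA bundles before handing them to curl via --cacert.

Added example; not code from curl, Deskpro or the tutorial above. It works on
PEM text only and runs offline: the certificate bodies below are constructed
placeholders (base64 of arbitrary bytes), not real certificates.
"""
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# One armoured block; the body is the base64 text between the two markers.
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.DOTALL)


def split_bundle(text):
    """Return the DER bytes of every certificate block in `text`.

    Raises ValueError for a BEGIN without its END or for a body that is not
    valid base64. curl rejects the whole bundle on a corrupt block, so it is
    better to fail here than after the file has been appended to cacert.pem.
    """
    bodies = PEM_BLOCK.findall(text)
    if len(bodies) != text.count(BEGIN):
        raise ValueError("unbalanced BEGIN/END CERTIFICATE markers")
    ders = []
    for body in bodies:
        compact = "".join(body.split())          # drop the 64-column line breaks
        try:
            ders.append(base64.b64decode(compact, validate=True))
        except ValueError as exc:                # binascii.Error is a ValueError
            raise ValueError("malformed PEM body: %s" % exc) from None
    return ders


def fingerprint(der):
    """SHA-256 fingerprint of the DER bytes, colon-separated like openssl prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def to_pem(der):
    """Re-armour DER bytes as a PEM block with 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "%s\n%s\n%s\n" % (BEGIN, "\n".join(lines), END)


def merge_bundles(*bundles):
    """Concatenate bundles into one PEM string, keeping the first copy of each cert.

    Returns (merged_pem, fingerprints in output order). Duplicates are the
    usual result of running `cat custom-cert.pem >> cacert.pem` more than once.
    """
    unique = {}
    for text in bundles:
        for der in split_bundle(text):
            unique.setdefault(fingerprint(der), der)
    merged = "".join(to_pem(der) for der in unique.values())
    return merged, list(unique)


def constructed_cert(label):
    """Constructed stand-in for a certificate: 96 arbitrary bytes derived from `label`."""
    return to_pem(hashlib.sha256(label).digest() * 3)


# Constructed inputs: an "official" two-cert bundle plus a custom root appended twice.
OFFICIAL_BUNDLE = constructed_cert(b"public-root-1") + constructed_cert(b"public-root-2")
CUSTOM_ROOT = constructed_cert(b"corporate-root")
MERGED, FINGERPRINTS = merge_bundles(OFFICIAL_BUNDLE, CUSTOM_ROOT, CUSTOM_ROOT)

if __name__ == "__main__":
    for fp in FINGERPRINTS:
        print(fp)
    print("%d unique certificates, %d bytes of PEM" % (len(FINGERPRINTS), len(MERGED)))
```

In practice you would read the downloaded cacert.pem and each custom-cert.pem from disk, pass their contents to `merge_bundles`, and write the result to a new file that curl's `--cacert` (or php.ini's `curl.cainfo`) points at; comparing the fingerprints against the ones your CA operator publishes is the check that the right root was appended.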

This article will explain how to add (install) a new certificate to the trusted root certificate list on Linux.

Let’s say you are using a self-signed SSL/TLS certificate but don’t want to get SEC_ERROR_UNKNOWN_ISSUER error on the client browser whenever your site is opened.
SEC_ERROR_UNKNOWN_ISSUER error on browser

In this example, we will install a self-signed certificate from an IIS website running on a Windows Server.

$ curl -I https://woshub.local

curl: (60) SSL certificate problem: unable to get local issuer certificate. More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

Validate website certificate using cURL

In this case, we need to add this website’s Root CA to the list of trusted certificates on Linux.

How to Install the Root Certificate in the Trust Store on Linux?

If you want to update your trusted certificate store on Linux, the first thing you need is the certificate’s PEM file with a *.CRT extension. A PEM certificate is a text file in base64 format that starts with the line -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

PEM (X.509 certificate) file with .CRT extension

If you have your certificate’s file stored in DER format, you can convert it into PEM using the openssl command:

$ openssl x509 -in my_trusted_sub_ca.der -inform der -out my_trusted_sub_ca.cer

Now let’s see how you can add your CA root certificate to the trust list in DEB-based Linux distros (Ubuntu, Debian, Mint, Kali Linux, etc.).

Update the certificate store using the command:

$ sudo update-ca-certificates -v

If the command is not found, you need to install the package on your Ubuntu/Debian host:

$ sudo apt-get install -y ca-certificates

update-ca-certificates - updates the directory /etc/ssl/certs to hold SSL certificates and generates ca-certificates.crt

If the certificates have been successfully added, you will see a message saying that the certificate has been copied to /etc/ssl/certs/:

Updating certificates in /etc/ssl/certs…
2 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d

Here’s another way to add new certificates to the trusted store on Linux:

$ sudo dpkg-reconfigure ca-certificates

Check out the list of certificates and select the ones you want to add to the trusted ones.

dpkg-reconfigure ca-certificates

On Linux, the list of trusted certificates is stored in the file /etc/ssl/certs/ca-certificates.crt. Both of the above commands will update this file and add information about the new certificates.

Specify the Common Name part of your certificate instead of YourCASubj to search the store by subject.

list trusted certificates linux

You can see if your OS trusts the certificate by using the command:

$ openssl verify my_trusted_sub_ca.crt

openssl verify certificate chain

If your Linux host does not trust the certificate, you will get an error:

error 20 at 0 depth lookup: unable to get local issuer certificate
error my_trusted_sub_ca.crt: verification failed

You can use curl to ensure that the site uses a trusted SSL certificate:

$ curl -I https://woshub.local

check for trusted ssl connection with curl on linux

Note that a certificate file can also be added to the trust list manually:

exta/mycert1.crt

$ sudo update-ca-certificates

To remove the certificate from the trusted list, simply delete your .crt file:

And update the CA store:

$ sudo update-ca-certificates --fresh

  1. Install the ca-certificates package: # yum install ca-certificates
  2. Copy the certificate file to /etc/pki/ca-trust/source/anchors/: # cp mycert.crt /etc/pki/ca-trust/source/anchors/
  3. Update the certificate trusted store:
    # update-ca-trust force-enable
    # update-ca-trust extract

Adding a Trusted CA Certificate to Chrome and Firefox

After performing the above steps, all system tools will trust websites that use this CA. However, this will not affect the Mozilla Firefox or Google Chrome web browsers, as they will still show a warning message about the untrusted certificate.

First, install the package:

$ sudo apt install libnss3-tools

install libnss3-tools on linux

Once that’s done, websites with the given CA will be trusted by all browsers.

I need to add a .pem cert file to my default CA cert bundle but I don’t know where the default CA Cert bundle is kept.

I need to append my new .pem file to this default bundle. I’d rather do that than specify my own location using --capath

cURL clearly knows where to look but I don’t see any cURL commands that reveal the location. Is there a command that will reveal this location? How can I find it?

According to cURL:
Add the CA cert for your server to the existing default CA cert bundle.
The default path of the CA bundle used can be changed by running configure
with the --with-ca-bundle option pointing out the path of your choice.

asked Mar 7, 2013 at 13:01

Slinky's user avatar

3 gold badges15 silver badges26 bronze badges

Running curl with strace might give you a clue.

strace curl https://www.google.com |& grep open

Lots of output, but right near the end I see:

open("/etc/ssl/certs/578d5c04.0", O_RDONLY) = 4

and /etc/ssl/certs/ is where my certificates are stored.

rogerdpack's user avatar

2 gold badges8 silver badges22 bronze badges

answered Mar 7, 2013 at 14:33

Flup's user avatar

2 gold badges32 silver badges43 bronze badges

There should be a program ‘curl-config’ in curl’s ‘bin/’, i.e. where the ‘curl’ binary resides.

gives the ca bundle install path.

I just did a whatis curl-config: «Get information about a libcurl installation» so I guess it will only be available if libcurl was installed, which I presume is standard though.

answered Aug 24, 2015 at 13:17

lm713's user avatar

3 silver badges5 bronze badges

I found an easy way: use the --cacert with a wrong file name, the output will show the path.

~$ curl --cacert non_existing_file https://www.google.com
curl: (77) error setting certificate verify locations:
  CAfile: non_existing_file
  CApath: /etc/ssl/certs

answered May 25, 2016 at 12:41

Chananel P's user avatar

Chananel P

2 silver badges4 bronze badges

-v with https in the URL.

$ curl -v https://google.com
* Rebuilt URL to: https://google.com/
* timeout on name lookup is not supported
*   Trying 172.217.9.174...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to google.com (172.217.9.174) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   *CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt*

answered Oct 12, 2017 at 21:21

Philip Rego's user avatar

Philip Rego

1 gold badge5 silver badges14 bronze badges

Linux (Ubuntu, Debian)

sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

Update the CA store

sudo update-ca-certificates

Remove your CA and update the CA store:

sudo update-ca-certificates --fresh

Linux (CentOS 6)

Install the ca-certificates package:

yum install ca-certificates

Enable the dynamic CA configuration feature: update-ca-trust force-enable
Add it as a new file to /etc/pki/ca-trust/source/anchors/:

cp foo.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

Linux (CentOS 5)

Append your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt

cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt

https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html very nice link,
which explains, how to add it to several popular OS.

answered Aug 13, 2019 at 12:14

BiG_NoBoDy's user avatar

1 silver badge8 bronze badges

You could download the CA Root Certificates bundle from haxx.se, who are the creators of curl, then just append your certificate to their .pem and refer to it when using curl with the --cacert option.

answered Aug 15, 2015 at 16:19

iammyr's user avatar

The default CA bundle location is OS dependent. On RHEL5, it is located in /etc/pki/tls/certs/ca-bundle.pem. On other flavors of Linux or non-linux OSes, it may be in a different location.

answered Mar 7, 2013 at 13:58

John's user avatar

1 gold badge29 silver badges34 bronze badges
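The answers above locate the bundle indirectly (strace, a deliberately wrong `--cacert`, `curl -v`). As an added example, not code from the question or any answer, the script below asks OpenSSL itself through Python's standard library: `ssl.get_default_verify_paths()` exposes the compiled-in CAfile/CApath and the names of the environment variables that override them, the same two locations curl prints in its "error setting certificate verify locations" message when it is linked against the same OpenSSL. It also counts how many CA certificates OpenSSL actually parses out of a bundle, which catches a file that exists but is in the wrong format. The paths used in the self-check are constructed placeholders.

```python
"""Find the CA bundle OpenSSL falls back to, and sanity-check a bundle file.

Added example, not code from the question or any of the answers. Standard
library only; the paths in the self-check are constructed placeholders.
"""
import os
import ssl


def default_ca_locations(environ=None):
    """Return OpenSSL's bundle file / directory candidates and whether they exist.

    `environ` defaults to os.environ; pass a dict to evaluate a hypothetical
    environment (useful when a service runs with a different SSL_CERT_FILE).
    """
    paths = ssl.get_default_verify_paths()
    env = os.environ if environ is None else environ
    cafile = env.get(paths.openssl_cafile_env) or paths.openssl_cafile
    capath = env.get(paths.openssl_capath_env) or paths.openssl_capath
    return {
        "env_file_var": paths.openssl_cafile_env,      # normally SSL_CERT_FILE
        "env_dir_var": paths.openssl_capath_env,       # normally SSL_CERT_DIR
        "cafile": cafile,
        "cafile_exists": bool(cafile) and os.path.isfile(cafile),
        "capath": capath,
        "capath_exists": bool(capath) and os.path.isdir(capath),
    }


def bundle_cert_count(cafile):
    """How many CA certificates OpenSSL parses out of `cafile`.

    Returns None if the file does not exist and 0 if OpenSSL cannot find a
    certificate in it (typically a DER or PKCS#7 export saved with a .pem name).
    A fresh SSLContext is used so the system defaults do not inflate the count.
    """
    if not os.path.isfile(cafile):
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=cafile)
    except ssl.SSLError:
        return 0
    return len(ctx.get_ca_certs())


if __name__ == "__main__":
    info = default_ca_locations()
    for key, value in info.items():
        print("%-14s %s" % (key, value))
    if info["cafile_exists"]:
        print("CA certificates in bundle:", bundle_cert_count(info["cafile"]))
```

Because curl can be built against a different TLS library (or a different OpenSSL) than the system Python, treat the result as a strong hint and confirm it with `curl -v`, whose "CAfile:" line shows the path the curl binary actually opened.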

You should be able to use OpenSSL for your purpose:

echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text

That command connects to the desired website and pipes the certificate in PEM format on to another openssl command that reads and parses the details.

(Note that «redundant» -servername parameter is necessary to make openssl do a request with SNI support.)

Greg Dubicki's user avatar

1 gold badge17 silver badges31 bronze badges

answered Jan 23, 2015 at 22:26

Pedro Perez's user avatar

Pedro Perez

1 gold badge11 silver badges11 bronze badges

Basic certificate info

That’s my everyday script:

curl --insecure -vvI https://www.example.com 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Los Angeles; O=Verizon Digital Media Services, Inc.; CN=www.example.org
*  start date: Dec 10 00:00:00 2021 GMT
*  expire date: Dec  9 23:59:59 2022 GMT
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5588e1f5ae30)
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* Connection #0 to host www.example.com left intact

Full certificate info

openssl s_client -connect www.example.com:443 </dev/null 2>/dev/null | openssl x509 -inform pem -text

answered Jan 15, 2016 at 13:23

nmap -p 443 --script ssl-cert gnupg.org

The -p 443 specifies to scan port 443 only. All ports will be scanned if it is omitted, and the certificate details for any SSL service that is found will be displayed. The --script ssl-cert tells the Nmap scripting engine to run only the ssl-cert script. From the doc, this script «(r)etrieves a server’s SSL certificate. The amount of information printed about the certificate depends on the verbosity level.»

Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-01 13:35 PDT
Nmap scan report for gnupg.org (217.69.76.60)
Host is up (0.16s latency).
Other addresses for gnupg.org (not scanned): (null)
rDNS record for 217.69.76.60: www.gnupg.org
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=gnupg.org
| Subject Alternative Name: DNS:gnupg.org, DNS:www.gnupg.org
| Issuer: commonName=Gandi Standard SSL CA 2/organizationName=Gandi/stateOrProvinceName=Paris/countryName=FR
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2015-12-21T00:00:00
| Not valid after:  2018-03-19T23:59:59
| MD5:   c3a7 e0ed 388f 87cb ec7f fd3e 71f2 1c3e
|_SHA-1: 5196 ecf5 7aed 139f a511 735b bfb5 7534 df63 41ba

Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds

answered Nov 1, 2017 at 20:37

Jose Quinteiro's user avatar

Depends on what kind of information you want, but:

openssl s_client -showcerts -connect gnupg.org:443

should give you most, although not as nicely human readable like Chrome presents it.

answered Jan 23, 2015 at 22:20

faker's user avatar

2 gold badges60 silver badges69 bronze badges

For completeness: if you have installed on your system Java 7 or higher

 keytool -printcert -sslserver $host[:$port]

shows the chain (as served) with nearly all details in a mostly rather ugly format.

Whether you should have Java installed on your system I do not answer.

answered Sep 19, 2018 at 20:27

dave_thompson_085's user avatar

function Retrieve-ServerCertFromSocket ($hostname, $port=443, $SNIHeader, [switch]$FailWithoutTrust)
{
    if (!$SNIHeader) {
        $SNIHeader = $hostname
    }

    $cert = $null
    try {
        $tcpclient = new-object System.Net.Sockets.tcpclient
        $tcpclient.Connect($hostname,$port)

        #Authenticate with SSL
        if (!$FailWithoutTrust) {
            $sslstream = new-object System.Net.Security.SslStream -ArgumentList $tcpclient.GetStream(),$false, {$true}
        } else {
            $sslstream = new-object System.Net.Security.SslStream -ArgumentList $tcpclient.GetStream(),$false
        }

        $sslstream.AuthenticateAsClient($SNIHeader)
        $cert =  [System.Security.Cryptography.X509Certificates.X509Certificate2]($sslstream.remotecertificate)

     } catch {
        throw "Failed to retrieve remote certificate from $hostname`:$port because $_"
     } finally {
        #cleanup
        if ($sslStream) {$sslstream.close()}
        if ($tcpclient) {$tcpclient.close()}        
     }    
    return $cert
}

This allows you to do some neat things like

#Save to file and open 
Retrieve-ServerCertFromSocket www.wrish.com 443 | Export-Certificate -FilePath C:\temp\test.cer ; start c:\temp\test.cer

#Display the cert details
Retrieve-ServerCertFromSocket www.wrish.com 443 | fl subject,*not*,Thumb*,ser*

answered Dec 14, 2016 at 16:06

Neossian's user avatar

2 silver badges5 bronze badges

If you only want the expiry date (which isn’t exactly the answer but is 9/10 what people use the Chrome cert details for), you can use:

Useful for scripts etc.

c4urself@eos ~ → which ssl_expiry
ssl_expiry () {
  echo | openssl s_client -connect ${1}:443 2> /dev/null | openssl x509 -noout -enddate
}
c4urself@eos ~ → ssl_expiry google.com
notAfter=Jun 12 16:54:00 2018 GMT

answered Apr 6, 2018 at 2:17

c4urself's user avatar

3 gold badges26 silver badges39 bronze badges
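The `ssl_expiry` function above prints the raw `notAfter=` line; a script usually also wants the number of days left and a verdict it can alert on. As an added example, not the answer's own code, the block below does that in Python. The standard library's `getpeercert()` returns `notAfter` in the same layout openssl prints ("Jun 12 16:54:00 2018 GMT"), so one parser covers both the openssl one-liner's output and a direct TLS connection; unlike `s_client`, the connection helper keeps certificate verification on. The dates in the self-check are constructed.

```python
"""Certificate expiry check in the spirit of the ssl_expiry shell function above.

Added example, not the answer's own code. Standard library only; the dates
used in the self-check are constructed.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

NOT_AFTER_FORMAT = "%b %d %H:%M:%S %Y %Z"   # layout used by openssl and getpeercert()


def parse_not_after(value):
    """Accept 'notAfter=Jun 12 16:54:00 2018 GMT' or the bare date; return an aware UTC datetime."""
    text = value.split("=", 1)[1] if value.startswith("notAfter=") else value
    return datetime.strptime(text.strip(), NOT_AFTER_FORMAT).replace(tzinfo=timezone.utc)


def days_remaining(not_after, now=None):
    """Whole days until expiry; negative once the certificate has lapsed."""
    now = now or datetime.now(timezone.utc)
    return (parse_not_after(not_after) - now).days


def classify(not_after, warn_days=30, now=None):
    """OK / WARN / EXPIRED, the three states a renewal cron job cares about."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "EXPIRED"
    return "WARN" if left <= warn_days else "OK"


def fetch_not_after(host, port=443, timeout=10):
    """Return the notAfter string of the certificate `host` serves.

    Network call, deliberately not exercised by the self-check. Verification
    stays on: an untrusted chain raises ssl.SSLCertVerificationError rather
    than reporting an expiry date from a certificate that was never validated.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder host
    not_after = fetch_not_after(host)
    print("%s: %s (%d days, %s)" % (host, not_after,
                                    days_remaining(not_after), classify(not_after)))
```

Run it as `python3 cert_expiry.py myserver.example` (placeholder name) from a cron job and alert on anything other than OK; the `warn_days` threshold should be longer than your renewal turnaround, which for automated ACME renewals is typically well under the 30-day default.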

It’s great to double-check you have all info correct for re-issuing certs or validating existing ones, and it also has few dependencies and requires no setup.

This is what the first few lines of the output look like:

$ ./check_certificate_chain.py gnupg.org 443

>> Certificate Chain:

 [+]*       OU=Domain Control Validated, OU=Gandi Standard SSL, CN=gnupg.org
 [+]**      C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
 [+]***     C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware

>> Certificate Information:

................................................................................
- [Subject]:        OU=Domain Control Validated, OU=Gandi Standard SSL, CN=gnupg.org
- [Issuer]:     C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
- [Valid from]:     Mar 18 00:00:00 2014 GMT
- [Valid until]:    Mar 18 23:59:59 2016 GMT
- [Authority]:      Is not a CA
- [Version]:        2
- [Serial No.]:     43845251655098616578492338727643475746
- [X.509 Extension Details]:
  -- [x509_authorityKeyIdentifier]:
       keyid:B6:A8:FF:A2:A8:2F:D0:A6:CD:4B:B1:68:F3:E7:50:10:31:A7:79:21 

What I like is that, instead of being an SSL-centric CLI tool like openssl’s s_client, this one tries to do just the one job we need most of the time. Of course openssl is more flexible (i.e. also checking client certs, IMAPS on odd ports, etc.) — but I don’t always need that.

answered Jan 24, 2015 at 1:34 by Florian Heigl

I use a shell script for this. It’s just a wrapper around the openssl command that saves me from remembering the syntax.

It provides options for parsing out most of the certificate information I’m typically interested in, or displaying the raw openssl output.

It can either query a local certificate file or a remote server.

$ ssl-cert-info --help
Usage: ssl-cert-info [options]

This shell script is a simple wrapper around the openssl binary. It uses
s_client to get certificate information from remote hosts, or x509 for local
certificate files. It can parse out some of the openssl output or just dump all
of it as text.

Options:

  --all-info   Print all output, including boring things like Modulus and 
               Exponent.

  --alt        Print Subject Alternative Names. These will be typically be 
               additional hostnames that the certificate is valid for.

  --cn         Print commonName from Subject. This is typically the host for 
               which the certificate was issued.

  --debug      Print additional info that might be helpful when debugging this
               script.

  --end        Print certificate expiration date. For additional functionality
               related to certificate expiration, take a look at this script:
               "http://prefetch.net/code/ssl-cert-check".

  --dates      Print start and end dates of when the certificate is valid.

  --file       Use a local certificate file for input.

  --help       Print this help message.

  --host       Fetch the certificate from this remote host.

  --issuer     Print the certificate issuer.

  --most-info  Print almost everything. Skip boring things like Modulus and
               Exponent.

  --option     Pass any openssl option through to openssl to get its raw
               output.

  --port       Use this port when conneting to remote host. If ommitted, port
               defaults to 443.

  --subject    Print the certificate Subject -- typically address and org name.

Examples:

  1. Print a list of all hostnames that the certificate used by amazon.com 
     is valid for.

     ssl-cert-info --host amazon.com --alt
     DNS:uedata.amazon.com
     DNS:amazon.com
     DNS:amzn.com
     DNS:www.amzn.com
     DNS:www.amazon.com

  2. Print issuer of certificate used by smtp.gmail.com. Fetch certficate info
     over port 465.

     ssl-cert-info --host smtp.gmail.com --port 465 --issuer
     issuer= 
         countryName               = US
         organizationName          = Google Inc
         commonName                = Google Internet Authority G2

  3. Print valid dates for the certificate, using a local file as the source of 
     certificate data. Dates are formatted using the date command and display
     time in your local timezone instead of GMT.

     ssl-cert-info --file /path/to/file.crt --dates
     valid from: 2014-02-04 16:00:00 PST
     valid till: 2017-02-04 15:59:59 PST


  4. Print certificate serial number. This script doesn't have a special option
     to parse out the serial number, so will use the generic --option flag to
     pass '-serial' through to openssl.

     ssl-cert-info --host gmail.com --option -serial
     serial=4BF004B4DDC9C2F8

You can get the script here: https://web.archive.org/web/20190528035412/http://giantdorks.org/alain/shell-script-to-check-ssl-certificate-info-like-expiration-date-and-subject/

answered Sep 8, 2015 at 19:37 by Alain Kelder

nmap -sV -sC google.com -p 443

answered Jul 27, 2017 at 15:58 by Sergio Rua

You can also try the gnutls-cli tool from https://www.gnutls.org/:

echo | gnutls-cli serverfault.com

If you need the raw certificate data (in PEM format), add --print-cert.

answered Aug 5, 2020 at 12:55 by jpbochi

Showcert

showcert is openssl for humans. (showcert has only 1% of openssl’s features, but covers 99% of typical needs and is much easier to use.)

OpenSSL hates you

# two redirections, a pipe, two invocations of the same binary, five extra options (s_client, -connect, x509, -inform, -text)
# And you probably want to add one more pipe and grep to extract what you need (expiration date) from two screens of output
# I forgot the exact command to hack the Pentagon, but it was a little bit shorter

openssl s_client -connect github.com:443 </dev/null 2>/dev/null | openssl x509 -inform pem -text

Install

pip3 install showcert

Usage

View remote HTTPS server cert (you will never forget syntax):

$ showcert github.com
IP: 140.82.121.3
Names: github.com www.github.com
notBefore: 2022-03-15 00:00:00 (337 days old)
notAfter: 2023-03-15 23:59:59 (28 days left)
Issuer: C=US O=DigiCert Inc CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1

View the remote certificate for other ports/protocols (with auto STARTTLS support for SMTP/IMAP/POP3):

$ showcert smtp.google.com:25
IP: 66.102.1.26
Names: mx.google.com smtp.google.com aspmx.l.google.com alt1.aspmx.l.google.com alt2.aspmx.l.google.com alt3.aspmx.l.google.com alt4.aspmx.l.google.com gmail-smtp-in.l.google.com alt1.gmail-smtp-in.l.google.com alt2.gmail-smtp-in.l.google.com alt3.gmail-smtp-in.l.google.com alt4.gmail-smtp-in.l.google.com gmr-smtp-in.l.google.com alt1.gmr-smtp-in.l.google.com alt2.gmr-smtp-in.l.google.com alt3.gmr-smtp-in.l.google.com alt4.gmr-smtp-in.l.google.com mx1.smtp.goog mx2.smtp.goog mx3.smtp.goog mx4.smtp.goog aspmx2.googlemail.com aspmx3.googlemail.com aspmx4.googlemail.com aspmx5.googlemail.com gmr-mx.google.com
notBefore: 2023-01-31 10:21:33 (15 days old)
notAfter: 2023-04-25 10:21:32 (68 days left)
Issuer: C=US O=Google Trust Services LLC CN=GTS CA 1C3

Save gmail SMTP certificate (whole chain) in PEM format:

$ showcert --chain -o pem smtp.google.com:25 > gmail-fullchain.pem
$ file gmail-fullchain.pem 
/tmp/gmail.pem: PEM certificate

Or you may use -o full to get openssl-style full dump (but I never really needed it).

It has other features (for example, it can warn you if any of the installed LetsEncrypt certificates failed to renew and expires in N days), but the main design principle is: simple things must be simple; more complex things may require additional CLI options.

Disclaimer: showcert is my hobby project, so I can be biased.

answered Feb 15 at 12:13 by yaroslaff

I came across this question and noticed I had answered something similar here: https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server/68277430#68277430

I also had the same challenge, and next to that I discovered that openssl doesn’t return the root CA. I have built an alternative specifically for this purpose which might be useful for other developers; see here: GitHub — Certificate ripper

crip print -u=https://gnupg.org
Certificates for url = https://gnupg.org

[
[
  Version: V3
  Subject: CN=gnupg.org
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  params: null
  modulus: 31584528901574007750301020287561448010695338445786656836820202222425310660293397103661612041262534815824710633384445406661552999674139683313292182907220124973641103147823211675629863952189464092250334775320079482164648964670152919444386631405421166704969790376810530092741753755204051610269112728244627288812180893123949732920362020211922819834221347165888182335229776214076417362141617456849548559339712503046241890787857054712025639768795686815610181667002438461217925898165006378013013126800098621764184263923324590864316888475244387674964001095520567493168508649309644487636171722874605322088933794460410194036701
  public exponent: 65537
  Validity: [From: Sat Mar 05 01:55:18 CET 2022,
               To: Fri Jun 03 02:55:17 CEST 2022]
  Issuer: CN=R3, O=Let's Encrypt, C=US
  SerialNumber: [    04b186e2 062aebcc b4c9ae1b 10c1777c c520]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 81 F5 04 81 F2 00 F0   00 76 00 DF A5 5E AB 68  .........v...^.h
0010: 82 4F 1F 6C AD EE B8 5F   4E 3E 5A EA CD A2 12 A4  .O.l..._N>Z.....
0020: 6A 5E 8E 3B 12 C0 20 44   5C 2A 73 00 00 01 7F 57  j^.;.. D\*s....W
0030: C9 D0 37 00 00 04 03 00   47 30 45 02 21 00 92 05  ..7.....G0E.!...
0040: 73 F3 19 12 C5 C3 0B 97   95 B3 C4 3B 65 46 C5 6C  s..........;eF.l
0050: 60 C4 61 52 77 0D 8C D7   CD 96 DE 82 87 B9 02 20  `.aRw..........
0060: 64 48 71 14 C4 11 95 3C   68 13 91 46 4F 72 77 01  dHq....<h..FOrw.
0070: FB 7F C8 8B 59 96 BD 2C   4B EA 51 61 8C 29 34 6A  ....Y..,K.Qa.)4j
0080: 00 76 00 29 79 BE F0 9E   39 39 21 F0 56 73 9F 63  .v.)y...99!.Vs.c
0090: A5 77 E5 BE 57 7D 9C 60   0A F8 F9 4D 5D 26 5C 25  .w..W..`...M]&\%
00A0: 5D C7 84 00 00 01 7F 57   C9 D0 27 00 00 04 03 00  ]......W..'.....
00B0: 47 30 45 02 21 00 BD 4F   C9 94 6A 0C 57 0F DF D8  G0E.!..O..j.W...
00C0: 10 8A 0C 09 35 31 30 AF   CE B6 8E B8 00 BC 4F 46  ....510.......OF
00D0: 56 91 C1 83 AF 20 02 20   3C 61 37 B3 09 AF EF 40  V.... . <a7....@
00E0: 22 F7 43 1F 46 07 EE AA   FC 3D A4 0E 3A 60 A5 E1  ".C.F....=..:`..
00F0: 95 E3 0B B3 30 0D 7E 78                            ....0..x


[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://r3.o.lencr.org
,
   accessMethod: caIssuers
   accessLocation: URIName: http://r3.i.lencr.org/
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 14 2E B3 17 B7 58 56 CB   AE 50 09 40 E6 1F AF 9D  .....XV..P.@....
0010: 8B 14 C2 C6                                        ....
]
]

[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1A 68 74 74 70 3A 2F   2F 63 70 73 2E 6C 65 74  ..http://cps.let
0010: 73 65 6E 63 72 79 70 74   2E 6F 72 67              sencrypt.org

]]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: gnupg.org
  DNSName: www.gnupg.org
]

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 02 99 E2 B9 65 0A 77 F2   E5 9A 73 CE 9C 55 AF 7F  ....e.w...s..U..
0010: 5B AE BE 65                                        [..e
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 31 75 50 29 45 66 2B FA   52 F4 85 C3 E7 62 5F 09  1uP)Ef+.R....b_.
0010: 8C A9 18 3C 8E 4F 5A 4A   B2 B8 65 05 E0 2D 62 51  ...<.OZJ..e..-bQ
0020: 15 91 A2 78 A3 2A B6 B8   1F FD C8 D7 75 D2 98 E1  ...x.*......u...
0030: 2E 87 43 24 0C 38 60 E8   73 76 6C E4 7F 6C 3A DF  ..C$.8`.svl..l:.
0040: 56 5D AB DB B8 7F F7 F3   6C 43 AA CA A3 97 BF 32  V]......lC.....2
0050: D1 8C 20 D1 85 EB 43 DA   82 A9 08 DA 6C 2C CB CC  .. ...C.....l,..
0060: 75 8C D6 E8 A1 EA DF 82   E9 0C 33 B7 C9 0E 59 14  u.........3...Y.
0070: 9F 6D 4E 7E 6F BF 6B A9   F6 4C 82 19 48 9A 6F 8B  .mN.o.k..L..H.o.
0080: BE E7 F7 80 6F F6 15 AD   56 11 1C F1 7E C1 F4 CF  ....o...V.......
0090: C4 B7 5F C7 9F C0 0E 5A   47 46 AB FE 39 F3 7C 37  .._....ZGF..9..7
00A0: 2D 90 DE B5 5F F9 DE 51   E4 29 6F CA 6E C6 7A 21  -..._..Q.)o.n.z!
00B0: 00 3F 66 D0 24 06 77 73   5C 47 AD 4F D9 87 C7 FF  .?f.$.ws\G.O....
00C0: 93 0C 1B 27 A8 6D 53 DF   AC EF A3 54 C7 84 46 8F  ...'.mS....T..F.
00D0: EF BD 80 71 FD A4 6F 6B   06 37 9C 0A 96 14 16 04  ...q..ok.7......
00E0: F2 66 B5 80 D0 53 2C 73   3B 36 EE DC DE 59 37 52  .f...S,s;6...Y7R
00F0: 37 DA E6 A9 BA 83 A3 1D   EF B7 DC 1E 00 91 15 B3  7...............

]

========== NEXT CERTIFICATE FOR https://gnupg.org ==========

[
[
  Version: V3
  Subject: CN=R3, O=Let's Encrypt, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  params: null
  modulus: 23607590023527405233483514815960094733025362836439268915823566209453533788829410729612693188664033965601284889382200672291623712219351579442466292134025779170871903029675641332227720513370499414392174777629378433333281492782006644003508406669842374574620445942041275265465205367002253387972103578862358103547035353751037986892891938939537013712276962031758303128178118156019997818459064793797705051611931042977322694991611263911077235433119719504206173897534215486225391156231168313218127765624386188467360149426877213161912342004781300247624712380387337803861727744706241919394251136381590874774264144198228326996757
  public exponent: 65537
  Validity: [From: Fri Sep 04 02:00:00 CEST 2020,
               To: Mon Sep 15 18:00:00 CEST 2025]
  Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  SerialNumber: [    912b084a cf0c18a7 53f6d62e 25a75f5a]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://x1.i.lencr.org/
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 79 B4 59 E6 7B B6 E5 E4   01 73 80 08 88 C8 1A 58  y.Y......s.....X
0010: F6 E9 9B 6E                                        ...n
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://x1.c.lencr.org/]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

[8]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 14 2E B3 17 B7 58 56 CB   AE 50 09 40 E6 1F AF 9D  .....XV..P.@....
0010: 8B 14 C2 C6                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 85 CA 4E 47 3E A3 F7 85   44 85 BC D5 67 78 B2 98  ..NG>...D...gx..
0010: 63 AD 75 4D 1E 96 3D 33   65 72 54 2D 81 A0 EA C3  c.uM..=3erT-....
0020: ED F8 20 BF 5F CC B7 70   00 B7 6E 3B F6 5E 94 DE  .. ._..p..n;.^..
0030: E4 20 9F A6 EF 8B B2 03   E7 A2 B5 16 3C 91 CE B4  . ..........<...
0040: ED 39 02 E7 7C 25 8A 47   E6 65 6E 3F 46 F4 D9 F0  .9...%.G.en?F...
0050: CE 94 2B EE 54 CE 12 BC   8C 27 4B B8 C1 98 2F A2  ..+.T....'K.../.
0060: AF CD 71 91 4A 08 B7 C8   B8 23 7B 04 2D 08 F9 08  ..q.J....#..-...
0070: 57 3E 83 D9 04 33 0A 47   21 78 09 82 27 C3 2A C8  W>...3.G!x..'.*.
0080: 9B B9 CE 5C F2 64 C8 C0   BE 79 C0 4F 8E 6D 44 0C  ...\.d...y.O.mD.
0090: 5E 92 BB 2E F7 8B 10 E1   E8 1D 44 29 DB 59 20 ED  ^.........D).Y .
00A0: 63 B9 21 F8 12 26 94 93   57 A0 1D 65 04 C1 0A 22  c.!..&..W..e..."
00B0: AE 10 0D 43 97 A1 18 1F   7E E0 E0 86 37 B5 5A B1  ...C........7.Z.
00C0: BD 30 BF 87 6E 2B 2A FF   21 4E 1B 05 C3 F5 18 97  .0..n+*.!N......
00D0: F0 5E AC C3 A5 B8 6A F0   2E BC 3B 33 B9 EE 4B DE  .^....j...;3..K.
00E0: CC FC E4 AF 84 0B 86 3F   C0 55 43 36 F6 68 E1 36  .......?.UC6.h.6
00F0: 17 6A 8E 99 D1 FF A5 40   A7 34 B7 C0 D0 63 39 35  .j.....@.4...c95
0100: 39 75 6E F2 BA 76 C8 93   02 E9 A9 4B 6C 17 CE 0C  9un..v.....Kl...
0110: 02 D9 BD 81 FB 9F B7 68   D4 06 65 B3 82 3D 77 53  .......h..e..=wS
0120: F8 8E 79 03 AD 0A 31 07   75 2A 43 D8 55 97 72 C4  ..y...1.u*C.U.r.
0130: 29 0E F7 C4 5D 4E C8 AE   46 84 30 D7 F2 85 5F 18  )...]N..F.0..._.
0140: A1 79 BB E7 5E 70 8B 07   E1 86 93 C3 B9 8F DC 61  .y..^p.........a
0150: 71 25 2A AF DF ED 25 50   52 68 8B 92 DC E5 D6 B5  q%*...%PRh......
0160: E3 DA 7D D0 87 6C 84 21   31 AE 82 F5 FB B9 AB C8  .....l.!1.......
0170: 89 17 3D E1 4C E5 38 0E   F6 BD 2B BD 96 81 14 EB  ..=.L.8...+.....
0180: D5 DB 3D 20 A7 7E 59 D3   E2 F8 58 F9 5B B8 48 CD  ..= ..Y...X.[.H.
0190: FE 5C 4F 16 29 FE 1E 55   23 AF C8 11 B0 8D EA 7C  .\O.)..U#.......
01A0: 93 90 17 2F FD AC A2 09   47 46 3F F0 E9 B0 B7 FF  .../....GF?.....
01B0: 28 4D 68 32 D6 67 5E 1E   69 A3 93 B8 F5 9D 8B 2F  (Mh2.g^.i....../
01C0: 0B D2 52 43 A6 6F 32 57   65 4D 32 81 DF 38 53 85  ..RC.o2WeM2..8S.
01D0: 5D 7E 5D 66 29 EA B8 DD   E4 95 B5 CD B5 56 12 42  ].]f)........V.B
01E0: CD C4 4E C6 25 38 44 50   6D EC CE 00 55 18 FE E9  ..N.%8DPm...U...
01F0: 49 64 D4 4E CA 97 9C B4   5B C0 73 A8 AB B8 47 C2  Id.N....[.s...G.

]

========== NEXT CERTIFICATE FOR https://gnupg.org ==========

[
[
  Version: V3
  Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 4096 bits
  params: null
  modulus: 709477870415445373015359016562426660610553770685944520893298396600226760899977879191004898543350831842119174188613678136510262472550532722234131754439181090009824131001234702144200501816519311599904090606194984753842587622398776018408050245574116028550608708896478977104703101364577377554823893350339376892984086676842821506637376561471221178677513035811884589888230947855482554780924844280661412982827405878164907670403886160896655313460186264922042760067692235383478494519985672059698752915965998412445946254227413232257276525240006651483130792248112417425846451951438781260632137645358927568158361961710185115502577127010922344394993078948994750404287047493247048147066090211292167313905862438457453781042040498702821432013765502024105065778257759178356925494156447570322373310256999609083201778278588599854706241788119448943034477370959349516873162063461521707809689839710972753590949570167489887658749686740890549110678989462474318310617765270337415238713770800711236563610171101328052424145478220993016515262478543813796899677215192789612682845145008993144513547444131126029557147570005369943143213525671105288817016183804256755470528641042403865830064493168693765438364296560479053823886598989258655438933191724193029337334607
  public exponent: 65537
  Validity: [From: Wed Jan 20 20:14:03 CET 2021,
               To: Mon Sep 30 20:14:03 CEST 2024]
  Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
  SerialNumber: [    40017721 37d4e942 b8ee76aa 3c640ab7]

Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://apps.identrust.com/roots/dstrootcax3.p7c
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C4 A7 B1 A4 7B 2C 71 FA   DB E1 4B 90 75 FF C4 15  .....,q...K.u...
0010: 60 85 89 10                                        `...
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 22 68 74 74 70 3A 2F   2F 63 70 73 2E 72 6F 6F  ."http://cps.roo
0010: 74 2D 78 31 2E 6C 65 74   73 65 6E 63 72 79 70 74  t-x1.letsencrypt
0020: 2E 6F 72 67                                        .org

]]  ]
]

[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 79 B4 59 E6 7B B6 E5 E4   01 73 80 08 88 C8 1A 58  y.Y......s.....X
0010: F6 E9 9B 6E                                        ...n
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 0A 73 00 6C 96 6E FF 0E   52 D0 AE DD 8C E7 5A 06  .s.l.n..R.....Z.
0010: AD 2F A8 E3 8F BF C9 0A   03 15 50 C2 E5 6C 42 BB  ./........P..lB.
0020: 6F 9B F4 B4 4F C2 44 88   08 75 CC EB 07 9B 14 62  o...O.D..u.....b
0030: 6E 78 DE EC 27 BA 39 5C   F5 A2 A1 6E 56 94 70 10  nx..'.9\...nV.p.
0040: 53 B1 BB E4 AF D0 A2 C3   2B 01 D4 96 F4 C5 20 35  S.......+..... 5
0050: 33 F9 D8 61 36 E0 71 8D   B4 B8 B5 AA 82 45 95 C0  3..a6.q......E..
0060: F2 A9 23 28 E7 D6 A1 CB   67 08 DA A0 43 2C AA 1B  ..#(....g...C,..
0070: 93 1F C9 DE F5 AB 69 5D   13 F5 5B 86 58 22 CA 4D  ......i]..[.X".M
0080: 55 E4 70 67 6D C2 57 C5   46 39 41 CF 8A 58 83 58  U.pgm.W.F9A..X.X
0090: 6D 99 FE 57 E8 36 0E F0   0E 23 AA FD 88 97 D0 E3  m..W.6...#......
00A0: 5C 0E 94 49 B5 B5 17 35   D2 2E BF 4E 85 EF 18 E0  \..I...5...N....
00B0: 85 92 EB 06 3B 6C 29 23   09 60 DC 45 02 4C 12 18  ....;l)#.`.E.L..
00C0: 3B E9 FB 0E DE DC 44 F8   58 98 AE EA BD 45 45 A1  ;.....D.X....EE.
00D0: 88 5D 66 CA FE 10 E9 6F   82 C8 11 42 0D FB E9 EC  .]f....o...B....
00E0: E3 86 00 DE 9D 10 E3 38   FA A4 7D B1 D8 E8 49 82  .......8......I.
00F0: 84 06 9B 2B E8 6B 4F 01   0C 38 77 2E F9 DD E7 39  ...+.kO..8w....9

]

========== NEXT CERTIFICATE FOR https://gnupg.org ==========

[
[
  Version: V3
  Subject: CN=DST Root CA X3, O=Digital Signature Trust Co.
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  params: null
  modulus: 28237887677026032203151777657129561581522073060401233851894187952595640780665579499663841407267510759260214748789212535957135845654219821366017427323985352100172211628961551647178765278465245040619994286316630852210928184346090961906367138096715766033171261107313432772299467819936678634109708967378829013418649505942485529500580167736159568208924601034682852941882633722952597854385181938557682865139545636282689862459897027632511916072421459210380987954549724536623494064393973052186448977570989493998685404014473715688796607543139914669307234440905936555495044671225489918726010863829142065064843131427399159251549
  public exponent: 65537
  Validity: [From: Sat Sep 30 23:12:19 CEST 2000,
               To: Thu Sep 30 16:01:15 CEST 2021]
  Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
  SerialNumber: [    44afb080 d6a327ba 89303986 2ef8406b]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[2]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C4 A7 B1 A4 7B 2C 71 FA   DB E1 4B 90 75 FF C4 15  .....,q...K.u...
0010: 60 85 89 10                                        `...
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: A3 1A 2C 9B 17 00 5C A9   1E EE 28 66 37 3A BF 83  ..,...\...(f7:..
0010: C7 3F 4B C3 09 A0 95 20   5D E3 D9 59 44 D2 3E 0D  .?K.... ]..YD.>.
0020: 3E BD 8A 4B A0 74 1F CE   10 82 9C 74 1A 1D 7E 98  >..K.t.....t....
0030: 1A DD CB 13 4B B3 20 44   E4 91 E9 CC FC 7D A5 DB  ....K. D........
0040: 6A E5 FE E6 FD E0 4E DD   B7 00 3A B5 70 49 AF F2  j.....N...:.pI..
0050: E5 EB 02 F1 D1 02 8B 19   CB 94 3A 5E 48 C4 18 1E  ..........:^H...
0060: 58 19 5F 1E 02 5A F0 0C   F1 B1 AD A9 DC 59 86 8B  X._..Z.......Y..
0070: 6E E9 91 F5 86 CA FA B9   66 33 AA 59 5B CE E2 A7  n.......f3.Y[...
0080: 16 73 47 CB 2B CC 99 B0   37 48 CF E3 56 4B F5 CF  .sG.+...7H..VK..
0090: 0F 0C 72 32 87 C6 F0 44   BB 53 72 6D 43 F5 26 48  ..r2...D.SrmC.&H
00A0: 9A 52 67 B7 58 AB FE 67   76 71 78 DB 0D A2 56 14  .Rg.X..gvqx...V.
00B0: 13 39 24 31 85 A2 A8 02   5A 30 47 E1 DD 50 07 BC  .9$1....Z0G..P..
00C0: 02 09 90 00 EB 64 63 60   9B 16 BC 88 C9 12 E6 D2  .....dc`........
00D0: 7D 91 8B F9 3D 32 8D 65   B4 E9 7C B1 57 76 EA C5  ....=2.e....Wv..
00E0: B6 28 39 BF 15 65 1C C8   F6 77 96 6A 0A 8D 77 0B  .(9..e...w.j..w.
00F0: D8 91 0B 04 8E 07 DB 29   B6 0A EE 9D 82 35 35 10  .......).....55.

]

answered Mar 31, 2022 at 7:11 by Hakan54
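The chain tree in the check_certificate_chain.py output earlier on the page and the remark above that openssl's output lacks the root CA are two sides of the same point: a server presents its leaf plus intermediates, normally omits the root, and the root is expected to come from the local CA store (the trust decision the top of this page describes). The following is an added Python example, not code from any answer here and not part of crip or check_certificate_chain.py. It orders a set of (subject, issuer, CA flag) triples leaf to root, refuses a non-CA certificate that appears as an issuer, and reports whether the chain ends at a self-signed root or stops at an issuer the trust store must supply. The sample triples are constructed from the crip output above; names are compared as plain strings only for illustration, since a real path builder compares the DER-encoded names together with the Authority and Subject Key Identifier extensions.

```python
# Added example: order a presented certificate chain leaf -> root from the
# subject/issuer names a tool such as crip or check_certificate_chain.py
# prints, and say whether the chain ends in a self-signed root or stops at an
# issuer that must be supplied by the local CA store.  Names are compared as
# plain strings here for illustration; a real path builder compares the
# DER-encoded names and the Authority/Subject Key Identifier extensions.

# Sample input, constructed from the crip output shown on this page
# (subject, issuer and BasicConstraints CA flag of each certificate).
LEAF = {"subject": "CN=gnupg.org",
        "issuer": "CN=R3, O=Let's Encrypt, C=US", "ca": False}
R3 = {"subject": "CN=R3, O=Let's Encrypt, C=US",
      "issuer": "CN=ISRG Root X1, O=Internet Security Research Group, C=US",
      "ca": True}
ISRG_X1 = {"subject": "CN=ISRG Root X1, O=Internet Security Research Group, C=US",
           "issuer": "CN=DST Root CA X3, O=Digital Signature Trust Co.",
           "ca": True}
DST_X3 = {"subject": "CN=DST Root CA X3, O=Digital Signature Trust Co.",
          "issuer": "CN=DST Root CA X3, O=Digital Signature Trust Co.",
          "ca": True}
# Deliberately out of order: a server may send the certificates in any order.
SAMPLE_CHAIN = [R3, DST_X3, LEAF, ISRG_X1]


def order_chain(certs):
    """Return the certificates ordered leaf -> root.

    Raises ValueError on duplicate subjects, on anything other than exactly
    one leaf, on a cycle, or when a certificate without CA:true appears as an
    issuer (a leaf can never sign another certificate).
    """
    by_subject = {}
    for c in certs:
        if c["subject"] in by_subject:
            raise ValueError("duplicate subject: %s" % c["subject"])
        by_subject[c["subject"]] = c
    # The leaf is the one certificate that issues no other certificate in the set.
    issued = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    leaves = [c for c in certs if c["subject"] not in issued]
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf, found %d" % len(leaves))
    chain = [leaves[0]]
    seen = {leaves[0]["subject"]}
    while True:
        cur = chain[-1]
        if cur["issuer"] == cur["subject"]:
            break                     # self-signed: a root was presented
        nxt = by_subject.get(cur["issuer"])
        if nxt is None:
            break                     # issuer not presented: trust store must hold it
        if nxt["subject"] in seen:
            raise ValueError("cycle in chain at %s" % nxt["subject"])
        if not nxt["ca"]:
            raise ValueError("%s is used as an issuer but is not a CA" % nxt["subject"])
        chain.append(nxt)
        seen.add(nxt["subject"])
    return chain


def render_tree(chain):
    """The ' [+]*', ' [+]**', ... layout used by check_certificate_chain.py above."""
    return "\n".join(" [+]%-8s%s" % ("*" * (i + 1), c["subject"])
                     for i, c in enumerate(chain))


def chain_report(certs):
    """Summarise the ordered chain: its depth, whether a root was included and,
    if not, which issuer the local CA store has to supply."""
    chain = order_chain(certs)
    last = chain[-1]
    root_included = last["issuer"] == last["subject"]
    return {
        "depth": len(chain),
        "root_included": root_included,
        "trust_anchor_needed": None if root_included else last["issuer"],
        "tree": render_tree(chain),
    }


if __name__ == "__main__":
    report = chain_report(SAMPLE_CHAIN)
    print(report["tree"])
    print("root included:", report["root_included"],
          "| trust anchor needed:", report["trust_anchor_needed"])
```

Run stand-alone it prints the four-level tree for the gnupg.org sample; feed it only the leaf and R3, as a server that omits the root would present them, and `trust_anchor_needed` names the ISRG Root X1 subject that must then be found in the local store.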

I’m using some weird script to do this:

date --date="$(curl --insecure -vvI https://v1.d13.ovh 2>&1 | grep "expire date" | awk '{print $4,$5,$6,$7,$8,$9}')" +%s

answered May 9, 2022 at 10:02 by Dmitriy
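Both the `ssl_expiry` shell function earlier on the page and the curl/date one-liner above reduce to the same task: pull a `notAfter` instant out of tool output and compare it with the clock. The following is an added Python example, not code from any answer, that parses the `notAfter=` line openssl prints and the `expire date:` line `curl -v` prints, computes the days remaining against a warning threshold, and, for a live lookup, does a verifying handshake with SNI through the standard-library `ssl` module. The `warn_days` threshold is an assumed value; the sample lines in the comments are copied from outputs shown on this page, and nothing touches the network unless `fetch_expiry` is called.

```python
# Added example: expiry check built around the same "notAfter" instant the
# openssl and curl one-liners on this page grep out.  Parsing and the day
# arithmetic work on text and need no network; fetch_expiry() is the live
# lookup and keeps certificate verification switched on.
import re
import socket
import ssl
import sys
import time
from calendar import timegm

# openssl x509 -enddate prints  "notAfter=Jun 12 16:54:00 2018 GMT"
# curl -v prints                "*  expire date: Aug  6 13:13:03 2022 GMT"
# (both sample lines are copied from outputs shown on this page).  Both use
# the asctime-style date that ssl.cert_time_to_seconds() understands.
_EXPIRY_RE = re.compile(
    r"(?:notAfter=|expire date:)\s*"
    r"([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4} GMT)"
)


def utc_epoch(year, month, day, hour=0, minute=0, second=0):
    """Unix time of a UTC calendar instant (convenience for scripts and checks)."""
    return timegm((year, month, day, hour, minute, second))


def parse_expiry_line(line):
    """Unix time of the expiry found in an openssl or curl output line.

    A line without a recognisable date raises ValueError, so a grep that
    matched nothing cannot quietly become 'expires at epoch 0'.
    """
    m = _EXPIRY_RE.search(line)
    if m is None:
        raise ValueError("no expiry date in line: %r" % line)
    return int(ssl.cert_time_to_seconds(m.group(1)))


def days_remaining(expiry, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (expiry - now) // 86400


def classify(expiry, now, warn_days=30):
    """'expired', 'expiring-soon' (fewer than warn_days left) or 'ok'.
    warn_days is an assumed threshold; pick what your renewal process needs."""
    left = days_remaining(expiry, now)
    if left < 0:
        return "expired"
    if left < warn_days:
        return "expiring-soon"
    return "ok"


def fetch_expiry(host, port=443, timeout=5.0):
    """Live lookup: TLS handshake with SNI against the platform trust store,
    returning notAfter as Unix time.

    Verification stays enabled (unlike 'curl --insecure'): an untrusted or
    mismatched certificate raises ssl.SSLCertVerificationError instead of
    yielding a date for a certificate that was never validated.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return int(ssl.cert_time_to_seconds(cert["notAfter"]))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s HOST [PORT]" % sys.argv[0])
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    expiry = fetch_expiry(target, port)
    now = int(time.time())
    print("%s:%d  %d days left (%s)" % (target, port,
                                       days_remaining(expiry, now),
                                       classify(expiry, now)))
```

Piping existing output through it works too: `parse_expiry_line` accepts the `notAfter=` line from `openssl x509 -noout -enddate` as well as the `expire date:` line from `curl -v`, including the double-space day padding openssl uses for single-digit days.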

$ gnutls-cli --print-cert serverfault.com < /dev/null | openssl x509  -inform pem -noout -text -dates
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:67:98:53:7f:1f:64:c2:2c:8f:57:d8:17:96:01:e8:6d:30
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: May  8 13:13:04 2022 GMT
            Not After : Aug  6 13:13:03 2022 GMT
        Subject: CN = *.stackexchange.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:46:73:ad:d6:1d:be:56:a0:aa:bf:1d:a6:e0:
                    62:ed:45:b4:d1:81:d2:aa:53:1d:de:db:48:6c:bc:
                    7b:37:53:3d:d2:9a:ae:50:a8:78:ae:c2:c1:c0:70:
                    c1:c7:de:55:91:6d:d0:22:07:71:73:61:d9:a7:9c:
                    f9:c6:6b:40:42:ce:b6:69:05:18:32:b1:34:61:40:
                    69:3b:88:5b:aa:33:da:8f:0f:ad:eb:c2:9f:02:92:
                    cf:76:2e:39:8f:b9:66:a6:12:9f:34:a4:e9:13:fc:
                    3f:e0:53:89:e1:43:32:24:62:54:af:6e:44:57:4b:
                    a5:6d:74:a5:ef:98:e0:42:66:13:f8:64:2b:2c:3c:
                    0c:54:d5:18:d8:51:60:73:db:59:9d:c5:05:b0:8f:
                    53:74:ec:55:e0:2f:21:0f:79:49:73:a0:d9:f0:ae:
                    d3:17:e2:3d:50:fb:cf:d9:81:5c:23:6a:fa:ae:8f:
                    92:f4:42:af:95:b3:28:80:d9:db:f5:68:16:f5:eb:
                    2d:84:91:2a:ad:d7:9d:c4:f6:91:83:08:8e:bc:cd:
                    27:8c:d5:2d:ea:71:34:2d:9e:d9:fd:59:46:33:f6:
                    b0:c4:e5:fa:a6:0b:09:6d:cb:7c:aa:de:01:b0:52:
                    3b:af:87:fa:b6:16:52:4a:45:54:1e:ce:4d:68:e4:
                    d0:89
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                8F:95:08:25:6C:87:32:5C:2C:BC:C7:2D:30:1E:69:F5:26:36:BF:D7
            X509v3 Authority Key Identifier: 
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access: 
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name: 
                DNS:*.askubuntu.com, DNS:*.blogoverflow.com, DNS:*.mathoverflow.net, DNS:*.meta.stackexchange.com, DNS:*.meta.stackoverflow.com, DNS:*.serverfault.com, DNS:*.sstatic.net, DNS:*.stackexchange.com, DNS:*.stackoverflow.com, DNS:*.stackoverflow.email, DNS:*.superuser.com, DNS:askubuntu.com, DNS:blogoverflow.com, DNS:mathoverflow.net, DNS:openid.stackauth.com, DNS:serverfault.com, DNS:sstatic.net, DNS:stackapps.com, DNS:stackauth.com, DNS:stackexchange.com, DNS:stackoverflow.blog, DNS:stackoverflow.com, DNS:stackoverflow.email, DNS:stacksnippets.net, DNS:superuser.com
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DF:A5:5E:AB:68:82:4F:1F:6C:AD:EE:B8:5F:4E:3E:5A:
                                EA:CD:A2:12:A4:6A:5E:8E:3B:12:C0:20:44:5C:2A:73
                    Timestamp : May  8 14:13:04.851 2022 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:39:CE:40:26:A2:CE:3E:80:70:EC:13:8E:
                                70:BF:21:33:1F:9A:17:67:6B:46:6B:DC:BC:55:57:E7:
                                4B:CC:5E:2C:02:20:2F:B5:07:A1:63:56:34:FB:FE:20:
                                AC:05:62:1B:1F:FA:FD:2F:EC:2C:E9:F6:96:87:A5:B7:
                                85:E4:FC:C2:0B:2D
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D:
                                11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47
                    Timestamp : May  8 14:13:04.897 2022 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:F8:AA:7D:72:B4:E2:FB:C1:E2:31:98:
                                83:33:AD:17:32:C8:CD:C7:E4:3B:2A:3D:61:73:AC:BC:
                                69:26:B4:7C:95:02:20:55:DA:0A:4C:27:E3:9B:39:96:
                                88:07:BF:7D:5A:B7:DC:83:E7:7D:14:AE:E8:76:28:48:
                                A7:D5:89:47:19:B4:47
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        a0:f9:b8:ff:b3:1e:c6:ba:e5:bd:ab:62:d5:b9:76:09:97:41:
        ef:69:b2:48:1a:87:f6:98:7b:03:0e:03:15:0d:50:15:9c:6c:
        0d:b8:4c:34:5d:fc:a6:98:b4:40:71:48:60:d1:67:21:af:e5:
        da:9c:e6:35:83:c4:53:4b:8b:1a:f1:ee:54:ef:85:48:f5:c3:
        a5:9d:9e:69:ec:45:40:23:3b:e2:d8:2c:0d:70:58:91:a7:82:
        5f:e7:5e:4b:6a:f6:ab:dc:ea:b1:12:9d:83:b2:95:79:99:ef:
        4e:f4:41:9f:8e:21:49:c3:61:e0:9d:f1:e9:6a:96:b2:33:7e:
        04:66:d2:29:fe:c1:a0:b8:3d:95:c2:68:28:f1:87:e3:99:cd:
        18:34:89:9e:9e:99:ca:03:69:1c:7e:4d:41:90:96:2c:3e:b2:
        36:d7:0c:48:b5:5f:c7:5b:93:d3:ff:35:a3:51:ff:10:af:ac:
        cf:7d:cd:6d:ab:5b:d6:8a:21:a5:bd:b0:24:9c:2f:bd:65:fd:
        05:d6:cf:6f:a1:67:77:06:a6:54:b6:9e:0c:5e:cc:2a:28:f8:
        af:f0:9e:02:f8:28:f6:74:47:3f:d2:db:6a:6c:23:cf:53:61:
        de:eb:91:8b:42:28:e4:d6:f3:75:56:d3:41:fd:68:ed:fd:a3:
        7f:14:7e:db
notBefore=May  8 13:13:04 2022 GMT
notAfter=Aug  6 13:13:03 2022 GMT

answered Jul 5, 2022 at 11:34 by fisprak
