使用 CLI 工具显示远程 SSL 证书详细信息

使用 CLI 工具显示远程 SSL 证书详细信息

在 Chrome 中,单击绿色 HTTPS 锁定图标将打开一个包含证书详细信息的窗口:

在此处输入图片描述

当我使用 cURL 尝试相同操作时,我只得到了部分信息:

$ curl -vvI https://gnupg.org
* Rebuilt URL to: https://gnupg.org/
* Hostname was NOT found in DNS cache
*   Trying 217.69.76.60...
* Connected to gnupg.org (217.69.76.60) port 443 (#0)
* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: gnupg.org
* Server certificate: Gandi Standard SSL CA
* Server certificate: UTN-USERFirst-Hardware
> HEAD / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: gnupg.org
> Accept: */*

知道如何从命令行工具(cURL 或其他)获取完整的证书信息吗?

答案1

您应该能够使用 OpenSSL 来实现您的目的:

echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text

该命令连接到所需的网站,并将 PEM 格式的证书传送到另一个读取和解析详细信息的 openssl 命令。

(请注意,“冗余”-servername参数对于发出openssl支持 SNI 的请求是必需的。)

答案2

基本证书信息

这是我的日常脚本:

curl --insecure -vvI https://www.example.com 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

输出:

* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Los Angeles; O=Verizon Digital Media Services, Inc.; CN=www.example.org
*  start date: Dec 10 00:00:00 2021 GMT
*  expire date: Dec  9 23:59:59 2022 GMT
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5588e1f5ae30)
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* Connection #0 to host www.example.com left intact

完整证书信息

openssl s_client -connect www.example.com:443 </dev/null 2>/dev/null | openssl x509 -inform pem -text

答案3

nmap -p 443 --script ssl-cert gnupg.org

指定-p 443仅扫描端口 443。如果省略,则将扫描所有端口,并显示找到的任何 SSL 服务的证书详细信息--script ssl-certNmap 脚本引擎仅运行ssl-cert脚本。从文档中可以看出,此脚本“检索服务器的 SSL 证书。打印的有关证书的信息量取决于详细程度。”

示例输出:

Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-01 13:35 PDT
Nmap scan report for gnupg.org (217.69.76.60)
Host is up (0.16s latency).
Other addresses for gnupg.org (not scanned): (null)
rDNS record for 217.69.76.60: www.gnupg.org
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=gnupg.org
| Subject Alternative Name: DNS:gnupg.org, DNS:www.gnupg.org
| Issuer: commonName=Gandi Standard SSL CA 2/organizationName=Gandi/stateOrProvinceName=Paris/countryName=FR
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2015-12-21T00:00:00
| Not valid after:  2018-03-19T23:59:59
| MD5:   c3a7 e0ed 388f 87cb ec7f fd3e 71f2 1c3e
|_SHA-1: 5196 ecf5 7aed 139f a511 735b bfb5 7534 df63 41ba

Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds

答案4

为了完整性:如果您已经在系统上安装了Java 7 或更高版本

 keytool -printcert -sslserver $host[:$port]

显示(如服务所示)几乎所有细节都以一种相当丑陋的格式呈现。

不管你应该您的系统上是否安装了 Java 我不回答。

相关内容