在 Chrome 中,单击绿色 HTTPS 锁定图标将打开一个包含证书详细信息的窗口:
当我使用 cURL 尝试相同操作时,我只得到了部分信息:
$ curl -vvI https://gnupg.org
* Rebuilt URL to: https://gnupg.org/
* Hostname was NOT found in DNS cache
* Trying 217.69.76.60...
* Connected to gnupg.org (217.69.76.60) port 443 (#0)
* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: gnupg.org
* Server certificate: Gandi Standard SSL CA
* Server certificate: UTN-USERFirst-Hardware
> HEAD / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: gnupg.org
> Accept: */*
知道如何从命令行工具(cURL 或其他)获取完整的证书信息吗?
答案1
您应该能够使用 OpenSSL 来实现您的目的:
echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text
该命令连接到所需的网站,并将 PEM 格式的证书传送到另一个读取和解析详细信息的 openssl 命令。
(请注意,“冗余”-servername
参数对于发出openssl
支持 SNI 的请求是必需的。)
答案2
基本证书信息
这是我的日常脚本:
curl --insecure -vvI https://www.example.com 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
输出:
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=Los Angeles; O=Verizon Digital Media Services, Inc.; CN=www.example.org
* start date: Dec 10 00:00:00 2021 GMT
* expire date: Dec 9 23:59:59 2022 GMT
* issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5588e1f5ae30)
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* Connection #0 to host www.example.com left intact
完整证书信息
openssl s_client -connect www.example.com:443 </dev/null 2>/dev/null | openssl x509 -inform pem -text
答案3
nmap -p 443 --script ssl-cert gnupg.org
指定-p 443
仅扫描端口 443。如果省略,则将扫描所有端口,并显示找到的任何 SSL 服务的证书详细信息--script ssl-cert
。Nmap 脚本引擎仅运行ssl-cert
脚本。从文档中可以看出,此脚本“检索服务器的 SSL 证书。打印的有关证书的信息量取决于详细程度。”
示例输出:
Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-01 13:35 PDT
Nmap scan report for gnupg.org (217.69.76.60)
Host is up (0.16s latency).
Other addresses for gnupg.org (not scanned): (null)
rDNS record for 217.69.76.60: www.gnupg.org
PORT STATE SERVICE
443/tcp open https
| ssl-cert: Subject: commonName=gnupg.org
| Subject Alternative Name: DNS:gnupg.org, DNS:www.gnupg.org
| Issuer: commonName=Gandi Standard SSL CA 2/organizationName=Gandi/stateOrProvinceName=Paris/countryName=FR
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2015-12-21T00:00:00
| Not valid after: 2018-03-19T23:59:59
| MD5: c3a7 e0ed 388f 87cb ec7f fd3e 71f2 1c3e
|_SHA-1: 5196 ecf5 7aed 139f a511 735b bfb5 7534 df63 41ba
Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds
答案4
为了完整性:如果您已经在系统上安装了Java 7 或更高版本
keytool -printcert -sslserver $host[:$port]
显示链(如服务所示)几乎所有细节都以一种相当丑陋的格式呈现。
不管你应该您的系统上是否安装了 Java 我不回答。