FreeKB - View SSL certificate using CURL on Linux


When a server is configured to use SSL/TLS so that packets exchanged between the client and server are encrypted, the client will need to obtain the certificate from the server. For example, a client connecting to an HTTPS web server obtains the certificate from that web server.

 

The CURL command can be used to identify the certificate that the server presents to the client.

curl --verbose https://www.example.com

 

If a certificate is being presented, basic information about the certificate should be displayed.

* Server certificate:
*        subject:     CN=example.com,OU=foo,O=bar
*        start date:  Jan 01 2019
*        expire date: Jan 01 2021
*        common name: example.com
*        issuer:      CN=VeriSign Certification Authority

 


NSS error -12286

If you get NSS error -12286 when attempting to connect to a site, try updating curl and nss.

yum update curl
yum update nss

 


Target URL

You only need to use the hostname of the web server, such as www.example.com or www.google.com or www.freekb.net. In other words, there is no need to include a subdirectory, such as www.example.com/foo/bar, since the certificate is presented for the host www.example.com, not for a path on it.

curl --verbose https://www.example.com

 


grep the output

With --verbose, curl writes the certificate details to stderr, not stdout, so you'll need to use 2>&1 if you want to pipe the output to grep.

curl --verbose https://www.example.com 2>&1 | grep expire

*        expire date: Jan 01 2021

 


define timeout to prevent hangs

Network or server issues can sometimes cause cURL to hang. To prevent cURL from hanging for too long, you can use the -m or --max-time option followed by the number of seconds that cURL should wait before closing the connection to the remote server. In this example, cURL will time out after 10 seconds.

curl --max-time 10 https://www.example.com
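
Building on the grep and timeout sections above, this added example (not part of the original page) turns the expire date line into a days-remaining number that a monitoring script can alert on. The function names and the sample output are constructed for illustration; the date is assumed to be in curl's "Mon DD HH:MM:SS YYYY GMT" form, and the shorter "Mon DD YYYY" form shown on this page parses as well.

```shell
#!/bin/sh
# Constructed sample of `curl --verbose` output (not captured from a real server).
sample_output() {
cat <<'EOF'
* Connected to www.example.com (192.0.2.10) port 443
* Server certificate:
*  subject: CN=example.com,OU=foo,O=bar
*  start date: Jan  1 00:00:00 2019 GMT
*  expire date: Jan  1 00:00:00 2021 GMT
*  issuer: CN=VeriSign Certification Authority
< HTTP/1.1 200 OK
EOF
}

# cert_field NAME: print the value of the first "* NAME: value" line on stdin.
cert_field() {
  sed -n "s/^\*[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# cert_days_left NOW_EPOCH: whole days from NOW_EPOCH (UTC seconds) until the
# expire date read from stdin; negative once expired, exit 1 if no date parsed.
cert_days_left() {
  cert_field "expire date" | awk -v now="$1" '
    # Days since 1970-01-01 for a Gregorian calendar date.
    function days(y, m, d,    n) {
      if (m <= 2) { y--; m += 12 }
      n = 365*y + int(y/4) - int(y/100) + int(y/400) - 719469
      return n + int((153*(m-3) + 2)/5) + d
    }
    {
      i = index("JanFebMarAprMayJunJulAugSepOctNovDec", $1)
      for (f = 3; f <= NF; f++) if ($f ~ /^[0-9][0-9][0-9][0-9]$/) year = $f
      if (length($1) == 3 && i % 3 == 1 && year != "") {
        print days(year, (i + 2) / 3, $2) - int(now / 86400)
        ok = 1
      }
    }
    END { exit !ok }'
}

# Offline demo: days left on 2020-12-01 00:00:00 UTC (epoch 1606780800).
sample_output | cert_days_left 1606780800

# Against a live server (hostname is the placeholder used on this page):
#   curl --verbose --max-time 10 https://www.example.com 2>&1 >/dev/null |
#     cert_days_left "$(date +%s)"
```

The time of day is ignored, so the result is accurate to the day. The non-zero exit status when no expire date is found lets a cron job tell "no certificate seen" apart from "certificate expired".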

 


--insecure (certificate authority not recognized)

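If the -k or --insecure option is not used, cURL verifies the server certificate and will only get certificates that have been issued by a trusted certificate authority (CA). If you want to get the certificate whether or not it was issued by a trusted certificate authority, use the -k or --insecure option. This option turns off certificate verification for the connection, so use it to inspect the certificate, not to transfer data.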

curl --verbose --insecure https://www.example.com

 


Certificate chain

Let's say there is a certificate chain, like this. cURL will only get the server certificate. If you need to determine each certificate used in the certificate chain, you are much better off using OpenSSL.

  - example.com (root certificate)
  -- example.com (intermediate certificate)
  --- *.example.com (server certificate)


  


