Curl - View SSL certificate using CURL on Linux


When a server is configured to use SSL/TLS so that packets exchanged between the client and server are encrypted, the client will need to obtain the certificate from the server. For example, the following diagram illustrates how a client would obtain the certificate from an HTTPS web server.

 

The CURL command can be used to identify the certificate that the server presents to the client.

curl --verbose https://www.example.com

 

If a certificate is being presented, basic information about the certificate should be displayed.

* Server certificate:
*        subject:     CN=example.com,OU=foo,O=bar
*        start date:  Jan 01 2019
*        expire date: Jan 01 2021
*        common name: example.com
*        issuer:      CN=VeriSign Certification Authority

 


NSS error -12286

If you get NSS error -12286 when attempting to connect to a site, try updating curl and nss.

yum update curl
yum update nss

 


Target URL

You only need to use the hostname of the web server, such as www.example.com or www.google.com or www.freekb.net. In other words, there is no need to use a sub directory, such as www.example.com/foo/bar, since the certificate would be provided by just www.example.com.

curl --verbose https://www.example.com

 


grep the output

Curl writes its verbose output to stderr, not stdout, so you'll need to use 2>&1 if you want to pipe the output to grep.

curl --verbose https://www.example.com 2>&1 | grep expire

*        expire date: Jan 01 2021
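
As an added example (not part of the original article), the shell functions below read the verbose output and take fields from the "Server certificate:" block only, since a plain grep for expire also matches an HTTP/2 "expires:" response header. The function names and the sample output are constructed for illustration; the date parser assumes the month, day and a four-digit year appear as in the output above.

```shell
#!/bin/sh
# cert_field FIELD: read `curl --verbose ... 2>&1` output on stdin and print
# FIELD from the "Server certificate:" block only. Returns 1 if it is absent.
cert_field() {
    awk -v want="$1" '
        /^\* *Server certificate:/ { in_cert = 1; next }
        in_cert && !/^\*[ \t]+[a-zA-Z ]+:/ { in_cert = 0 }  # block has ended
        in_cert {
            line = $0; sub(/^\*[ \t]+/, "", line)
            key = line; sub(/:.*/, "", key)
            val = line; sub(/^[^:]*:[ \t]*/, "", val)
            if (key == want) { print val; found = 1; exit }
        }
        END { exit(found ? 0 : 1) }'
}

# cert_days_left [NOW_EPOCH]: whole days until "expire date" (negative means
# expired). Pure awk arithmetic, so it does not depend on GNU `date -d`.
cert_days_left() {
    expire=$(cert_field "expire date") || return 1
    printf '%s\n' "$expire" | awk -v now="${1:-$(date +%s)}" '{
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        d = $2 + 0
        for (i = 3; i <= NF; i++) if ($i ~ /^[0-9][0-9][0-9][0-9]$/) y = $i + 0
        if (m < 1 || !y) exit 1               # unrecognised date format
        if (m <= 2) y--                       # count the year from March
        mp = (m > 2) ? m - 3 : m + 9
        doy = int((153 * mp + 2) / 5) + d - 1
        yoe = y % 400
        days = int(y / 400) * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        print days - 719468 - int(now / 86400)
    }'
}

# Constructed sample in the output format shown above, plus an HTTP/2 header.
sample_output() {
    cat <<'EOF'
* Server certificate:
*        subject:     CN=example.com,OU=foo,O=bar
*        start date:  Jan 01 2019
*        expire date: Jan 01 2021
*        common name: example.com
*        issuer:      CN=VeriSign Certification Authority
< HTTP/2 200
< expires: Thu, 01 Jan 2026 00:00:00 GMT
EOF
}

sample_output | cert_days_left 1606780800   # NOW = 2020-12-01 00:00:00 UTC
```

Against a live server the same functions take the pipe directly, for example curl --verbose https://www.example.com 2>&1 | cert_days_left.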

 


define timeout to prevent hangs

Issues can sometimes cause cURL to hang. To prevent cURL from hanging for too long, you can use the -m or --max-time option followed by the number of seconds that cURL should wait before closing the connection to the remote server. In this example, cURL will time out after 10 seconds.

curl --max-time 10 https://www.example.com

 


--insecure (certificate authority not recognized)

If the -k or --insecure option is not used, cURL verifies the server certificate and will only get certificates that have been issued by a trusted certificate authority (CA). If you want to get certificates from both trusted and untrusted certificate authorities, use the -k or --insecure option, which makes cURL skip certificate verification.

curl --verbose --insecure https://www.example.com

 


Certificate chain

Let's say there is a certificate chain, like this. The verbose output of cURL will only show the server certificate. If you need to determine each certificate used in the certificate chain, you are much better off using OpenSSL.

- example.com (root certificate)
-- example.com (intermediate certificate)
--- *.example.com (server certificate)


  



