Linux display SSL cert of website from command line

If you want to display details of an SSL certificate that is returned by a website from the Linux commandline, you can use this command.

1. Install required packages

In order to use the command below, the “openssl” package is required. You can install this package with this command:

sudo dnf install openssl

Or with yum:

sudo yum install openssl

2. Execute command-line command.

Execute the following statement in the Linux terminal.

echo | openssl s_client -showcerts -servername lanedirt.tech -connect lanedirt.etch:443 2>/dev/null | openssl x509 -inform pem -noout -text

Replace “lanedirt.tech” with the website you would like to see the SSL cert information for.

This command establishes a TLS connection to the target website on port 443 using OpenSSL’s s_client, specifically requesting the server’s SSL certificates. After fetching the certificates, the command then extracts the main certificate from the stream and uses openssl x509 to display its detailed information in a human-readable format. The 2>/dev/null part ensures that any error messages from the process are discarded and not shown in the output.

The command above returns output like this, which includes information about the certificate itself, common names, expiration dates etc.

[user@linux01 public_html]$ echo | openssl s_client -showcerts -servername lanedirt.tech -connect lanedirt.tech:443 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:3c:7d:89:aa:ca:3b:08:21:a7:40:56:a1:9c:f7:cb:2b:5e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Sep 15 21:10:38 2023 GMT
            Not After : Dec 14 21:10:37 2023 GMT
        Subject: CN = lanedirt.tech
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:64:59:ac:66:39:5f:73:81:2d:67:6b:c5:be:a3:
                    31:57:9e:76:f7:25:87:1e:72:8a:17:6f:f1:90:88:
                    6f:20:63:78:45:2c:99:81:da:9c:e3:1a:ca:1d:71:
                    5d:1b:20:f6:32:b2:d1:72:e7:73:ef:1d:18:85:c6:
                    9c:87:97:b3:06
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                E0:5E:AB:ED:41:AD:9B:E1:87:23:34:81:0E:1D:B5:70:F3:9F:F2:63
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name:
                DNS:lanedirt.tech, DNS:www.lanedirt.tech
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
                                16:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52
                    Timestamp : Sep 15 22:10:38.789 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:38:78:FB:74:F5:EA:21:46:D6:62:86:22:
                                52:35:04:72:31:D8:91:59:30:2C:9A:8B:18:10:CA:1D:
                                05:68:73:F8:02:20:35:75:08:D1:04:44:BC:EB:E3:3C:
                                89:42:73:A8:A4:35:E7:8D:97:98:F5:C5:E0:3F:34:89:
                                10:05:93:33:17:C8
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9:
                                03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E
                    Timestamp : Sep 15 22:10:38.804 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:BB:1D:D1:B2:A7:B7:BA:A5:31:C4:B7:
                                CB:6C:0B:8F:A1:90:BB:4E:CA:B2:E9:13:75:40:27:4D:
                                4B:14:B8:D3:F0:02:20:58:31:08:AA:9A:3C:3E:F7:F8:
                                11:04:6A:C3:CD:47:BC:3E:B7:35:0D:87:B6:D2:97:6D:
                                69:50:C4:94:F2:7B:03
    Signature Algorithm: sha256WithRSAEncryption
         82:0d:19:5b:38:90:ac:04:23:65:5a:53:38:87:f2:da:6d:95:
         77:43:ed:8e:8d:18:91:92:7c:55:5b:a9:db:9d:be:aa:ad:6b:
         6d:4f:d4:77:33:0e:aa:51:f4:e1:e2:77:9a:85:14:e6:6a:5e:
         27:ef:4a:34:c8:73:c8:7e:b4:93:23:32:f0:4e:8d:68:d1:f0:
         4e:f4:f5:39:5f:72:53:f9:17:0b:b8:c6:fe:56:3d:72:e0:88:
         66:65:47:35:f4:fe:2c:ff:dc:a0:3b:97:2c:01:30:1c:4a:1e:
         1f:6a:95:1b:c3:de:40:20:87:f6:25:c9:02:ba:50:0c:63:90:
         3f:86:5e:7b:e6:d6:53:bd:c4:1f:c9:db:26:e1:48:63:f8:f0:
         59:80:c7:5e:d7:de:a1:79:cf:6a:7a:29:ff:b2:ef:bd:b5:20:
         73:83:b1:c0:47:16:72:ac:19:d2:86:f5:36:ed:be:f2:8f:d5:
         d2:a2:a9:39:62:6b:01:ff:f7:67:d8:78:a3:17:fe:ff:00:b1:
         18:a5:b8:ee:78:b7:3a:fc:c5:f1:95:4b:49:07:dd:d1:ea:f4:
         64:e9:19:04:f2:f4:62:a0:17:0b:59:9e:bb:7a:27:df:ac:33:
         22:83:59:94:6a:34:fe:bb:0a:d2:72:ff:7f:e0:86:31:1f:42:
         e5:08:85:cb

By Leendert de Borst

Freelance software architect with 10+ years of experience. Expert in translating complex technical problems into creative & simple solutions.

Leave a comment

Your email address will not be published. Required fields are marked *