{"id":13581858,"url":"https://github.com/pete911/certinfo","last_synced_at":"2025-04-12T21:29:13.583Z","repository":{"id":38329407,"uuid":"269476961","full_name":"pete911/certinfo","owner":"pete911","description":"print x509 certificate info","archived":false,"fork":false,"pushed_at":"2025-04-01T16:18:16.000Z","size":972,"stargazers_count":229,"open_issues_count":0,"forks_count":14,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-04T01:09:09.539Z","etag":null,"topics":["go","golang","ssl-certificate","ssl-certificates","tls-certificate","tls-certificates","x509certificates"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pete911.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-06-04T22:19:36.000Z","updated_at":"2025-04-01T16:17:29.000Z","dependencies_parsed_at":"2023-02-18T08:01:08.811Z","dependency_job_id":"e3f9e383-0d38-4e47-b783-8a4a1df3c10f","html_url":"https://github.com/pete911/certinfo","commit_stats":null,"previous_names":[],"tags_count":32,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pete911%2Fcertinfo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pete911%2Fcertinfo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pete911%2Fcertinfo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pete911%2Fcertinfo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owne
rs/pete911","download_url":"https://codeload.github.com/pete911/certinfo/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248634217,"owners_count":21137004,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","golang","ssl-certificate","ssl-certificates","tls-certificate","tls-certificates","x509certificates"],"created_at":"2024-08-01T15:02:16.895Z","updated_at":"2025-04-12T21:29:13.562Z","avatar_url":"https://github.com/pete911.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# print x509 certificate info\n\n[![pipeline](https://github.com/pete911/certinfo/actions/workflows/pipeline.yml/badge.svg)](https://github.com/pete911/certinfo/actions/workflows/pipeline.yml)\n\nSimilar to `openssl x509 -in \u003cfile\u003e -text` command, but handles chains, multiple files and TCP addresses. TLS/SSL\nversion prints as well when using TCP address argument.\n\n## usage\n\n```shell script\ncertinfo [flags] [\u003cfile\u003e|\u003chost:port\u003e ...]\n```\n\n**file** argument can be:\n - **local file path** `certinfo \u003cfilename\u003e`\n - **TCP network address** `certinfo \u003chost:port\u003e` e.g. 
`certinfo google.com:443`\n - **stdin** `echo \"\u003ccert-content\u003e\" | certinfo`\n\n```\n+-------------------------------------------------------------------------------------------------------------------+\n| optional flags                                                                                                    |\n+---------------+---------------------------------------------------------------------------------------------------+\n| -chains       | whether to print verified chains as well                                                          |\n| -expiry       | print expiry of certificates                                                                      |\n| -extensions   | whether to print extensions                                                                       |\n| -insecure     | whether a client verifies the server's certificate chain and host name (only applicable for host) |\n| -issuer-like  | print certificates with subject field containing supplied string                                  |\n| -no-duplicate | do not print duplicate certificates                                                               |\n| -no-expired   | do not print expired certificates                                                                 |\n| -pem          | whether to print pem as well                                                                      |\n| -pem-only     | whether to print only pem (useful for downloading certs from host)                                |\n| -server-name  | verify the hostname on the returned certificates, useful for testing SNI                          |\n| -sort-expiry  | sort certificates by expiration date                                                              |\n| -subject-like | print certificates with issuer field containing supplied string                                   |\n| -version      | certinfo version                                                                                  
|\n| -help         | help                                                                                              |\n+---------------+---------------------------------------------------------------------------------------------------+\n```\n\nIf you need to run against multiple hosts, it is faster to execute the command with multiple arguments, e.g.\n`certinfo -insecure -expiry google.com:443 amazon.com:443 ...`, rather than executing the command multiple times. Arguments are\nprocessed concurrently, which is much faster.\n\nFlags can also be set as environment variables (`CERTINFO_\u003cFLAG\u003e=true`, e.g. `CERTINFO_INSECURE=true`) and can then be\noverridden with a flag.\n\n## download\n\n - [binary](https://github.com/pete911/certinfo/releases)\n\n## build/install\n\n### brew\n\n- add tap `brew tap pete911/tap`\n- install `brew install certinfo`\n\n### go\n\n[go](https://golang.org/dl/) has to be installed.\n - build `make build`\n - install `make install`\n\n## release\n\nReleases are published when a new tag is created, e.g.\n`git tag -m \"add super cool feature\" v1.0.0 \u0026\u0026 git push --follow-tags`\n\n## examples\n\n### remove expired and malformed certs\n\n- `--pem-only` flag returns only PEM blocks that can be parsed and are of type certificate\n- `--no-expired` flag removes expired certificates\n\n`certinfo --pem-only --no-expired \u003cchain-file\u003e.pem \u003e \u003cnew-chain-file\u003e.pem`\n\n### info/verbose\n\n`certinfo vault.com:443`\n```\n--- [vault.com:443 TLS 1.2] ---\nVersion: 3\nSerial Number: 16280914906313700456\nSignature Algorithm: SHA256-RSA\nType: end-entity\nIssuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\\, Inc.,L=Scottsdale,ST=Arizona,C=US\nValidity\n    Not Before: Mar 24 10:44:12 2022 UTC\n    Not After : Mar 19 13:04:10 2023 UTC\nSubject: CN=*.vault.com\nDNS Names: *.vault.com, vault.com\nIP Addresses:\nAuthority Key Id: 40c2bd278ecc348330a233d7fb6cb3f0b42c80ce\nSubject Key Id  : 
6b8c8d1da18cbb8cd64437ed0a9c8a0fef673821\nKey Usage: Digital Signature, Key Encipherment\nExt Key Usage: Server Auth, Client Auth\nCA: false\n\nVersion: 3\nSerial Number: 7\nSignature Algorithm: SHA256-RSA\nType: intermediate\nIssuer: CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\\, Inc.,L=Scottsdale,ST=Arizona,C=US\nValidity\n    Not Before: May  3 07:00:00 2011 UTC\n    Not After : May  3 07:00:00 2031 UTC\nSubject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\\, Inc.,L=Scottsdale,ST=Arizona,C=US\nDNS Names:\nIP Addresses:\nAuthority Key Id: 3a9a8507106728b6eff6bd05416e20c194da0fde\nSubject Key Id  : 40c2bd278ecc348330a233d7fb6cb3f0b42c80ce\nKey Usage: Cert Sign, CRL Sign\nExt Key Usage:\nCA: true\n\nVersion: 3\nSerial Number: 1828629\nSignature Algorithm: SHA256-RSA\nType: intermediate\nIssuer: OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\\, Inc.,C=US\nValidity\n    Not Before: Jan  1 07:00:00 2014 UTC\n    Not After : May 30 07:00:00 2031 UTC\nSubject: CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\\, Inc.,L=Scottsdale,ST=Arizona,C=US\nDNS Names:\nIP Addresses:\nAuthority Key Id: d2c4b0d291d44c1171b361cb3da1fedda86ad4e3\nSubject Key Id  : 3a9a8507106728b6eff6bd05416e20c194da0fde\nKey Usage: Cert Sign, CRL Sign\nExt Key Usage:\nCA: true\n\n--- 1 verified chains ---\n```\n\n### info/expiry\n\n`certinfo -expiry google.com:443`\n```\n--- [google.com:443 TLS 1.3] ---\nSubject: CN=*.google.com\nExpiry: 2 months 4 days 14 hours 41 minutes\n\nSubject: CN=GTS CA 1C3,O=Google Trust Services LLC,C=US\nExpiry: 4 years 6 months 19 days 5 hours 29 minutes\n\nSubject: CN=GTS Root R1,O=Google Trust Services LLC,C=US\nExpiry: 4 years 10 months 17 days 4 hours 29 minutes\n```\n\n### show certificate with specific subject\nThis example shows AWS RDS certificates for specific region (we can also see AWS started using 100 years expiration)\n- show only eu-west-2 certs `curl 
https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem | certinfo -issuer-like eu-west-2`\n- download only eu-west-2 certs `curl https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem | certinfo -issuer-like eu-west-2 -pem-only \u003e rds-eu-west-2.pem`\n\n### verify SNI certificates\nA specific host can be set with the `-server-name` flag. This is useful if we need to verify that a load balancer is correctly\nusing certificates for different hosts: `certinfo -server-name \u003chost\u003e \u003cload-balancer|proxy\u003e`, e.g.\n`certinfo -server-name tabletmag.com  cname.vercel-dns.com:443` (tabletmag certificate behind vercel).\n\n### local root certs\n\n- linux `ls -d /etc/ssl/certs/* | grep '.pem' | xargs certinfo -expiry`\n- mac `cat /etc/ssl/cert.pem | certinfo -expiry`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpete911%2Fcertinfo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpete911%2Fcertinfo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpete911%2Fcertinfo/lists"}