{"id":21464243,"url":"https://github.com/shuque/tlscertcheck","last_synced_at":"2025-07-04T00:05:16.438Z","repository":{"id":143298489,"uuid":"168466447","full_name":"shuque/tlscertcheck","owner":"shuque","description":"TLS certificate checking tool","archived":false,"fork":false,"pushed_at":"2020-08-02T14:55:08.000Z","size":45,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-07-04T00:03:37.869Z","etag":null,"topics":["certificate","checking","tls","x509"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shuque.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-01-31T05:08:10.000Z","updated_at":"2023-10-16T17:42:08.000Z","dependencies_parsed_at":"2023-05-11T22:30:20.357Z","dependency_job_id":null,"html_url":"https://github.com/shuque/tlscertcheck","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/shuque/tlscertcheck","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuque%2Ftlscertcheck","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuque%2Ftlscertcheck/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuque%2Ftlscertcheck/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuque%2Ftlscertcheck/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/shuque","download_u
rl":"https://codeload.github.com/shuque/tlscertcheck/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuque%2Ftlscertcheck/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263421884,"owners_count":23464046,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate","checking","tls","x509"],"created_at":"2024-11-23T07:30:29.762Z","updated_at":"2025-07-04T00:05:16.306Z","avatar_url":"https://github.com/shuque.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# tlscertcheck\nTLS certificate checking tool\n\nCheck the TLS certificates on a given set of HTTPS server IP addresses\nand print out identifying information about the certificates. Optionally,\nmatch those certificates against a specified certificate identifier. 
The\noriginal purpose of this program was to provide a way to quickly inspect\nthe certificates of a pool of servers to see if they all had the expected\nconfiguration.\n\n\n### Pre-requisites:\n\n* Python 3\n* OpenSSL\n* M2Crypto module (Python interface to OpenSSL)\n  (I recommend version 0.29 or later that includes the set1_host()\n  function that correctly does certificate name checking.)\n\n\n### Usage and options:\n\n```\n$ tlscertcheck.py --help\nUsage: tlscertcheck.py [Options] \u003chost1\u003e \u003chost2\u003e ...\n\n    Options:\n    --help            Print this help message\n    --verbose         Verbose mode; print details of certificate\n    --printchain      Print full certificate chain if verbose is specified\n    --silent          No output, just set response code\n    --port=N          Use specified port (default: 443)\n    --ipversion=N     Use only specified IP version for resolving hosts (4 or 6)\n    --sni=\u003cname\u003e      For IP address arguments, set SNI extension to given name\n    --match=\u003cid\u003e      Check that certficates match given id\n    --usefp           Use SHA1 fingerprint of DER-encoded cert as id\n    --timeout=N       Timeout per connection in seconds (default: 10.0)\n    --infile=\u003cfile\u003e   Read server addresses from given file\n    --cacert=\u003cfile\u003e   Use given file for trusted root CAs (PEM format)\n    --noverify        Don't perform certificate verification\n    --onlyerror       Only print errors for each server\n    --summary         Print summary at the end\n    --m2warn          Print warning if missing M2Crypto library features\n```\n\nThe host1, host2 etc arguments can either be IP addresses or hostnames.\nThe main output format is the following, one line per server IP address:\n\n```\n\u003ccertid\u003e \u003cipaddr\u003e \u003chostname\u003e\n```\n\nThe \"certid\" is a combination of the serial number and issuer hash,\nwhich should uniquely identify a certificate. 
This should provide an\neasy way to inspect whether all of the servers have the same certificate.\nThe \"--usefp\" option can be specified to alternatively use the SHA1\nfingerprint of the DER-encoding of the full certificate as the certid.\n\nFor an IP address argument, the \"hostname\" is the name returned by reverse\nDNS lookup (PTR record) of the IP address. For a hostname argument, the\nprogram resolves all IPv4 or IPv6 addresses of the hostname and checks each\none.\n\nThe \"--match\" option can be used to specify a certid that all the\nserver certificates are compared to. An error message is printed for\neach server that does not match, and if any fail to match, the program's\nexit code is set to 1 (zero otherwise).\n\nThe \"--infile\" option can be used to specify a file containing the list\nof IP addresses (one per line) instead of specifying them on the command\nline.\n\nThe \"--verbose\" option will print more verbose info about each certificate,\nsuch as: serial number, issuer, subject, SAN dNSNames, inception and\nexpiration times.\n\nThe \"--printchain\" option (when specified with --verbose) will also print\nthe details of the full certificate chain.\n\nThe \"--cacert\" option can be used to specify a file containing root\ncertification authorities to trust (as a sequence of PEM format CA\ncertificates). The default cacert file is hardcoded into the program\n(typically where it is found on many Linux distributions). 
Note that\nthis program does not do certificate name checking, since it is designed\nto connect to servers by IP address.\n\nThe \"--noverify\" option can be used to turn off certificate verification.\n\n\n### Example runs\n\n\n```\n$ tlscertcheck.py --summary 10.61.133.16 10.61.132.182 10.61.133.196\n2e02c81977ca118098382df7e2ec96b:4bcd7fc5        10.61.133.16 host1.example.com\n2e02c81977ca118098382df7e2ec96b:4bcd7fc5        10.61.132.182 host2.example.com\n2e02c81977ca118098382df7e2ec96b:4bcd7fc5        10.61.133.196 host3.example.com\n\n## SUMMARY:\n## Number of servers: 3 (ok 3, error 0)\n## Number of distinct certs seen: 1\n## [3] 2e02c81977ca118098382df7e2ec96b:4bcd7fc5 10.61.133.16 10.61.132.182 10.61.133.196\n\n$ echo $?\n0\n```\n\n```\n$ tlscertcheck.py --verbose --printchain 1.1.1.1\n1cce318de9f567fab2b24901fada71d:35be5bbd        1.1.1.1 one.one.one.one\n## Host one.one.one.one address 1.1.1.1\n## TLS: TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305-256\n## ----------- Certificate at Depth=0:\n## Serial    : 1cce318de9f567fab2b24901fada71d\n## Issuer    : C=US, O=DigiCert Inc, CN=DigiCert ECC Secure Server CA\n## Subject   : C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=cloudflare-dns.com\n## SAN: DNS:cloudflare-dns.com\n## SAN: DNS:*.cloudflare-dns.com\n## SAN: DNS:one.one.one.one\n## SAN: IP Address:1.1.1.1\n## SAN: IP Address:1.0.0.1\n## SAN: IP Address:162.159.132.53\n## SAN: IP Address:2606:4700:4700:0:0:0:0:1111\n## SAN: IP Address:2606:4700:4700:0:0:0:0:1001\n## SAN: IP Address:2606:4700:4700:0:0:0:0:64\n## SAN: IP Address:2606:4700:4700:0:0:0:0:6400\n## SAN: IP Address:162.159.36.1\n## SAN: IP Address:162.159.46.1\n## Inception : 2019-01-28 00:00:00+00:00 UTC\n## Expiration: 2021-02-01 12:00:00+00:00 UTC\n## AKI: keyid:A3:9D:E6:1F:F9:DA:39:4F:C0:6E:E8:91:CB:95:A5:DA:31:E2:0A:9F\n## SKI: 70:95:DC:5C:A3:8E:66:07:DB:CB:81:10:C6:AB:E7:C3:A8:45:7F:A0\n## keyUsage: Digital Signature\n## extendedKeyUsage: TLS Web Server Authentication, TLS Web 
Client Authentication\n## crlDistributionPoints: \u003cpresent\u003e\n## Policy: 2.16.840.1.114412.1.1\n## Policy: CPS: https://www.digicert.com/CPS\n## Policy: 2.23.140.1.2.2\n## AuthorityInfoAccess: OCSP - URI:http://ocsp.digicert.com\n## AuthorityInfoAccess: CA Issuers - URI:http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt\n## basicConstraints: CA:FALSE\n## ct_precert_scts: \u003cpresent\u003e\n## ----------- Certificate at Depth=1:\n## Serial    : acb28ba465ee53908767470f3cdc612\n## Issuer    : C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA\n## Subject   : C=US, O=DigiCert Inc, CN=DigiCert ECC Secure Server CA\n## Inception : 2013-03-08 12:00:00+00:00 UTC\n## Expiration: 2023-03-08 12:00:00+00:00 UTC\n## basicConstraints: CA:TRUE, pathlen:0\n## keyUsage: Digital Signature, Certificate Sign, CRL Sign\n## AuthorityInfoAccess: OCSP - URI:http://ocsp.digicert.com\n## crlDistributionPoints: \u003cpresent\u003e\n## Policy: X509v3 Any Policy\n## Policy: CPS: https://www.digicert.com/CPS\n## SKI: A3:9D:E6:1F:F9:DA:39:4F:C0:6E:E8:91:CB:95:A5:DA:31:E2:0A:9F\n## AKI: keyid:03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55\n```\n\n```\n$ tlscertcheck.py --verbose www.ietf.org\ne8e7fa116fb7d651:f131ccf4       2606:4700:10::6814:55 www.ietf.org\n## Host www.ietf.org address 2606:4700:10::6814:55\n## TLS: TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305-256\n## Serial    : e8e7fa116fb7d651\n## Issuer    : C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2\n## Subject   : OU=Domain Control Validated, CN=*.ietf.org\n## SAN: DNS:*.ietf.org\n## SAN: DNS:ietf.org\n## Inception : 2018-06-12 15:44:12+00:00 UTC\n## Expiration: 2019-08-11 23:12:50+00:00 UTC\n## basicConstraints: CA:FALSE\n## extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication\n## keyUsage: Digital Signature, Key Encipherment\n## crlDistributionPoints: 
\u003cpresent\u003e\n## Policy: 2.16.840.1.114414.1.7.23.1\n## Policy: CPS: http://certificates.starfieldtech.com/repository/\n## Policy: 2.23.140.1.2.1\n## AuthorityInfoAcces: OCSP - URI:http://ocsp.starfieldtech.com/\n## AuthorityInfoAcces: CA Issuers - URI:http://certificates.starfieldtech.com/repository/sfig2.crt\n## authorityInfoAccess: OCSP - URI:http://ocsp.starfieldtech.com/\nCA Issuers - URI:http://certificates.starfieldtech.com/repository/sfig2.crt\n## AKI: keyid:25:45:81:68:50:26:38:3D:3B:2D:2C:BE:CD:6A:D9:B6:3D:B3:66:63\n## SKI: 06:FE:0B:AB:D8:E6:74:6E:FC:C4:73:02:85:F7:A9:48:7E:D1:34:4F\n## ct_precert_scts: \u003cpresent\u003e\n\ne8e7fa116fb7d651:f131ccf4       2606:4700:10::6814:155 www.ietf.org\n## Host www.ietf.org address 2606:4700:10::6814:155\n## TLS: TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305-256\n## Serial    : e8e7fa116fb7d651\n## Issuer    : C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2\n## Subject   : OU=Domain Control Validated, CN=*.ietf.org\n## SAN: DNS:*.ietf.org\n## SAN: DNS:ietf.org\n## Inception : 2018-06-12 15:44:12+00:00 UTC\n## Expiration: 2019-08-11 23:12:50+00:00 UTC\n## basicConstraints: CA:FALSE\n## extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication\n## keyUsage: Digital Signature, Key Encipherment\n## crlDistributionPoints: \u003cpresent\u003e\n## Policy: 2.16.840.1.114414.1.7.23.1\n## Policy: CPS: http://certificates.starfieldtech.com/repository/\n## Policy: 2.23.140.1.2.1\n## AuthorityInfoAcces: OCSP - URI:http://ocsp.starfieldtech.com/\n## AuthorityInfoAcces: CA Issuers - URI:http://certificates.starfieldtech.com/repository/sfig2.crt\n## authorityInfoAccess: OCSP - URI:http://ocsp.starfieldtech.com/\nCA Issuers - URI:http://certificates.starfieldtech.com/repository/sfig2.crt\n## AKI: keyid:25:45:81:68:50:26:38:3D:3B:2D:2C:BE:CD:6A:D9:B6:3D:B3:66:63\n## SKI: 
06:FE:0B:AB:D8:E6:74:6E:FC:C4:73:02:85:F7:A9:48:7E:D1:34:4F\n## ct_precert_scts: \u003cpresent\u003e\n\ne8e7fa116fb7d651:f131ccf4       104.20.0.85 www.ietf.org\n## Host www.ietf.org address 104.20.0.85\n## TLS: TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305-256\n## Serial    : e8e7fa116fb7d651\n## Issuer    : C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2\n## Subject   : OU=Domain Control Validated, CN=*.ietf.org\n## SAN: DNS:*.ietf.org\n## SAN: DNS:ietf.org\n## Inception : 2018-06-12 15:44:12+00:00 UTC\n## Expiration: 2019-08-11 23:12:50+00:00 UTC\n## basicConstraints: CA:FALSE\n## extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication\n## keyUsage: Digital Signature, Key Encipherment\n## crlDistributionPoints: \u003cpresent\u003e\n## Policy: 2.16.840.1.114414.1.7.23.1\n## Policy: CPS: http://certificates.starfieldtech.com/repository/\n## Policy: 2.23.140.1.2.1\n## AuthorityInfoAcces: OCSP - URI:http://ocsp.starfieldtech.com/\n## AuthorityInfoAcces: CA Issuers - URI:http://certificates.starfieldtech.com/repository/sfig2.crt\n## authorityInfoAccess: OCSP - URI:http://ocsp.starfieldtech.com/\nCA Issuers - URI:http://certificates.starfieldtech.com/repository/sfig2.crt\n## AKI: keyid:25:45:81:68:50:26:38:3D:3B:2D:2C:BE:CD:6A:D9:B6:3D:B3:66:63\n## SKI: 06:FE:0B:AB:D8:E6:74:6E:FC:C4:73:02:85:F7:A9:48:7E:D1:34:4F\n## ct_precert_scts: \u003cpresent\u003e\n\ne8e7fa116fb7d651:f131ccf4       104.20.1.85 www.ietf.org\n## Host www.ietf.org address 104.20.1.85\n## TLS: TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305-256\n## Serial    : e8e7fa116fb7d651\n## Issuer    : C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2\n## Subject   : OU=Domain Control Validated, CN=*.ietf.org\n## SAN: DNS:*.ietf.org\n## SAN: DNS:ietf.org\n## Inception : 2018-06-12 15:44:12+00:00 
UTC\n## Expiration: 2019-08-11 23:12:50+00:00 UTC\n## basicConstraints: CA:FALSE\n## extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication\n## keyUsage: Digital Signature, Key Encipherment\n## crlDistributionPoints: \u003cpresent\u003e\n## Policy: 2.16.840.1.114414.1.7.23.1\n## Policy: CPS: http://certificates.starfieldtech.com/repository/\n## Policy: 2.23.140.1.2.1\n## AuthorityInfoAcces: OCSP - URI:http://ocsp.starfieldtech.com/\n## AuthorityInfoAcces: CA Issuers - URI:http://certificates.starfieldtech.com/repository/sfig2.crt\n## authorityInfoAccess: OCSP - URI:http://ocsp.starfieldtech.com/\nCA Issuers - URI:http://certificates.starfieldtech.com/repository/sfig2.crt\n## AKI: keyid:25:45:81:68:50:26:38:3D:3B:2D:2C:BE:CD:6A:D9:B6:3D:B3:66:63\n## SKI: 06:FE:0B:AB:D8:E6:74:6E:FC:C4:73:02:85:F7:A9:48:7E:D1:34:4F\n## ct_precert_scts: \u003cpresent\u003e\n```\n\n```\n$ tlscertcheck.py expired.badssl.com\nERROR: TLS certificate verify failed: Cert has expired: 104.154.89.105 expired.badssl.com\n```\n\n```\n$ tlscertcheck.py self-signed.badssl.com\nERROR: TLS certificate verify failed: Self Signed certificate: 104.154.89.105 self-signed.badssl.com\n```\n\n```\n$ tlscertcheck.py untrusted-root.badssl.com\nERROR: TLS certificate verify failed: Unable to get issuer cert locally: 104.154.89.105 untrusted-root.badssl.com\n```\n\n```\n$ tlscertcheck.py wrong.host.badssl.com\nERROR: Certificate name mismatch: 104.154.89.105 wrong.host.badssl.com\n1f202031dfda98efdff0f72be51060d:4bcd7fc4        104.154.89.105 wrong.host.badssl.com\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshuque%2Ftlscertcheck","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshuque%2Ftlscertcheck","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshuque%2Ftlscertcheck/lists"}