{"id":18770039,"url":"https://github.com/yaroslaff/showcert","last_synced_at":"2025-04-04T11:08:27.648Z","repository":{"id":51794020,"uuid":"502541770","full_name":"yaroslaff/showcert","owner":"yaroslaff","description":"Simple OpenSSL for humans: all you need for X.509 TLS certificates (and nothing more).","archived":false,"fork":false,"pushed_at":"2025-02-19T22:10:46.000Z","size":88,"stargazers_count":96,"open_issues_count":0,"forks_count":5,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-28T10:02:48.285Z","etag":null,"topics":["cert","certificate","certificates","cli","crt","expiration","expiration-control","generate","https","inspect","letsencrypt","network","openssl","pem","python","python3","shell","ssl","tls","x509"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yaroslaff.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-06-12T06:53:52.000Z","updated_at":"2025-03-18T07:47:59.000Z","dependencies_parsed_at":"2023-12-22T14:02:01.915Z","dependency_job_id":"b04773b9-9c5c-4456-a015-4b0b8be3e59c","html_url":"https://github.com/yaroslaff/showcert","commit_stats":{"total_commits":73,"total_committers":1,"mean_commits":73.0,"dds":0.0,"last_synced_commit":"3779a7d4c682c180c42eec9302c1835e25bef72d"},"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yaroslaff%2Fshowcert","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yaroslaff%2Fshowcert/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yaroslaff%2Fshowcert/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yaroslaff%2Fshowcert/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/yaroslaff","download_url":"https://codeload.github.com/yaroslaff/showcert/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247166144,"owners_count":20894652,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cert","certificate","certificates","cli","crt","expiration","expiration-control","generate","https","inspect","letsencrypt","network","openssl","pem","python","python3","shell","ssl","tls","x509"],"created_at":"2024-11-07T19:17:52.589Z","updated_at":"2025-04-04T11:08:27.633Z","avatar_url":"https://github.com/yaroslaff.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# showcert - simple OpenSSL for humans\n\n![Run tests and upload coverage](https://github.com/yaroslaff/showcert/actions/workflows/main.yml/badge.svg)\n[![codecov](https://codecov.io/github/yaroslaff/showcert/graph/badge.svg?token=VOACSID3PP)](https://codecov.io/github/yaroslaff/showcert)\n[![PyPI version](https://badge.fury.io/py/showcert.svg)](https://badge.fury.io/py/showcert)\n![PyPI - Python Version](https://img.shields.io/pypi/pyversions/showcert)\n\nshowcert consist of two CLI utilities: `showcert` itself - all 'read' operations with X.509 certificates and `gencert` - to create certificates for development purposes.\n\nshowcert tries to follow these principles:\n- Simple things must be simple. More complex things may require some options. \n- Be simple and cover 9/10 routine certificate-related tasks.\n- If showcert missing some rarely used feature and user needs to use openssl for it - okay.\n\n\n## showcert\nmicro-cheatsheet (only 5 most often used commands):\n~~~bash\n# Remote:\nshowcert github.com\nshowcert smtp.google.com:25\n# save remote certificate or whole --chain\nshowcert --chain -o pem google.com \u003e google-fullchain.pem\n\n# Local:\n# -i for insecure (process self-signed or expired certificates)\nshowcert -i /etc/ssl/certs/ssl-cert-snakeoil.pem\n# letsencrypt-special sugar\nsudo showcert -q :le -w50 || echo local LetsEncrypt certificates will expire in less then 50 days\n~~~\n\n~~~bash\n# You will never forget how to use it:\n$ showcert github.com\nIP: 140.82.121.3\nNames: github.com www.github.com\nnotBefore: 2022-03-15 00:00:00 (182 days old)\nnotAfter: 2023-03-15 23:59:59 (183 days left)\nIssuer: C=US O=DigiCert Inc CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1\n\n# Compare it against openssl:\n# two redirections, pipe, two invocations and 5 unneeded options\n$ openssl s_client -connect github.com:443 \u003c/dev/null 2\u003e/dev/null | openssl x509 -inform pem -text\n\n# View Google SMTP server cert. starttls mode selected automatically. Same for POP3/IMAP and any simple TLS service\n$ showcert smtp.google.com:25\n\n# Save full chain of google.com certificates to local PEM file\n$ showcert --chain -o pem google.com \u003e google-fullchain.pem\n\n# Warn about any LetsEncrypt cert which will expire in 50 days or less\n# :le is just special token, replaced to /etc/letsencrypt/live/*/fullchain.pem\n$ sudo showcert -q :le -w50 || echo panic\n/etc/letsencrypt/live/my.example.com/fullchain.pem expires in 47 days\npanic\n~~~\n\n### STARTTLS implementation\nshowcert has built-in support for STARTTLS for SMTP (port 25), POP3 (port 110) and IMAP (port 143). You can select proper method with `--starttls` option (or disable it with `--starttls no`), but default value (`auto`) is OK for most cases. This option is needed only if you test servers on non-standard ports.\n\n### Exit code\nshowcert will return non-zero exit code (1) in case of any error (including expired certificate or host mismatch).\nIf `-w DAYS` used, non-zero (2) will be returned for valid certificates, which will expire in `DAYS` days or sooner.\n\n### Usage\n\n~~~shell\n$ bin/showcert -h\nusage: showcert [-h] [-i] [--output OUTPUT] [-c] [-w [DAYS]] [-q] [-n NAME] [-t METHOD] [-l TIME]\n [--ca CA] [--net]\n CERT [CERT ...]\n\nShow local/remote SSL certificate info v0.1.15\n\npositional arguments:\n CERT path, - (stdin), \":le\" (letsencrypt cert path), hostname or hostname:port\n\noptional arguments:\n -h, --help show this help message and exit\n -i, --insecure Do not verify remote certificate\n --output OUTPUT, -o OUTPUT\n output format: brief, full, names, dnames (for certbot), pem, no.\n -c, --chain Show chain (not only server certificate)\n -w [DAYS], --warn [DAYS]\n Warn about expiring certificates (def: 20 days)\n\nRarely needed options:\n -q, --quiet Quiet mode, same as --output no\n -n NAME, --name NAME name for SNI (if not same as CERT host)\n -t METHOD, --starttls METHOD\n starttls method: auto (default, and OK almost always), no, imap, smtp, pop3\n -l TIME, --limit TIME\n socket timeout (def: 5)\n --ca CA path to trusted CA certificates, def: /usr/local/lib/python3.9/dist-packages/certifi/cacert.pem\n --net Force network check (if you want to check host and have file/dir with same name in current directory)\n\nExamples: \n # just check remote certificate\n bin/showcert example.com\n\n # check SMTP server certificate (autodetected: --starttls smtp )\n bin/showcert smtp.google.com:25\n\n # save fullchain from google SMTP to local PEM file\n bin/showcert --chain -o pem google.com \u003e google-fullchain.pem\n \n # look for expiring letsencrypt certificates \n # :le is alias for /etc/letsencrypt/live/*/fullchain.pem \n bin/showcert :le -q -w 20 || echo \"expiring soon!\"\n~~~\n\n## gencert\nGencert is simple tool to quickly generate X.509 certificates **for development purposes**.\nI am not sure if they are very secure. Do not use it in real production!\n\n### Generate self-signed cert\n~~~shell\ngencert example.com www.example.com\n~~~\nThis will make `example.com.pem` file with both certificate and key in one file. Add `--key example.com.key` to store key in separate file. Add `--cert mycert.pem` to store certificate in different file name.\n\n### Your own CA in two simple commands\nGenerate CA cert/key:\n~~~shell\ngencert --ca \"My own CA\"\n~~~\nThis will make My-own-CA.pem and private key My-own-CA.key (Override with `--cert` and `--key`).\n\nGenerate signed certificate:\n~~~shell\ngencert --cacert My-own-CA.pem example.com\n~~~\nDone!\n\n`--cacert` is required, `--cakey` is optional (omitted in example), gencert will look for CA private key in following order:\n- in`--cakey` PEM file (if given)\n- in `--cacert` PEM file (if will be found there). \n- guessed filename. If `--cacert` is CA.pem, gencert will try to load from CA.key.\n\n\nYou may verify certificate with showcert and openssl:\n~~~shell\n# verify with showcert (unless '-i' given, showcert expects a valid certificate)\n$ showcert --ca MyCA.pem example.com.pem\nNames: example.com\nnotBefore: 2024-01-26 11:30:24 (0 days old)\nnotAfter: 2025-01-25 11:30:24 (364 days left)\nIssuer: CN=MyCA\n\n# verify with openssl\n$ openssl verify -CAfile MyCA.pem example.com.pem \nexample.com.pem: OK\n~~~\n\n## Installation\n`pipx install showcert`\n\nOr right from repo: `pipx install git+https://github.com/yaroslaff/showcert` \n\nOr use old way via pip/pip3:\n- `pip3 install showcert` (just install)\n- `pip3 install -U showcert` (upgrade)\n- `pip3 install -U git+https://github.com/yaroslaff/showcert` (install/upgrade from git)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyaroslaff%2Fshowcert","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyaroslaff%2Fshowcert","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyaroslaff%2Fshowcert/lists"}