It is sometimes helpful to get the details, not least the fingerprint, of a remote server’s TLS certificate from the command line.
Unfortunately, I’m not aware of any tool which is readily available on the typical Linux system to make this particularly easy.
Fortunately, one can be cobbled together using OpenSSL, which is rather universally available.
The first step is to get the certificate data itself in PEM format:
true | openssl s_client -connect www.example.com:443 -showcerts -no_ign_eof -certform PEM 2>/dev/null
The true | at the beginning simply provides an empty standard input to the OpenSSL connecting process, and I explicitly specify -no_ign_eof to make sure it will exit once there is no more data to be read from standard input (which in this case will be immediately). The 2>/dev/null silences everything written to standard error, chiefly the output from the certificate chain validation; you can use -verify_quiet instead, which in the absence of certificate chain problems has almost, but not quite, the same effect.
Note that since openssl s_client is a general-purpose debugging tool, the TCP port number must be specified. For HTTPS web sites, the typical port number is 443. If you are connecting by IP address, you can use -servername something.example.com to set the SNI server name in the TLS session.
Given the certificate data in PEM format from the above command, openssl x509 can be used to display information about the certificate:
openssl x509 -in filename.pem -noout -text -sha256 -fingerprint
where filename.pem contains the output from the previous command. If -in is not specified, then certificate data is read from standard input. Either way, openssl x509 uses the first PEM certificate block it finds and ignores the surrounding s_client output, so with -showcerts this is the server's own (leaf) certificate rather than an intermediate.
Useful variations are -text to print lots of technical details from the certificate, and -sha256 -fingerprint to print the SHA-256 fingerprint. Including both will cause both to be printed. If for some reason you need the insecure MD5 fingerprint, use -md5 instead of -sha256. Fingerprints are printed in colon-separated hexadecimal notation.
Putting all of this together, we get the following somewhat long command:
true | openssl s_client -connect www.example.com:443 -showcerts -no_ign_eof -certform PEM 2>/dev/null | openssl x509 -noout -sha256 -fingerprint
If you want to introduce something like torsocks to this, it should generally go with the openssl s_client command, as that is the part that is actually making the outbound network connection:
true | torsocks openssl s_client -connect www.example.com:443 -showcerts -no_ign_eof -certform PEM 2>/dev/null | openssl x509 -noout -sha256 -fingerprint
Both of these will, if successful, print the SHA-256 fingerprint of the TLS certificate received from the server. Currently, this results in this single line of output:
sha256 Fingerprint=5E:F2:F2:14:26:0A:B8:F5:8E:55:EE:A4:2E:4A:C0:4B:0F:17:18:07:D8:D1:18:5F:DD:D6:74:70:E9:AB:60:96
And there it is!
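As an added example (not part of the original post), here is the openssl x509 half of the pipeline wrapped into shell functions: one extracts the bare fingerprint from the output line shown above, one recomputes it independently as the SHA-256 of the certificate's DER encoding, and one compares a certificate against a pinned fingerprint, refusing to match if the certificate cannot be read. The function names are my own; it assumes only that the openssl CLI is installed and, instead of connecting anywhere, generates a throw-away self-signed certificate as its input, so it runs offline.

```shell
#!/bin/sh
# Helpers built around the "openssl x509" half of the pipeline above.
# Assumes only that the openssl CLI is installed; the certificate is read
# from a PEM file (e.g. saved from the s_client command), so no network.

# SHA-256 fingerprint as colon-separated uppercase hex, with the
# "sha256 Fingerprint=" / "SHA256 Fingerprint=" label stripped
# (the label's case differs between OpenSSL 1.1 and 3.x).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -sha256 -fingerprint | sed 's/^.*Fingerprint=//'
}

# The same value computed the long way: the fingerprint is simply the
# SHA-256 digest of the certificate's DER encoding, reformatted as AA:BB:...
der_sha256() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 \
        | sed 's/^.*= *//' | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Check a certificate against an expected (pinned) fingerprint. Both sides
# are normalised (case folded, colons and spaces dropped) so the pin can be
# pasted from any tool's output. An unreadable certificate never matches.
fingerprint_matches() {
    have=$(cert_fingerprint "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Constructed test input: a throw-away self-signed certificate, generated
# with a minimal inline config so this does not depend on the system
# openssl.cnf. Arguments: output cert path, output key path.
make_test_cert() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1.cnf" \
        -subj '/CN=fingerprint-example' -days 1 \
        -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Demo when run as "sh fingerprint.sh demo": make a cert, show both
# computations agree, then check it against the pin just printed.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_test_cert "$d/cert.pem" "$d/key.pem"
    pin=$(cert_fingerprint "$d/cert.pem")
    echo "x509 fingerprint: $pin"
    echo "sha256 over DER:  $(der_sha256 "$d/cert.pem")"
    fingerprint_matches "$d/cert.pem" "$pin" && echo "pin matches"
    rm -rf "$d"
fi
```

To pin a real server, save the output of the s_client command to a file and pass that file plus the fingerprint you recorded earlier to fingerprint_matches; a non-zero exit status means the certificate has changed or could not be parsed.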