It is sometimes helpful to get the details, not least the fingerprint, of a remote server’s TLS certificate from the command line.

Unfortunately, I’m not aware of any tool which is readily available on the typical Linux system to make this particularly easy.

Fortunately, one can be cobbled together using OpenSSL, which is rather universally available.

The first step is to get the certificate data itself in PEM format:

true | openssl s_client -connect www.example.com:443 -showcerts -no_ign_eof -certform PEM 2>/dev/null

The true | at the beginning simply provides an empty standard input to the OpenSSL connecting process, and I explicitly specify -no_ign_eof to make sure it will exit once there is no more data to be read from standard input (which in this case will be immediately). The 2>/dev/null silences the complete output from the certificate chain validation; you can use -verify_quiet instead, which in the absence of certificate chain problems has almost, but not quite, the same effect.

Note that since openssl s_client is a general-purpose debugging tool, the TCP port number must be specified. For HTTPS web sites, the typical port number is 443. If you are connecting by IP address, you can use -servername something.example.com to set the SNI server name in the TLS session.

Given the certificate data in PEM format from the above command, openssl x509 can be used to display information about the certificate:

openssl x509 -in filename.pem -noout -text -sha256 -fingerprint

where filename.pem contains the output from the previous command. If -in is not specified, then certificate data is read from standard input.

Useful variations are -text to print lots of technical details from the certificate, and -sha256 -fingerprint to print the SHA-256 fingerprint. Including both will cause both to be printed. If for some reason you need the insecure MD5 fingerprint, use -md5 instead of -sha256. Fingerprints are printed in colon-separated hexadecimal notation.

Putting all of this together, we get the following somewhat long command:

true | openssl s_client -connect www.example.com:443 -showcerts -no_ign_eof -certform PEM 2>/dev/null | openssl x509 -noout -sha256 -fingerprint

If you want to introduce something like torsocks to this, it should generally go with the openssl s_client command, as that is the part that is actually making the outbound network connection:

true | torsocks openssl s_client -connect www.example.com:443 -showcerts -no_ign_eof -certform PEM 2>/dev/null | openssl x509 -noout -sha256 -fingerprint

Both of these will, if successful, print the SHA-256 fingerprint of the TLS certificate received from the server. Currently, this results in this single line of output:

sha256 Fingerprint=5E:F2:F2:14:26:0A:B8:F5:8E:55:EE:A4:2E:4A:C0:4B:0F:17:18:07:D8:D1:18:5F:DD:D6:74:70:E9:AB:60:96

And there it is!