Displaying a remote SSL certificate details using CLI tools

Question

In Chrome, clicking on the green HTTPS lock icon opens a window with the certificate details:

enter image description here

When I tried the same with cURL, I got only some of the information:

$ curl -vvI https://gnupg.org
* Rebuilt URL to: https://gnupg.org/
* Hostname was NOT found in DNS cache
*   Trying 217.69.76.60...
* Connected to gnupg.org (217.69.76.60) port 443 (#0)
* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: gnupg.org
* Server certificate: Gandi Standard SSL CA
* Server certificate: UTN-USERFirst-Hardware
> HEAD / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: gnupg.org
> Accept: */*

Any idea how to get the full certificate information form a command line tool (cURL or other)?

See also http://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server — Vadzim, Feb 08 '17 at 16:18
Probably depends on the version too. My current `curl` with flag `--verbose` shows the full server certificate content. — Patrick Mevzek, May 16 '18 at 20:02

score 486 · Accepted Answer · edited Jan 26 '16 at 15:45

486

You should be able to use OpenSSL for your purpose:

echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text

That command connects to the desired website and pipes the certificate in PEM format on to another openssl command that reads and parses the details.

(Note that "redundant" -servername parameter is necessary to make openssl do a request with SNI support.)

edited Jan 26 '16 at 15:45

Greg Dubicki

1,191
1
14
30

answered Jan 23 '15 at 22:26

Pedro Perez

5,652
1
10
11

There seems to be an error with this command: `OpenSSL> openssl:Error: 'CONNECTED(00000003)' is an invalid command.` – Adam Matan Jan 23 '15 at 22:34
Hi Adam, it works on my Ubuntu and it should work on any Linux. By the looks of the error you posted I would say you might have mistyped the host or the port? gnupg.org:443 works for me, too. What do you get if you just run: echo | openssl s_client -showcerts -connect gnupg.org:443 2>/dev/null – Pedro Perez Jan 23 '15 at 22:37
2

@AdamMatan Did you include the full command after the second pipe? The error message looks like the second openssl invocation ended up running in interactive mode (ie `openssl` vs `openssl x509 -inform pem -noout -text`). What Pedro wrote works fine for me. – Håkan Lindqvist Jan 23 '15 at 22:45
@HåkanLindqvist Perfect, I probably just missed the suffix. – Adam Matan Jan 24 '15 at 00:07
6

Note that while s_client will print the whole chain, the last piped command will only print information about the first certificate. – chutz Jan 26 '16 at 17:06
Took this and put it in a simple bash script so you can query multiple domains without having to edit the command line all the time. https://github.com/Valien/Bash-alicious/blob/master/ssl-query.sh – Valien Jul 25 '16 at 14:44
how to adapt it to print the details of the entire cert chain? – Tilo Jan 26 '17 at 19:25
Made this into a script: https://github.com/Noah-Huppert/scripts/blob/master/sslinfo – Noah Huppert Oct 22 '17 at 00:36
What is the `echo |` bit for? Is there a part of the command that expects user input? – mwfearnley Jan 03 '18 at 16:16
The openssl command establishes a connection against the destination host. The `echo |` part sends empty data (not sure exactly what :P) that prompts a response from the server instead of just waiting for timeout. If you try without it you'll still get the desired results, but would get hung for a few seconds until the connection times out. – Pedro Perez Jan 03 '18 at 16:20
1

`echo` by itself is equivalent to `echo ''` .. it sends an empty string to stdout. `cat /dev/null |` would work also and is a bit more self-explanatory. – hemp Jan 06 '18 at 01:06
6

If you would like to just know the **expiry date**, you can replace `-text` with `-enddate`, check for other options ([`openssl x509 help`](https://wiki.openssl.org/index.php/Command_Line_Utilities#Certificates_AKA_x509)). – adriaan Jul 11 '18 at 10:12
2

(fixed) @hemp: `echo` by itself outputs one newline character, then exits which causes the pipe to return EOF to openssl, which is actually what causes openssl to complete. _Redirecting_ with ` – dave_thompson_085 Sep 19 '18 at 20:32
I had a weird situation where i was using this script to request as shown `-servername smth.mydomain.com` but was receiving certificate for a different domain (hosted on the same server). First i thought that SSL was misconfigured on the server, but Chrome and Firefox correctly were seeing cert for `smth.mydomain.com` so my conclusion was that - this command doesn't really show the full picture, or there's more to SNI and servername than just specifying it there... (the curl solution from @AntonioFeitosa also shows that different domain). Seems like it shows whatever set as 'default cert'.. – Dimitry K Dec 17 '19 at 10:56
Continue: ok, i found the culprit. When looking at the shell command above, I decided that the last part of the pipe "decoding certs" wasn't necessary :O and thus in my output I only saw single CN name `default.mydomain.com` ("default domain on the cert"). However in my case domain had multiple "Alternative names" like `smth.mydomain.com`, `blog.mydomain.com`). Those names are only visible when you decode cert. I could also see them using `keytool` method described below by @dave_thompson_085 . Hope this helps someone. – Dimitry K Dec 17 '19 at 11:14
1

This answer worked great on my Mac for giving me details of a local certificate that I had for an app that I was trying to learn more about. I found the details of the certificate by using command `cat my-cert-file.pem | openssl x509 -inform pem -noout -text`. – entpnerd May 05 '21 at 23:51
1

@entpnerd: openssl can read the file by itself using the `-in` argument, and `-inform pem` is default. This is what I use: `function cert () { openssl x509 -text -noout -in "$1" | less -F }`. Use like `$ cert somefile.pem` ($1 will be substituted for the filename). With an almost identical function `csr`, replacing sub-command `x509` with `req`, you can view certificate signing requests. – MSpreij Mar 22 '22 at 12:42

score 144 · Answer 2 · 2022-01-19T14:27:38.223

Basic certificate info

That's my everyday script:

curl --insecure -vvI https://www.example.com 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

Output:

* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Los Angeles; O=Verizon Digital Media Services, Inc.; CN=www.example.org
*  start date: Dec 10 00:00:00 2021 GMT
*  expire date: Dec  9 23:59:59 2022 GMT
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5588e1f5ae30)
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* Connection #0 to host www.example.com left intact

Full certificate info

openssl s_client -connect www.example.com:443 </dev/null 2>/dev/null | openssl x509 -inform pem -text

Doesn't work for me, doesn't include the start/expire dates. — Per Lundberg, Jun 01 '17 at 06:34
Since some recent change in curl (somewhere between 49 and 52) this doesn't display anything at all about the certificate. :( — Ross Presser, Jun 26 '17 at 14:14
This also doesn't show Alternative Names which are on that cert. — Dimitry K, Dec 17 '19 at 11:10

score 75 · Answer 3 · answered Nov 01 '17 at 20:37

nmap -p 443 --script ssl-cert gnupg.org

The -p 443 specifies to scan port 443 only. All ports will be scanned if it is omitted, and the certificate details for any SSL service that is found will be displayed. The --script ssl-cert tells the Nmap scripting engine to run only the ssl-cert script. From the doc, this script "(r)etrieves a server's SSL certificate. The amount of information printed about the certificate depends on the verbosity level."

Sample output:

Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-01 13:35 PDT
Nmap scan report for gnupg.org (217.69.76.60)
Host is up (0.16s latency).
Other addresses for gnupg.org (not scanned): (null)
rDNS record for 217.69.76.60: www.gnupg.org
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=gnupg.org
| Subject Alternative Name: DNS:gnupg.org, DNS:www.gnupg.org
| Issuer: commonName=Gandi Standard SSL CA 2/organizationName=Gandi/stateOrProvinceName=Paris/countryName=FR
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2015-12-21T00:00:00
| Not valid after:  2018-03-19T23:59:59
| MD5:   c3a7 e0ed 388f 87cb ec7f fd3e 71f2 1c3e
|_SHA-1: 5196 ecf5 7aed 139f a511 735b bfb5 7534 df63 41ba

Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds

If you need to see the cert's fingerprints then this command is far better than the `curl -v` suggestions in other answers. — Bart B, Feb 12 '20 at 12:27
This is the only one in this thread showing the subject alternative names for the certificate. — Ozymandias, Nov 04 '20 at 20:16
Of all the other solutions (why is this basic operation so hard?), this is the least cumbersome. It's likely the one Trinity will prefer, too. — Mike Andrews, Dec 09 '20 at 14:16
Honestly the most elegant and simplest of the answers here. Going to add this to my snippets. Thanks. — Justin Fortier, Dec 13 '21 at 19:37
It's short, but doesn't work for my website while the solution with `openssl` works correctly. — DDMC, Aug 08 '22 at 16:12

score 38 · Answer 4 · answered Jan 23 '15 at 22:20

38

Depends on what kind of information you want, but:

openssl s_client -showcerts -connect gnupg.org:443

should give you most, although not as nicely human readable like Chrome presents it.

answered Jan 23 '15 at 22:20

faker

17,326
2
60
69

2

Unfortunately, very little of the certificate data is presented in human-readable format by that command. – Håkan Lindqvist Jan 23 '15 at 22:38
12

I disagree with previous comment, this command tells me what I need to know and is very useful. +1 for answer. – camdixon May 12 '17 at 18:47
If you specifically want to test for TLS 1.2 you can add -tls1_2 – camdixon May 12 '17 at 18:53
@Trismegistos I don't believe that is a thing. You can certainly pipe the certificate in the output here into `openssl x509` (which does have a `-text` option where it prints a human readable representation), like in https://serverfault.com/a/661982/183318 But if you want to improve this answer, you really shouldn't address me as I did not write it. – Håkan Lindqvist Feb 01 '21 at 13:16

score 28 · Answer 5 · answered Sep 19 '18 at 20:27

28

For completeness: if you have installed on your system Java 7 or higher

 keytool -printcert -sslserver $host[:$port]

shows the chain (as served) with nearly all details in a mostly rather ugly format.

Whether you should have Java installed on your system I do not answer.

answered Sep 19 '18 at 20:27

dave_thompson_085

3,100
1
15
14

1

brilliant, much more useful default output than openssl (which needs decoding). – simon May 13 '19 at 19:50
This seems to be the easiest way to check all domains supported by ssl-cert `keytool -printcert -sslserver smth.yourdomain.com | grep -E 'Owner|DNSName' this will show "default domain name" of the cert AND ALTERNATIVE DOMAIN NAMES of the cert – Dimitry K Dec 17 '19 at 11:06

score 9 · Answer 6 · answered Dec 14 '16 at 16:06

If you want to do this in Windows you can use PowerShell with the following function:

function Retrieve-ServerCertFromSocket ($hostname, $port=443, $SNIHeader, [switch]$FailWithoutTrust)
{
    if (!$SNIHeader) {
        $SNIHeader = $hostname
    }

    $cert = $null
    try {
        $tcpclient = new-object System.Net.Sockets.tcpclient
        $tcpclient.Connect($hostname,$port)

        #Authenticate with SSL
        if (!$FailWithoutTrust) {
            $sslstream = new-object System.Net.Security.SslStream -ArgumentList $tcpclient.GetStream(),$false, {$true}
        } else {
            $sslstream = new-object System.Net.Security.SslStream -ArgumentList $tcpclient.GetStream(),$false
        }

        $sslstream.AuthenticateAsClient($SNIHeader)
        $cert =  [System.Security.Cryptography.X509Certificates.X509Certificate2]($sslstream.remotecertificate)

     } catch {
        throw "Failed to retrieve remote certificate from $hostname`:$port because $_"
     } finally {
        #cleanup
        if ($sslStream) {$sslstream.close()}
        if ($tcpclient) {$tcpclient.close()}        
     }    
    return $cert
}

This allows you to do some neat things like

#Save to file and open 
Retrieve-ServerCertFromSocket www.wrish.com 443 | Export-Certificate -FilePath C:\temp\test.cer ; start c:\temp\test.cer

#Display the cert details
Retrieve-ServerCertFromSocket www.wrish.com 443 | fl subject,*not*,Thumb*,ser*

score 9 · Answer 7 · answered Apr 06 '18 at 02:17

If you only want the expiry date (which isn't exactly the answer but is 9/10 what people use the Chrome cert details for), you can use:

echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -enddate

Useful for scripts etc.

c4urself@eos ~ → which ssl_expiry
ssl_expiry () {
  echo | openssl s_client -connect ${1}:443 2> /dev/null | openssl x509 -noout -enddate
}
c4urself@eos ~ → ssl_expiry google.com
notAfter=Jun 12 16:54:00 2018 GMT

Florian Heigl · Answer 8 · 2015-01-24T01:41:15.723

To check for SSL certificate details, I use the following command line tool ever since it's become available:

https://github.com/azet/tls_tools

It's great to double-check you have all info correct for re-issuing certs or validating existing ones, and also as few dependencies AND it requires no setup.

This is what the first few lines of the output look like:

$ ./check_certificate_chain.py gnupg.org 443

>> Certificate Chain:

 [+]*       OU=Domain Control Validated, OU=Gandi Standard SSL, CN=gnupg.org
 [+]**      C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
 [+]***     C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware

>> Certificate Information:

................................................................................
- [Subject]:        OU=Domain Control Validated, OU=Gandi Standard SSL, CN=gnupg.org
- [Issuer]:     C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
- [Valid from]:     Mar 18 00:00:00 2014 GMT
- [Valid until]:    Mar 18 23:59:59 2016 GMT
- [Authority]:      Is not a CA
- [Version]:        2
- [Serial No.]:     43845251655098616578492338727643475746
- [X.509 Extension Details]:
  -- [x509_authorityKeyIdentifier]:
       keyid:B6:A8:FF:A2:A8:2F:D0:A6:CD:4B:B1:68:F3:E7:50:10:31:A7:79:21

That output is followed by the whole certificate chain at the same level of detail.

What I like that instead of being a ssl-centric cli tool like openssl's s_client, this one tries to just do the one job we need most of the time. Of course openssl is more flexible (i.e. also checking clientcerts, imaps on odd ports, etc) - but I don't always need that.

Alternatively, if you have time to dig in & setup or appreciate more features, there's the bigger tool named sslyze (not using it since dependencies and install...)

score 4 · Answer 9 · edited Jan 13 '20 at 10:11

I use a shell script for this. It's just a wrapper around the openssl command that saves me from remembering the syntax.

It provides options for parsing out most of the certificate information I'm typically interested in, or display raw openssl output.

Can either query a local certificate file, or a remote server.

Usage:

$ ssl-cert-info --help
Usage: ssl-cert-info [options]

This shell script is a simple wrapper around the openssl binary. It uses
s_client to get certificate information from remote hosts, or x509 for local
certificate files. It can parse out some of the openssl output or just dump all
of it as text.

Options:

  --all-info   Print all output, including boring things like Modulus and 
               Exponent.

  --alt        Print Subject Alternative Names. These will be typically be 
               additional hostnames that the certificate is valid for.

  --cn         Print commonName from Subject. This is typically the host for 
               which the certificate was issued.

  --debug      Print additional info that might be helpful when debugging this
               script.

  --end        Print certificate expiration date. For additional functionality
               related to certificate expiration, take a look at this script:
               "http://prefetch.net/code/ssl-cert-check".

  --dates      Print start and end dates of when the certificate is valid.

  --file       Use a local certificate file for input.

  --help       Print this help message.

  --host       Fetch the certificate from this remote host.

  --issuer     Print the certificate issuer.

  --most-info  Print almost everything. Skip boring things like Modulus and
               Exponent.

  --option     Pass any openssl option through to openssl to get its raw
               output.

  --port       Use this port when conneting to remote host. If ommitted, port
               defaults to 443.

  --subject    Print the certificate Subject -- typically address and org name.

Examples:

  1. Print a list of all hostnames that the certificate used by amazon.com 
     is valid for.

     ssl-cert-info --host amazon.com --alt
     DNS:uedata.amazon.com
     DNS:amazon.com
     DNS:amzn.com
     DNS:www.amzn.com
     DNS:www.amazon.com

  2. Print issuer of certificate used by smtp.gmail.com. Fetch certficate info
     over port 465.

     ssl-cert-info --host smtp.gmail.com --port 465 --issuer
     issuer= 
         countryName               = US
         organizationName          = Google Inc
         commonName                = Google Internet Authority G2

  3. Print valid dates for the certificate, using a local file as the source of 
     certificate data. Dates are formatted using the date command and display
     time in your local timezone instead of GMT.

     ssl-cert-info --file /path/to/file.crt --dates
     valid from: 2014-02-04 16:00:00 PST
     valid till: 2017-02-04 15:59:59 PST


  4. Print certificate serial number. This script doesn't have a special option
     to parse out the serial number, so will use the generic --option flag to
     pass '-serial' through to openssl.

     ssl-cert-info --host gmail.com --option -serial
     serial=4BF004B4DDC9C2F8

You can get the script here: https://web.archive.org/web/20190528035412/http://giantdorks.org/alain/shell-script-to-check-ssl-certificate-info-like-expiration-date-and-subject/

score 3 · Answer 10 · answered Jul 27 '17 at 15:58

3

nmap -sV -sC google.com -p 443

answered Jul 27 '17 at 15:58

Sergio Rua

51
1

6

This needs a lot more explanation. – Sven Jul 27 '17 at 16:19
agree with need for explanation, but it does work for me, so +1 – Jeff Oct 19 '17 at 15:37

score 2 · Answer 11 · answered Aug 05 '20 at 12:55

2

You can also try the gnutls-cli tool from https://www.gnutls.org/:

echo | gnutls-cli serverfault.com

The echo | is there to make gnutls-cli exit quickly, instead of waiting for input from stdin.

If you need the raw certificate data (in PEM format), add --print-cert.

answered Aug 05 '20 at 12:55

jpbochi

153
8

Thanks a lot ! simplest answer so far! – YCN- Sep 14 '21 at 08:55

score 0 · Answer 12 · answered Mar 31 '22 at 07:11

I came across this question and noticed I had answered something similar here: https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server/68277430#68277430

I also had the same challenge and next to that I discovered that openssl doesn't return the root ca. I have built an alternative for specifically for this purpose which might be useful for other developers, see here: GitHub - Certificate ripper

Command

crip print -u=https://gnupg.org

Output

Certificates for url = https://gnupg.org

[
[
  Version: V3
  Subject: CN=gnupg.org
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  params: null
  modulus: 31584528901574007750301020287561448010695338445786656836820202222425310660293397103661612041262534815824710633384445406661552999674139683313292182907220124973641103147823211675629863952189464092250334775320079482164648964670152919444386631405421166704969790376810530092741753755204051610269112728244627288812180893123949732920362020211922819834221347165888182335229776214076417362141617456849548559339712503046241890787857054712025639768795686815610181667002438461217925898165006378013013126800098621764184263923324590864316888475244387674964001095520567493168508649309644487636171722874605322088933794460410194036701
  public exponent: 65537
  Validity: [From: Sat Mar 05 01:55:18 CET 2022,
               To: Fri Jun 03 02:55:17 CEST 2022]
  Issuer: CN=R3, O=Let's Encrypt, C=US
  SerialNumber: [    04b186e2 062aebcc b4c9ae1b 10c1777c c520]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 81 F5 04 81 F2 00 F0   00 76 00 DF A5 5E AB 68  .........v...^.h
0010: 82 4F 1F 6C AD EE B8 5F   4E 3E 5A EA CD A2 12 A4  .O.l..._N>Z.....
0020: 6A 5E 8E 3B 12 C0 20 44   5C 2A 73 00 00 01 7F 57  j^.;.. D\*s....W
0030: C9 D0 37 00 00 04 03 00   47 30 45 02 21 00 92 05  ..7.....G0E.!...
0040: 73 F3 19 12 C5 C3 0B 97   95 B3 C4 3B 65 46 C5 6C  s..........;eF.l
0050: 60 C4 61 52 77 0D 8C D7   CD 96 DE 82 87 B9 02 20  `.aRw..........
0060: 64 48 71 14 C4 11 95 3C   68 13 91 46 4F 72 77 01  dHq....<h..FOrw.
0070: FB 7F C8 8B 59 96 BD 2C   4B EA 51 61 8C 29 34 6A  ....Y..,K.Qa.)4j
0080: 00 76 00 29 79 BE F0 9E   39 39 21 F0 56 73 9F 63  .v.)y...99!.Vs.c
0090: A5 77 E5 BE 57 7D 9C 60   0A F8 F9 4D 5D 26 5C 25  .w..W..`...M]&\%
00A0: 5D C7 84 00 00 01 7F 57   C9 D0 27 00 00 04 03 00  ]......W..'.....
00B0: 47 30 45 02 21 00 BD 4F   C9 94 6A 0C 57 0F DF D8  G0E.!..O..j.W...
00C0: 10 8A 0C 09 35 31 30 AF   CE B6 8E B8 00 BC 4F 46  ....510.......OF
00D0: 56 91 C1 83 AF 20 02 20   3C 61 37 B3 09 AF EF 40  V.... . <a7....@
00E0: 22 F7 43 1F 46 07 EE AA   FC 3D A4 0E 3A 60 A5 E1  ".C.F....=..:`..
00F0: 95 E3 0B B3 30 0D 7E 78                            ....0..x


[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://r3.o.lencr.org
,
   accessMethod: caIssuers
   accessLocation: URIName: http://r3.i.lencr.org/
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 14 2E B3 17 B7 58 56 CB   AE 50 09 40 E6 1F AF 9D  .....XV..P.@....
0010: 8B 14 C2 C6                                        ....
]
]

[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1A 68 74 74 70 3A 2F   2F 63 70 73 2E 6C 65 74  ..http://cps.let
0010: 73 65 6E 63 72 79 70 74   2E 6F 72 67              sencrypt.org

]]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: gnupg.org
  DNSName: www.gnupg.org
]

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 02 99 E2 B9 65 0A 77 F2   E5 9A 73 CE 9C 55 AF 7F  ....e.w...s..U..
0010: 5B AE BE 65                                        [..e
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 31 75 50 29 45 66 2B FA   52 F4 85 C3 E7 62 5F 09  1uP)Ef+.R....b_.
0010: 8C A9 18 3C 8E 4F 5A 4A   B2 B8 65 05 E0 2D 62 51  ...<.OZJ..e..-bQ
0020: 15 91 A2 78 A3 2A B6 B8   1F FD C8 D7 75 D2 98 E1  ...x.*......u...
0030: 2E 87 43 24 0C 38 60 E8   73 76 6C E4 7F 6C 3A DF  ..C$.8`.svl..l:.
0040: 56 5D AB DB B8 7F F7 F3   6C 43 AA CA A3 97 BF 32  V]......lC.....2
0050: D1 8C 20 D1 85 EB 43 DA   82 A9 08 DA 6C 2C CB CC  .. ...C.....l,..
0060: 75 8C D6 E8 A1 EA DF 82   E9 0C 33 B7 C9 0E 59 14  u.........3...Y.
0070: 9F 6D 4E 7E 6F BF 6B A9   F6 4C 82 19 48 9A 6F 8B  .mN.o.k..L..H.o.
0080: BE E7 F7 80 6F F6 15 AD   56 11 1C F1 7E C1 F4 CF  ....o...V.......
0090: C4 B7 5F C7 9F C0 0E 5A   47 46 AB FE 39 F3 7C 37  .._....ZGF..9..7
00A0: 2D 90 DE B5 5F F9 DE 51   E4 29 6F CA 6E C6 7A 21  -..._..Q.)o.n.z!
00B0: 00 3F 66 D0 24 06 77 73   5C 47 AD 4F D9 87 C7 FF  .?f.$.ws\G.O....
00C0: 93 0C 1B 27 A8 6D 53 DF   AC EF A3 54 C7 84 46 8F  ...'.mS....T..F.
00D0: EF BD 80 71 FD A4 6F 6B   06 37 9C 0A 96 14 16 04  ...q..ok.7......
00E0: F2 66 B5 80 D0 53 2C 73   3B 36 EE DC DE 59 37 52  .f...S,s;6...Y7R
00F0: 37 DA E6 A9 BA 83 A3 1D   EF B7 DC 1E 00 91 15 B3  7...............

]

========== NEXT CERTIFICATE FOR https://gnupg.org ==========

[
[
  Version: V3
  Subject: CN=R3, O=Let's Encrypt, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  params: null
  modulus: 23607590023527405233483514815960094733025362836439268915823566209453533788829410729612693188664033965601284889382200672291623712219351579442466292134025779170871903029675641332227720513370499414392174777629378433333281492782006644003508406669842374574620445942041275265465205367002253387972103578862358103547035353751037986892891938939537013712276962031758303128178118156019997818459064793797705051611931042977322694991611263911077235433119719504206173897534215486225391156231168313218127765624386188467360149426877213161912342004781300247624712380387337803861727744706241919394251136381590874774264144198228326996757
  public exponent: 65537
  Validity: [From: Fri Sep 04 02:00:00 CEST 2020,
               To: Mon Sep 15 18:00:00 CEST 2025]
  Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  SerialNumber: [    912b084a cf0c18a7 53f6d62e 25a75f5a]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://x1.i.lencr.org/
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 79 B4 59 E6 7B B6 E5 E4   01 73 80 08 88 C8 1A 58  y.Y......s.....X
0010: F6 E9 9B 6E                                        ...n
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://x1.c.lencr.org/]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

[8]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 14 2E B3 17 B7 58 56 CB   AE 50 09 40 E6 1F AF 9D  .....XV..P.@....
0010: 8B 14 C2 C6                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 85 CA 4E 47 3E A3 F7 85   44 85 BC D5 67 78 B2 98  ..NG>...D...gx..
0010: 63 AD 75 4D 1E 96 3D 33   65 72 54 2D 81 A0 EA C3  c.uM..=3erT-....
0020: ED F8 20 BF 5F CC B7 70   00 B7 6E 3B F6 5E 94 DE  .. ._..p..n;.^..
0030: E4 20 9F A6 EF 8B B2 03   E7 A2 B5 16 3C 91 CE B4  . ..........<...
0040: ED 39 02 E7 7C 25 8A 47   E6 65 6E 3F 46 F4 D9 F0  .9...%.G.en?F...
0050: CE 94 2B EE 54 CE 12 BC   8C 27 4B B8 C1 98 2F A2  ..+.T....'K.../.
0060: AF CD 71 91 4A 08 B7 C8   B8 23 7B 04 2D 08 F9 08  ..q.J....#..-...
0070: 57 3E 83 D9 04 33 0A 47   21 78 09 82 27 C3 2A C8  W>...3.G!x..'.*.
0080: 9B B9 CE 5C F2 64 C8 C0   BE 79 C0 4F 8E 6D 44 0C  ...\.d...y.O.mD.
0090: 5E 92 BB 2E F7 8B 10 E1   E8 1D 44 29 DB 59 20 ED  ^.........D).Y .
00A0: 63 B9 21 F8 12 26 94 93   57 A0 1D 65 04 C1 0A 22  c.!..&..W..e..."
00B0: AE 10 0D 43 97 A1 18 1F   7E E0 E0 86 37 B5 5A B1  ...C........7.Z.
00C0: BD 30 BF 87 6E 2B 2A FF   21 4E 1B 05 C3 F5 18 97  .0..n+*.!N......
00D0: F0 5E AC C3 A5 B8 6A F0   2E BC 3B 33 B9 EE 4B DE  .^....j...;3..K.
00E0: CC FC E4 AF 84 0B 86 3F   C0 55 43 36 F6 68 E1 36  .......?.UC6.h.6
00F0: 17 6A 8E 99 D1 FF A5 40   A7 34 B7 C0 D0 63 39 35  .j.....@.4...c95
0100: 39 75 6E F2 BA 76 C8 93   02 E9 A9 4B 6C 17 CE 0C  9un..v.....Kl...
0110: 02 D9 BD 81 FB 9F B7 68   D4 06 65 B3 82 3D 77 53  .......h..e..=wS
0120: F8 8E 79 03 AD 0A 31 07   75 2A 43 D8 55 97 72 C4  ..y...1.u*C.U.r.
0130: 29 0E F7 C4 5D 4E C8 AE   46 84 30 D7 F2 85 5F 18  )...]N..F.0..._.
0140: A1 79 BB E7 5E 70 8B 07   E1 86 93 C3 B9 8F DC 61  .y..^p.........a
0150: 71 25 2A AF DF ED 25 50   52 68 8B 92 DC E5 D6 B5  q%*...%PRh......
0160: E3 DA 7D D0 87 6C 84 21   31 AE 82 F5 FB B9 AB C8  .....l.!1.......
0170: 89 17 3D E1 4C E5 38 0E   F6 BD 2B BD 96 81 14 EB  ..=.L.8...+.....
0180: D5 DB 3D 20 A7 7E 59 D3   E2 F8 58 F9 5B B8 48 CD  ..= ..Y...X.[.H.
0190: FE 5C 4F 16 29 FE 1E 55   23 AF C8 11 B0 8D EA 7C  .\O.)..U#.......
01A0: 93 90 17 2F FD AC A2 09   47 46 3F F0 E9 B0 B7 FF  .../....GF?.....
01B0: 28 4D 68 32 D6 67 5E 1E   69 A3 93 B8 F5 9D 8B 2F  (Mh2.g^.i....../
01C0: 0B D2 52 43 A6 6F 32 57   65 4D 32 81 DF 38 53 85  ..RC.o2WeM2..8S.
01D0: 5D 7E 5D 66 29 EA B8 DD   E4 95 B5 CD B5 56 12 42  ].]f)........V.B
01E0: CD C4 4E C6 25 38 44 50   6D EC CE 00 55 18 FE E9  ..N.%8DPm...U...
01F0: 49 64 D4 4E CA 97 9C B4   5B C0 73 A8 AB B8 47 C2  Id.N....[.s...G.

]

========== NEXT CERTIFICATE FOR https://gnupg.org ==========

[
[
  Version: V3
  Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 4096 bits
  params: null
  modulus: 709477870415445373015359016562426660610553770685944520893298396600226760899977879191004898543350831842119174188613678136510262472550532722234131754439181090009824131001234702144200501816519311599904090606194984753842587622398776018408050245574116028550608708896478977104703101364577377554823893350339376892984086676842821506637376561471221178677513035811884589888230947855482554780924844280661412982827405878164907670403886160896655313460186264922042760067692235383478494519985672059698752915965998412445946254227413232257276525240006651483130792248112417425846451951438781260632137645358927568158361961710185115502577127010922344394993078948994750404287047493247048147066090211292167313905862438457453781042040498702821432013765502024105065778257759178356925494156447570322373310256999609083201778278588599854706241788119448943034477370959349516873162063461521707809689839710972753590949570167489887658749686740890549110678989462474318310617765270337415238713770800711236563610171101328052424145478220993016515262478543813796899677215192789612682845145008993144513547444131126029557147570005369943143213525671105288817016183804256755470528641042403865830064493168693765438364296560479053823886598989258655438933191724193029337334607
  public exponent: 65537
  Validity: [From: Wed Jan 20 20:14:03 CET 2021,
               To: Mon Sep 30 20:14:03 CEST 2024]
  Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
  SerialNumber: [    40017721 37d4e942 b8ee76aa 3c640ab7]

Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://apps.identrust.com/roots/dstrootcax3.p7c
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C4 A7 B1 A4 7B 2C 71 FA   DB E1 4B 90 75 FF C4 15  .....,q...K.u...
0010: 60 85 89 10                                        `...
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 22 68 74 74 70 3A 2F   2F 63 70 73 2E 72 6F 6F  ."http://cps.roo
0010: 74 2D 78 31 2E 6C 65 74   73 65 6E 63 72 79 70 74  t-x1.letsencrypt
0020: 2E 6F 72 67                                        .org

]]  ]
]

[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 79 B4 59 E6 7B B6 E5 E4   01 73 80 08 88 C8 1A 58  y.Y......s.....X
0010: F6 E9 9B 6E                                        ...n
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 0A 73 00 6C 96 6E FF 0E   52 D0 AE DD 8C E7 5A 06  .s.l.n..R.....Z.
0010: AD 2F A8 E3 8F BF C9 0A   03 15 50 C2 E5 6C 42 BB  ./........P..lB.
0020: 6F 9B F4 B4 4F C2 44 88   08 75 CC EB 07 9B 14 62  o...O.D..u.....b
0030: 6E 78 DE EC 27 BA 39 5C   F5 A2 A1 6E 56 94 70 10  nx..'.9\...nV.p.
0040: 53 B1 BB E4 AF D0 A2 C3   2B 01 D4 96 F4 C5 20 35  S.......+..... 5
0050: 33 F9 D8 61 36 E0 71 8D   B4 B8 B5 AA 82 45 95 C0  3..a6.q......E..
0060: F2 A9 23 28 E7 D6 A1 CB   67 08 DA A0 43 2C AA 1B  ..#(....g...C,..
0070: 93 1F C9 DE F5 AB 69 5D   13 F5 5B 86 58 22 CA 4D  ......i]..[.X".M
0080: 55 E4 70 67 6D C2 57 C5   46 39 41 CF 8A 58 83 58  U.pgm.W.F9A..X.X
0090: 6D 99 FE 57 E8 36 0E F0   0E 23 AA FD 88 97 D0 E3  m..W.6...#......
00A0: 5C 0E 94 49 B5 B5 17 35   D2 2E BF 4E 85 EF 18 E0  \..I...5...N....
00B0: 85 92 EB 06 3B 6C 29 23   09 60 DC 45 02 4C 12 18  ....;l)#.`.E.L..
00C0: 3B E9 FB 0E DE DC 44 F8   58 98 AE EA BD 45 45 A1  ;.....D.X....EE.
00D0: 88 5D 66 CA FE 10 E9 6F   82 C8 11 42 0D FB E9 EC  .]f....o...B....
00E0: E3 86 00 DE 9D 10 E3 38   FA A4 7D B1 D8 E8 49 82  .......8......I.
00F0: 84 06 9B 2B E8 6B 4F 01   0C 38 77 2E F9 DD E7 39  ...+.kO..8w....9

]

========== NEXT CERTIFICATE FOR https://gnupg.org ==========

[
[
  Version: V3
  Subject: CN=DST Root CA X3, O=Digital Signature Trust Co.
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  params: null
  modulus: 28237887677026032203151777657129561581522073060401233851894187952595640780665579499663841407267510759260214748789212535957135845654219821366017427323985352100172211628961551647178765278465245040619994286316630852210928184346090961906367138096715766033171261107313432772299467819936678634109708967378829013418649505942485529500580167736159568208924601034682852941882633722952597854385181938557682865139545636282689862459897027632511916072421459210380987954549724536623494064393973052186448977570989493998685404014473715688796607543139914669307234440905936555495044671225489918726010863829142065064843131427399159251549
  public exponent: 65537
  Validity: [From: Sat Sep 30 23:12:19 CEST 2000,
               To: Thu Sep 30 16:01:15 CEST 2021]
  Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
  SerialNumber: [    44afb080 d6a327ba 89303986 2ef8406b]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[2]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C4 A7 B1 A4 7B 2C 71 FA   DB E1 4B 90 75 FF C4 15  .....,q...K.u...
0010: 60 85 89 10                                        `...
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: A3 1A 2C 9B 17 00 5C A9   1E EE 28 66 37 3A BF 83  ..,...\...(f7:..
0010: C7 3F 4B C3 09 A0 95 20   5D E3 D9 59 44 D2 3E 0D  .?K.... ]..YD.>.
0020: 3E BD 8A 4B A0 74 1F CE   10 82 9C 74 1A 1D 7E 98  >..K.t.....t....
0030: 1A DD CB 13 4B B3 20 44   E4 91 E9 CC FC 7D A5 DB  ....K. D........
0040: 6A E5 FE E6 FD E0 4E DD   B7 00 3A B5 70 49 AF F2  j.....N...:.pI..
0050: E5 EB 02 F1 D1 02 8B 19   CB 94 3A 5E 48 C4 18 1E  ..........:^H...
0060: 58 19 5F 1E 02 5A F0 0C   F1 B1 AD A9 DC 59 86 8B  X._..Z.......Y..
0070: 6E E9 91 F5 86 CA FA B9   66 33 AA 59 5B CE E2 A7  n.......f3.Y[...
0080: 16 73 47 CB 2B CC 99 B0   37 48 CF E3 56 4B F5 CF  .sG.+...7H..VK..
0090: 0F 0C 72 32 87 C6 F0 44   BB 53 72 6D 43 F5 26 48  ..r2...D.SrmC.&H
00A0: 9A 52 67 B7 58 AB FE 67   76 71 78 DB 0D A2 56 14  .Rg.X..gvqx...V.
00B0: 13 39 24 31 85 A2 A8 02   5A 30 47 E1 DD 50 07 BC  .9$1....Z0G..P..
00C0: 02 09 90 00 EB 64 63 60   9B 16 BC 88 C9 12 E6 D2  .....dc`........
00D0: 7D 91 8B F9 3D 32 8D 65   B4 E9 7C B1 57 76 EA C5  ....=2.e....Wv..
00E0: B6 28 39 BF 15 65 1C C8   F6 77 96 6A 0A 8D 77 0B  .(9..e...w.j..w.
00F0: D8 91 0B 04 8E 07 DB 29   B6 0A EE 9D 82 35 35 10  .......).....55.

]

score 0 · Answer 13 · answered May 09 '22 at 10:02

0

I'm using some weird script to do this:

date --date="$(curl --insecure -vvI https://v1.d13.ovh 2>&1 | grep "expire date" | awk '{print $4,$5,$6,$7,$8,$9}')" +%s

answered May 09 '22 at 10:02

Dmitriy

1

Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community May 20 '22 at 09:21

score 0 · Answer 14 · answered Jul 05 '22 at 11:34

In addition to @jpbochi answer:

$ gnutls-cli --print-cert serverfault.com < /dev/null | openssl x509  -inform pem -noout -text -dates

Output

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:67:98:53:7f:1f:64:c2:2c:8f:57:d8:17:96:01:e8:6d:30
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: May  8 13:13:04 2022 GMT
            Not After : Aug  6 13:13:03 2022 GMT
        Subject: CN = *.stackexchange.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:46:73:ad:d6:1d:be:56:a0:aa:bf:1d:a6:e0:
                    62:ed:45:b4:d1:81:d2:aa:53:1d:de:db:48:6c:bc:
                    7b:37:53:3d:d2:9a:ae:50:a8:78:ae:c2:c1:c0:70:
                    c1:c7:de:55:91:6d:d0:22:07:71:73:61:d9:a7:9c:
                    f9:c6:6b:40:42:ce:b6:69:05:18:32:b1:34:61:40:
                    69:3b:88:5b:aa:33:da:8f:0f:ad:eb:c2:9f:02:92:
                    cf:76:2e:39:8f:b9:66:a6:12:9f:34:a4:e9:13:fc:
                    3f:e0:53:89:e1:43:32:24:62:54:af:6e:44:57:4b:
                    a5:6d:74:a5:ef:98:e0:42:66:13:f8:64:2b:2c:3c:
                    0c:54:d5:18:d8:51:60:73:db:59:9d:c5:05:b0:8f:
                    53:74:ec:55:e0:2f:21:0f:79:49:73:a0:d9:f0:ae:
                    d3:17:e2:3d:50:fb:cf:d9:81:5c:23:6a:fa:ae:8f:
                    92:f4:42:af:95:b3:28:80:d9:db:f5:68:16:f5:eb:
                    2d:84:91:2a:ad:d7:9d:c4:f6:91:83:08:8e:bc:cd:
                    27:8c:d5:2d:ea:71:34:2d:9e:d9:fd:59:46:33:f6:
                    b0:c4:e5:fa:a6:0b:09:6d:cb:7c:aa:de:01:b0:52:
                    3b:af:87:fa:b6:16:52:4a:45:54:1e:ce:4d:68:e4:
                    d0:89
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                8F:95:08:25:6C:87:32:5C:2C:BC:C7:2D:30:1E:69:F5:26:36:BF:D7
            X509v3 Authority Key Identifier: 
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access: 
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name: 
                DNS:*.askubuntu.com, DNS:*.blogoverflow.com, DNS:*.mathoverflow.net, DNS:*.meta.stackexchange.com, DNS:*.meta.stackoverflow.com, DNS:*.serverfault.com, DNS:*.sstatic.net, DNS:*.stackexchange.com, DNS:*.stackoverflow.com, DNS:*.stackoverflow.email, DNS:*.superuser.com, DNS:askubuntu.com, DNS:blogoverflow.com, DNS:mathoverflow.net, DNS:openid.stackauth.com, DNS:serverfault.com, DNS:sstatic.net, DNS:stackapps.com, DNS:stackauth.com, DNS:stackexchange.com, DNS:stackoverflow.blog, DNS:stackoverflow.com, DNS:stackoverflow.email, DNS:stacksnippets.net, DNS:superuser.com
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DF:A5:5E:AB:68:82:4F:1F:6C:AD:EE:B8:5F:4E:3E:5A:
                                EA:CD:A2:12:A4:6A:5E:8E:3B:12:C0:20:44:5C:2A:73
                    Timestamp : May  8 14:13:04.851 2022 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:39:CE:40:26:A2:CE:3E:80:70:EC:13:8E:
                                70:BF:21:33:1F:9A:17:67:6B:46:6B:DC:BC:55:57:E7:
                                4B:CC:5E:2C:02:20:2F:B5:07:A1:63:56:34:FB:FE:20:
                                AC:05:62:1B:1F:FA:FD:2F:EC:2C:E9:F6:96:87:A5:B7:
                                85:E4:FC:C2:0B:2D
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D:
                                11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47
                    Timestamp : May  8 14:13:04.897 2022 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:F8:AA:7D:72:B4:E2:FB:C1:E2:31:98:
                                83:33:AD:17:32:C8:CD:C7:E4:3B:2A:3D:61:73:AC:BC:
                                69:26:B4:7C:95:02:20:55:DA:0A:4C:27:E3:9B:39:96:
                                88:07:BF:7D:5A:B7:DC:83:E7:7D:14:AE:E8:76:28:48:
                                A7:D5:89:47:19:B4:47
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        a0:f9:b8:ff:b3:1e:c6:ba:e5:bd:ab:62:d5:b9:76:09:97:41:
        ef:69:b2:48:1a:87:f6:98:7b:03:0e:03:15:0d:50:15:9c:6c:
        0d:b8:4c:34:5d:fc:a6:98:b4:40:71:48:60:d1:67:21:af:e5:
        da:9c:e6:35:83:c4:53:4b:8b:1a:f1:ee:54:ef:85:48:f5:c3:
        a5:9d:9e:69:ec:45:40:23:3b:e2:d8:2c:0d:70:58:91:a7:82:
        5f:e7:5e:4b:6a:f6:ab:dc:ea:b1:12:9d:83:b2:95:79:99:ef:
        4e:f4:41:9f:8e:21:49:c3:61:e0:9d:f1:e9:6a:96:b2:33:7e:
        04:66:d2:29:fe:c1:a0:b8:3d:95:c2:68:28:f1:87:e3:99:cd:
        18:34:89:9e:9e:99:ca:03:69:1c:7e:4d:41:90:96:2c:3e:b2:
        36:d7:0c:48:b5:5f:c7:5b:93:d3:ff:35:a3:51:ff:10:af:ac:
        cf:7d:cd:6d:ab:5b:d6:8a:21:a5:bd:b0:24:9c:2f:bd:65:fd:
        05:d6:cf:6f:a1:67:77:06:a6:54:b6:9e:0c:5e:cc:2a:28:f8:
        af:f0:9e:02:f8:28:f6:74:47:3f:d2:db:6a:6c:23:cf:53:61:
        de:eb:91:8b:42:28:e4:d6:f3:75:56:d3:41:fd:68:ed:fd:a3:
        7f:14:7e:db
notBefore=May  8 13:13:04 2022 GMT
notAfter=Aug  6 13:13:03 2022 GMT

Displaying a remote SSL certificate details using CLI tools

14 Answers14

Basic certificate info

Full certificate info

Linked