QZ qz thoughts
a blog from Eli the Bearded

getcert


I've typed these commands in by hand dozens of times over the years. But today I decided, "No more, script it."

So here's a simple script that takes a hostname, an optional port, and an optional output filter. It makes an SSL connection to the given host and extracts the certificate the server presents. With the valid filter, you can see the dates the cert is good for. With the dns filter, you can see the hostnames the cert covers.

#!/bin/sh
# getcert: show the certificate a TLS server presents, optionally filtered.
# usage: getcert host[:port] [ full | valid | dns ]

host=$1
port=443

# output filters: the whole decoded cert, the validity dates only,
# or the subject CN plus the DNS subject alternative names
full() { cat; }
valid() { grep -A2 'Validity'; }
dns() { grep -E '(Subject.*CN *=|DNS *:)'; }

case "$host" in
        *:*) connect="$host" ;;
        ?*)   connect="$host:$port" ;;
        *) echo "usage: ${0##*/} host[:port] { full | valid | dns }" >&2
           exit 2
           ;;
esac
# bare hostname for SNI; older OpenSSL does not fill it in from -connect,
# and without it a shared host may present the wrong certificate
servername=${host%%:*}
filter="full"

case "$2" in
        full) filter="full" ;;
        val*) filter="valid" ;;
        dns*) filter="dns" ;;
esac

# empty stdin makes s_client hang up as soon as the handshake is done;
# x509 reads the PEM certificate out of s_client's output and decodes it
: | openssl s_client -connect "$connect" -servername "$servername" 2> /dev/null |
    openssl x509 -noout -text |
    $filter
exit

Some examples of it in use:

$ getcert www.cvs.com dns
        Subject: C = US, ST = Rhode Island, L = Woonsocket, O = CVS
Pharmacy Inc, OU = CVS Caremark Corporation, CN = www.cvs.com
                DNS:www.cvs.com, DNS:www.minuteclinic.com,
DNS:www.cvshealth.com, DNS:voices.cvshealth.com,
DNS:videovisit.cvs.com, DNS:vaccines.cvs.com,
DNS:vaccines-west.cvs.com, DNS:vaccineclinicscheduler.cvs.com,
DNS:tnl-photo.cvs.com, DNS:t.cvs.com, DNS:static.cvs.com,
DNS:services.cvshealth.com, DNS:services.cvs.com,
DNS:scheduling.minuteclinic.com, DNS:r.cvs.com, DNS:photohelp.cvs.com,
DNS:photo-store.cvs.com, DNS:photo-smetrics.cvs.com,
DNS:photo-metrics.cvs.com, DNS:payments.cnpapi.cvs.com,
DNS:optical.cvs.com, DNS:mypassword.cvshealth.com,
DNS:mypassword.cvs.com, DNS:myhr.cvs.com,
DNS:mychart.minuteclinic.com, DNS:mobile.cvs.com,
DNS:minuteclinic.com, DNS:message.cvs.com, DNS:meddplanfinder.cvs.com,
DNS:m.cvs.com, DNS:i.cvs.com, DNS:health.cvs.com, DNS:flushot.cvs.com,
DNS:express.cvs.com, DNS:es.minuteclinic.com, DNS:es.cvs.com,
DNS:entservices.cvs.com, DNS:e.cvs.com, DNS:depservices.cvs.com,
DNS:ddl.cvs.com, DNS:d.cvs.com, DNS:cvs.com,
DNS:citrix.minuteclinic.com, DNS:circular.cvs.com,
DNS:catools-photo.cvs.com, DNS:cvsh-tv.cvs.com, DNS:c.cvs.com,
DNS:seo.cvs.com, DNS:s.cvs.com, DNS:ds.cvs.com, DNS:design.cvs.com,
DNS:alvie.cvs.com, DNS:smartbytes.minuteclinic.com, DNS:care.cvs.com,
DNS:www.care.cvs.com
$
$
$ getcert www.nato.int valid
        Validity
            Not Before: Dec 17 14:09:55 2020 GMT
            Not After : Dec 31 22:59:59 2021 GMT
$

There you have it. CVS has a list of subject alternative names (SANs) as long as a CVS receipt, and you now know what to get NATO for xmas.
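As an added example (not part of this post or the script above), here is a small Python checker that takes the same `openssl x509 -noout -text` output the script pipes through its filters and answers the two questions the filters only let you eyeball: does the cert cover a given hostname, and how many days remain before Not After. It goes a little beyond the post by handling wildcard SANs the RFC 6125 way; the sample text is constructed from the post's output, with one wildcard SAN added to exercise that matching.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not a real capture): the Subject, Validity and SAN lines
# as `openssl x509 -noout -text` prints them. Dates and the first two SANs are
# taken from the post's output; the wildcard SAN is added to exercise matching.
SAMPLE_TEXT = """\
        Subject: C = US, ST = Rhode Island, L = Woonsocket, O = CVS Pharmacy Inc, CN = www.cvs.com
        Validity
            Not Before: Dec 17 14:09:55 2020 GMT
            Not After : Dec 31 22:59:59 2021 GMT
            X509v3 Subject Alternative Name:
                DNS:www.cvs.com, DNS:www.minuteclinic.com, DNS:*.cvshealth.com
"""

def _parse_time(s):
    # OpenSSL pads single-digit days with a space ("Dec  1 ..."); collapse it
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_cert_text(text):
    """Pull subject CN, validity window and DNS SANs out of x509 -text output."""
    cn = re.search(r"Subject:.*?CN\s*=\s*([^,\n]+)", text)
    return {
        "cn": cn.group(1).strip() if cn else None,
        "not_before": _parse_time(re.search(r"Not Before:\s*(.+GMT)", text).group(1)),
        "not_after": _parse_time(re.search(r"Not After\s*:\s*(.+GMT)", text).group(1)),
        "sans": re.findall(r"DNS\s*:\s*([^,\s]+)", text),
    }

def name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard may only be the whole leftmost label and
    matches exactly one label (*.example.com covers a.example.com, not a.b.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return pattern == hostname

def check_cert(text, hostname, now_iso):
    """Does the cert cover `hostname`, is it valid on the ISO date `now_iso`, and for how long?"""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    info = parse_cert_text(text)
    # clients ignore the CN when SANs are present; fall back to it only if there are none
    names = info["sans"] or ([info["cn"]] if info["cn"] else [])
    return {
        "covered": any(name_matches(n, hostname) for n in names),
        "valid_now": info["not_before"] <= now <= info["not_after"],
        "days_left": (info["not_after"] - now).days,
    }
```

To use it on a live host, feed it the output of the script's full filter: `check_cert(subprocess.run(["getcert", "www.cvs.com"], capture_output=True, text=True).stdout, "www.cvs.com", "2021-06-01")`.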