Retrieve Full Chain from target, split the certs and report on them
658eb246 — Frank Brodbeck 1 year, 1 month ago
license added
2e4ee0b9 — Frank Brodbeck 1 year, 1 month ago
split certificates online







Retrieve certificate chain from server via openssl s_client and output each cert.

split-certs-online tries to deduce whether STARTTLS is necessary and which protocol to use, taking an educated guess based on the port provided.


No more manual splitting of the output of s_client and fiddling with x509.


usage: split-certs-online.sh: <host:port> [prot]

	host  IP address or hostname
	port  port to connect to
	prot  starttls protocol to use with `openssl s_client'
	      can be either smtp, pop3, imap, xmpp or none

    If no protocol has been specified we use the protocol associated.

Example for https

[*] Report for sr.ht:443
[-] subject= /CN=sr.ht
    issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    notBefore=Apr 30 11:36:38 2020 GMT
    notAfter=Jul 29 11:36:38 2020 GMT
[-] subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
    notBefore=Mar 17 16:40:46 2016 GMT
    notAfter=Mar 17 16:40:46 2021 GMT
[*] done.

Example for SMTP with STARTTLS

[!] using smtp for STARTTLS
[*] Report for gmail-smtp-in.l.google.com:25
[-] subject= /C=US/ST=California/L=Mountain View/O=Google LLC/CN=mx.google.com
    issuer= /C=US/O=Google Trust Services/CN=GTS CA 1O1
    notBefore=May 26 15:28:50 2020 GMT
    notAfter=Aug 18 15:28:50 2020 GMT
[-] subject= /C=US/O=Google Trust Services/CN=GTS CA 1O1
    issuer= /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
    notBefore=Jun 15 00:00:42 2017 GMT
    notAfter=Dec 15 00:00:42 2021 GMT
[*] done.
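
The steps described above (guess the STARTTLS protocol from the port, fetch the chain with `openssl s_client -showcerts`, split it and run `openssl x509` on each certificate), as an added sketch that is not the code of split-certs-online.sh. The function names, the port-to-protocol mapping and the temporary file layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and the port table are assumptions,
# not taken from split-certs-online.sh.

# guess_starttls PORT: print smtp, pop3, imap, xmpp or none.
# Assumed mapping from well-known ports; the script's own table may differ.
guess_starttls() {
	case "$1" in
		25|587) echo smtp ;;
		110)    echo pop3 ;;
		143)    echo imap ;;
		5222)   echo xmpp ;;
		*)      echo none ;;  # e.g. 443, 465, 993, 995: TLS from the first byte
	esac
}

# split_chain DIR: read s_client output on stdin, write every PEM block to
# DIR/cert-N.pem (N = 1 is the leaf) and print the number of certificates.
split_chain() {
	awk -v dir="$1" '
		/-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
		inside { print > out }
		/-----END CERTIFICATE-----/ { inside = 0; close(out) }
		END { print n + 0 }
	'
}

# report_chain HOST:PORT [PROT]: print subject, issuer and validity per cert.
# Returns non-zero when the server sent no certificate at all.
report_chain() {
	target=$1
	prot=${2:-$(guess_starttls "${target##*:}")}
	tmp=$(mktemp -d) || return 1
	# -servername sends SNI so a virtual-hosted server returns the chain for this name
	set -- -connect "$target" -servername "${target%:*}" -showcerts
	[ "$prot" = none ] || set -- "$@" -starttls "$prot"
	count=$(openssl s_client "$@" </dev/null 2>/dev/null | split_chain "$tmp")
	i=1
	while [ "$i" -le "$count" ]; do
		openssl x509 -in "$tmp/cert-$i.pem" -noout -subject -issuer -dates
		i=$((i + 1))
	done
	rm -rf "$tmp"
	[ "$count" -gt 0 ]
}
```

Source the file and call `report_chain sr.ht:443`, or pass the protocol explicitly as a second argument when the service runs on a non-standard port.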