Scripting OpenSSL just to extract Certificate Chain and Cert Expiry date

Pavol Kutaj
Jan 20, 2021

usecase

  • The concern is documenting how to quickly check the following, using a single command from PowerShell with OpenSSL:
  • certificate chain
  • certificate expiry date

1. steps

function test-certificate($domain) {
    # s_client expects host:port
    $domain += ":443"
    # print the "Certificate chain" section with 5 lines of context around it
    openssl s_client -connect $domain | sls "certificate chain" -Context 5
}
  • and
openssl s_client -connect github.com:443 | openssl x509 -noout -enddate

2. passing the “Q” key into the command

  • s_client opens a client that waits for input
  • I need to pass q into the script so that s_client ends gracefully and immediately
  • which is achieved with write-output "q" | ...
  • echo is an alias for the write-output cmdlet
echo "q" | openssl s_client -connect github.com:443

3. solution

  • just adding the following to the $profile
  • passing the domain e.g. cert github.com and pressing Q to continue
  • this is just for a quick interactive check
#$profile
function test-certificate($domain, $contextLength = 10) {
    # s_client expects host:port
    $domain += ":443"
    # expiry date: "q" ends the s_client session, x509 prints the notAfter line
    echo "q" | openssl s_client -connect $domain | openssl x509 -noout -enddate | sls "notAfter.*"
    # chain: the "Certificate chain" section with $contextLength lines of context around it
    echo "q" | openssl s_client -connect $domain | sls "certificate chain" -Context $contextLength
    write-host "~~~" -ForegroundColor darkcyan
    write-host "If needed, pass a desired output length after domainname" -ForegroundColor darkcyan
}
Set-Alias cert test-certificate
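
For unattended checks, the same openssl pipeline can return the expiry as an object with the days remaining instead of text to read by eye. This is an added example, not code from the original post; the function names ConvertFrom-NotAfter and Get-CertificateExpiry, the -WarnDays parameter and the sample notAfter line are assumptions made for illustration.

```powershell
function ConvertFrom-NotAfter {
    # Parse a line such as "notAfter=Mar  5 12:00:00 2031 GMT" into a UTC DateTime.
    param([Parameter(Mandatory)][string]$Line)
    if ($Line -notmatch '^notAfter=(.+?)\s*$') { throw "Unexpected -enddate output: $Line" }
    # OpenSSL pads single-digit days with a space, so collapse whitespace runs first.
    $text   = $Matches[1] -replace '\s+', ' '
    $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    [datetime]::ParseExact($text, "MMM d HH:mm:ss yyyy 'GMT'",
        [System.Globalization.CultureInfo]::InvariantCulture, $styles)
}

function Get-CertificateExpiry {
    # Hypothetical helper: one result object per domain, suitable for sorting or alerting.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Domain,
        [int]$WarnDays = 30
    )
    process {
        # -servername sends SNI so a shared host returns the certificate for this name.
        # "q" ends the s_client session; stderr chatter from both commands is discarded.
        $line = "q" | openssl s_client -connect "${Domain}:443" -servername $Domain 2>$null |
                openssl x509 -noout -enddate 2>$null
        if (-not $line) {
            Write-Warning "No certificate received from $Domain"
            return
        }
        $notAfter = ConvertFrom-NotAfter ($line | Select-Object -First 1)
        $daysLeft = [math]::Floor(($notAfter - [datetime]::UtcNow).TotalDays)
        $status   = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $WarnDays) { 'RENEW SOON' } else { 'OK' }
        [pscustomobject]@{
            Domain   = $Domain
            NotAfter = $notAfter
            DaysLeft = $daysLeft
            Status   = $status
        }
    }
}

# Offline check of the parser with a constructed sample line:
ConvertFrom-NotAfter 'notAfter=Mar  5 12:00:00 2031 GMT'

# Live check (needs network access and openssl on PATH):
# 'github.com' | Get-CertificateExpiry -WarnDays 45
```

s_client prints the server certificate even when chain verification fails, so this reports expiry only; read the "Verify return code" line of the s_client output to confirm the chain is trusted.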

4. sources


Pavol Kutaj

Today I Learnt | Infrastructure Support Engineer at snowplow.io with a passion for cloud infrastructure/terraform/python/docs. More at https://pavol.kutaj.com