Command-line TLS certificate inspector
Project description
certinspect
Command-line TLS certificate inspector.
Given one or more domains (or a .pem/.der file), it reports validity,
days to expiry, total validity period, subject, issuer, SAN, signature
algorithm, key size, SHA-256 fingerprint, CA flag, self-signed flag, key
usage and extended key usage, weak-crypto warnings, the negotiated TLS
version and cipher, and whether the hostname matches the certificate.
Requirements
- Python >= 3.10
Installation
pip install certinspect
From source (development)
python3 -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"
Usage
# Inspect a host
certinspect example.com
# Multiple hosts at once (batch mode)
certinspect example.com github.com api.example.com
# Custom port
certinspect example.com --port 8443
# Custom connection timeout in seconds (default: 5)
certinspect example.com --timeout 10
# JSON output (always a list of objects)
certinspect example.com --json
# Inspect a local certificate
certinspect --file ./certificate.pem
# Custom expiry warning threshold (default: 30 days)
certinspect example.com --days 14
# Only print certificates that have a problem
certinspect example.com github.com --quiet
# Verify the certificate chain against the system trust store
certinspect example.com --verify
# Save the fetched certificate as PEM
certinspect example.com --export ./fetched.pem
# Print the version
certinspect --version
Example
$ certinspect pypi.org --verify
=== pypi.org ===
Subject: CN=pypi.org
Status: VALID
Issuer: CN=GlobalSign Atlas R3 DV TLS CA 2025 Q4,O=GlobalSign nv-sa,C=BE
Valid from: 2025-12-28 04:33:08+00:00
Valid until: 2027-01-29 04:33:07+00:00
Days to expiry: 217
Total validity: 396 days
Serial number: 1587345912129534630556007389588586994
Signature: sha256WithRSAEncryption
Key size: 2048 bit
Fingerprint: 15:58:1C:41:02:3F:07:89:85:31:4E:7D:4C:4F:8A:CA:BF:05:C7:F6:...
CA: False
Self-Signed: False
TLS version: TLSv1.3
Cipher: TLS_AES_128_GCM_SHA256
Key usage: digital_signature, key_encipherment
Ext. key usage: serverAuth, clientAuth
Hostname match: True
Chain trusted: True
Revocation: GOOD
SAN:
- pypi.org
- *.pypi.org
- www.pypi.org
- donate.pypi.org
With --verify, certinspect opens a fully verified TLS handshake (chain +
hostname against the Python/OpenSSL trust store) and, when the certificate
advertises an OCSP responder, queries it for the revocation status. OCSP is
soft-fail: an unreachable responder reports UNAVAILABLE and does not change
the exit code, while a REVOKED status fails with exit code 6. Revocation is
not checked via CRLs.
Options
| Option | Description |
|---|---|
target... |
One or more domains to inspect. Omit when using --file. |
--file PATH |
Inspect a local certificate (PEM or DER) instead of a host. |
--port N |
TCP port to connect to (default: 443). |
--timeout N |
Connection timeout in seconds (default: 5). |
--json |
Print the result as JSON instead of human-readable text. |
--quiet |
Only print certificates that have a problem. |
--verify |
Verify the chain + OCSP revocation, system trust store (hosts only). |
--days N |
Warn if the certificate expires within N days (default: 30). |
--export PATH |
Save the inspected certificate as a PEM file at PATH. |
--version |
Print the version and exit. |
Exit codes
Designed for automation (cron, CI, monitoring scripts). In batch mode the worst code across all targets is returned.
| Code | Meaning |
|---|---|
| 0 | Valid certificate |
| 1 | Runtime error (network, file, parse) |
| 2 | Command-line usage error |
| 3 | Expiring within the --days threshold |
| 4 | Expired or with invalid dates |
| 5 | Hostname does not match the certificate |
| 6 | Chain not trusted or revoked (--verify) |
Example in a script:
certinspect yoursite.com --days 21
case $? in
0) ;; # all good
3) echo "Expiring" | mail -s "Warning" you@mail.com ;;
4) echo "Expired" | mail -s "Urgent" you@mail.com ;;
5) echo "Bad host" | mail -s "Urgent" you@mail.com ;;
*) echo "Check failed" ;;
esac
Development
# Tests
pytest
# Lint and formatting (Ruff)
ruff check src tests
ruff format src tests
License
MIT — see LICENSE.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file certinspect-0.3.1.tar.gz.
File metadata
- Download URL: certinspect-0.3.1.tar.gz
- Upload date:
- Size: 18.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
55284c0141410f1ce969c7a32e17ff06f412219b4b2d73c3b6859ddffc1e557e
|
|
| MD5 |
58b0bf1b8d84749c837207185ca98f7a
|
|
| BLAKE2b-256 |
36269d6c3e0121f786d1436fcf9a7493e6b059364ca9cab8420580a7443a5a3b
|
File details
Details for the file certinspect-0.3.1-py3-none-any.whl.
File metadata
- Download URL: certinspect-0.3.1-py3-none-any.whl
- Upload date:
- Size: 13.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c15d8082ae5fa25b09f0f8b82cab908107b0cbf12d23742395122745bc295ffc
|
|
| MD5 |
15e2e4ee1d7e343e8890325cd258bf13
|
|
| BLAKE2b-256 |
77cfbf52a4ec8a48167b73236456dc8d8404b8a0445c4c6bc8c9e7c80230108f
|
