Skip to main content

Simple OpenSSL for humans: all you need for X.509 TLS certificates (and nothing more)

Project description

showcert - simple OpenSSL for humans

showcert consist of two CLI utilities: showcert itself - all 'read' operations with X.509 certificates and gencert - to create certificates for development purposes.

showcert tries to follow these principles:

  • Simple things must be simple. More complex things may require some options.
  • Be simple and cover 9/10 routine certificate-related tasks.
  • If showcert missing some rarely used feature and user needs to use openssl for it - okay.

showcert

micro-cheatsheet (only 5 most often used commands):

# Remote:
showcert github.com
showcert smtp.google.com:25
# save remote certificate or whole --chain
showcert --chain -o pem google.com > google-fullchain.pem

# Local:
# -i for insecure (process self-signed or expired certificates)
showcert -i /etc/ssl/certs/ssl-cert-snakeoil.pem
# letsencrypt-special sugar
sudo showcert -q :le -w50 || echo local LetsEncrypt certificates will expire in less then 50 days
# You will never forget how to use it:
$ showcert github.com
IP: 140.82.121.3
Names: github.com www.github.com
notBefore: 2022-03-15 00:00:00 (182 days old)
notAfter: 2023-03-15 23:59:59 (183 days left)
Issuer: C=US O=DigiCert Inc CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1

# Compare it against openssl:
# two redirections, pipe, two invocations and 5 unneeded options
$ openssl s_client -connect github.com:443 </dev/null 2>/dev/null | openssl x509 -inform pem -text

# View Google SMTP server cert. starttls mode selected automatically. Same for POP3/IMAP and any simple TLS service
$ showcert smtp.google.com:25

# Save full chain of google.com certificates to local PEM file
$ showcert --chain -o pem google.com > google-fullchain.pem

# Warn about any LetsEncrypt cert which will expire in 50 days or less
# :le is just special token, replaced to /etc/letsencrypt/live/*/fullchain.pem
$ sudo showcert -q :le -w50 || echo panic
/etc/letsencrypt/live/my.example.com/fullchain.pem expires in 47 days
panic

STARTTLS implementation

showcert has built-in support for STARTTLS for SMTP (port 25), POP3 (port 110) and IMAP (port 143). You can select proper method with --starttls option (or disable it with --starttls no), but default value (auto) is OK for most cases. This option is needed only if you test servers on non-standard ports.

Exit code

showcert will return non-zero exit code (1) in case of any error (including expired certificate or host mismatch). If -w DAYS used, non-zero (2) will be returned for valid certificates, which will expire in DAYS days or sooner.

Usage

$ bin/showcert -h
usage: showcert [-h] [-i] [--output OUTPUT] [-c] [-w [DAYS]] [-q] [-n NAME] [-t METHOD] [-l TIME]
                [--ca CA] [--net]
                CERT [CERT ...]

Show local/remote SSL certificate info v0.1.15

positional arguments:
  CERT                  path, - (stdin), ":le" (letsencrypt cert path), hostname or hostname:port

optional arguments:
  -h, --help            show this help message and exit
  -i, --insecure        Do not verify remote certificate
  --output OUTPUT, -o OUTPUT
                        output format: brief, full, names, dnames (for certbot), pem, no.
  -c, --chain           Show chain (not only server certificate)
  -w [DAYS], --warn [DAYS]
                        Warn about expiring certificates (def: 20 days)

Rarely needed options:
  -q, --quiet           Quiet mode, same as --output no
  -n NAME, --name NAME  name for SNI (if not same as CERT host)
  -t METHOD, --starttls METHOD
                        starttls method: auto (default, and OK almost always), no, imap, smtp, pop3
  -l TIME, --limit TIME
                        socket timeout (def: 5)
  --ca CA               path to trusted CA certificates, def: /usr/local/lib/python3.9/dist-packages/certifi/cacert.pem
  --net                 Force network check (if you want to check host and have file/dir with same name in current directory)

Examples:  
  # just check remote certificate
  bin/showcert example.com

  # check SMTP server certificate (autodetected: --starttls smtp )
  bin/showcert smtp.google.com:25

  # save fullchain from google SMTP to local PEM file
  bin/showcert --chain -o pem google.com > google-fullchain.pem
  
  # look for expiring letsencrypt certificates 
  # :le is alias for /etc/letsencrypt/live/*/fullchain.pem 
  bin/showcert :le -q -w 20 || echo "expiring soon!"

gencert

Gencert is simple tool to quickly generate X.509 certificates for development purposes. I am not sure if they are very secure. Do not use it in real production!

Generate self-signed cert

gencert example.com www.example.com

This will make example.com.pem file with both certificate and key in one file. Add --key example.com.key to store key in separate file. Add --cert mycert.pem to store certificate in different file name.

Your own CA in two simple commands

Generate CA cert/key:

gencert --ca "My own CA"

This will make My-own-CA.pem and private key My-own-CA.key (Override with --cert and --key).

Generate signed certificate:

gencert --cacert My-own-CA.pem example.com

Done!

--cacert is required, --cakey is optional (omitted in example), gencert will look for CA private key in following order:

  • in--cakey PEM file (if given)
  • in --cacert PEM file (if will be found there).
  • guessed filename. If --cacert is CA.pem, gencert will try to load from CA.key.

You may verify certificate with showcert and openssl:

# verify with showcert (unless '-i' given, showcert expects a valid certificate)
$ showcert --ca MyCA.pem example.com.pem
Names: example.com
notBefore: 2024-01-26 11:30:24 (0 days old)
notAfter: 2025-01-25 11:30:24 (364 days left)
Issuer: CN=MyCA

# verify with openssl
$ openssl verify -CAfile MyCA.pem example.com.pem 
example.com.pem: OK

Installation

pipx install showcert

Or right from repo: pipx install git+https://github.com/yaroslaff/showcert

Or use old way via pip/pip3:

  • pip3 install showcert (just install)
  • pip3 install -U showcert (upgrade)
  • pip3 install -U git+https://github.com/yaroslaff/showcert (install/upgrade from git)

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

showcert-0.2.7.tar.gz (13.7 kB view details)

Uploaded Source

Built Distribution

showcert-0.2.7-py3-none-any.whl (12.8 kB view details)

Uploaded Python 3

File details

Details for the file showcert-0.2.7.tar.gz.

File metadata

  • Download URL: showcert-0.2.7.tar.gz
  • Upload date:
  • Size: 13.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: python-httpx/0.27.0

File hashes

Hashes for showcert-0.2.7.tar.gz
Algorithm Hash digest
SHA256 b79181b4a81d57abd5a1b4e9d328c6203649da7157f24dddf38cc256ffa102d9
MD5 8d36cd1832034dc0bbb6687bc742016b
BLAKE2b-256 888b689e7a20f3efca7ba240b9cda44f00ed2797cf2c4cd58cd5185f5d781b39

See more details on using hashes here.

File details

Details for the file showcert-0.2.7-py3-none-any.whl.

File metadata

  • Download URL: showcert-0.2.7-py3-none-any.whl
  • Upload date:
  • Size: 12.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: python-httpx/0.27.0

File hashes

Hashes for showcert-0.2.7-py3-none-any.whl
Algorithm Hash digest
SHA256 a4fdf3612edceb976b9cee7e8c153e550d707cb1a2491bea8a27f6b58bc09912
MD5 12197b160a08beecea1c127b7da57932
BLAKE2b-256 e2fc80f8bccd2f17fd0dfac461b15623dfebdebdbce6cd3a55d442570db9b729

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page