@nsheridan
Created September 11, 2018 11:24
package main
import (
	"crypto/tls"
	"crypto/x509"
	"flag"
	"fmt"
	"log"
	"net"
	"os"
	"strings"
	"time"
)
// Command-line flags; each is read once in main after flag.Parse.

// server is the target to probe, either a bare host or host:port. A bare
// host is dialed on port 443.
var server = flag.String("server", "", "host[:port] of the server to check")

// sni optionally overrides the server name used for the TLS handshake and,
// with -verify, the host name the leaf certificate is checked against.
var sni = flag.String("sni", "", "Use an alternative server name")

// verifycert turns on an explicit chain check after the handshake; without
// it the tool only dumps whatever chain the server presented.
var verifycert = flag.Bool("verify", false, "Verify that the presented cert chain is valid")
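// main dials the target over TLS, prints every certificate the server
// presented (leaf first), and, when -verify is set, checks that chain
// against the system root store and the expected host name.
//
// Exit status is 0 on success and 1 when the dial fails or -verify rejects
// the chain (log.Fatal / os.Exit). The connection is closed on the normal
// return path; os.Exit skips the deferred Close, which is acceptable for a
// one-shot CLI.
func main() {
	flag.Parse()
	if *server == "" {
		log.Fatal("-server is required")
	}
	// A bare host defaults to port 443; "host:port" input is left as given.
	if !strings.Contains(*server, ":") {
		*server = *server + ":443"
	}
	// Derive the host name from the address in every case. The previous
	// version only did so for bare hosts, so "-server host:8443" without
	// -sni sent no SNI and, worse, made -verify skip the host-name check
	// (x509 ignores an empty DNSName) while still printing "valid".
	host, _, err := net.SplitHostPort(*server)
	if err != nil {
		log.Fatalf("invalid -server %q: %v", *server, err)
	}
	name := host
	if *sni != "" {
		name = *sni
	}
	conf := &tls.Config{
		// Verification is deliberately disabled for the handshake so that a
		// broken or untrusted chain can still be dumped; -verify performs an
		// explicit x509 check below instead of relying on the handshake.
		InsecureSkipVerify: true,
		ServerName:         name,
	}
	// Bound the dial plus handshake so an unresponsive host cannot hang the
	// tool indefinitely.
	dialer := &net.Dialer{Timeout: 10 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", *server, conf)
	if err != nil {
		log.Fatal(err)
	}
	defer conn.Close()

	state := conn.ConnectionState()
	if len(state.PeerCertificates) == 0 {
		log.Fatal("server presented no certificates")
	}
	for i, cert := range state.PeerCertificates {
		// Whole days until NotAfter; negative once the cert has expired.
		expires := int(time.Until(cert.NotAfter).Hours() / 24)
		fmt.Printf("%d: %s SAN: %v Expires: %d days\n", i, cert.Subject.CommonName, cert.DNSNames, expires)
	}

	if *verifycert {
		// An empty DNSName would silently disable host-name matching, which
		// would turn "valid" into a meaningless answer. Refuse rather than
		// verify against nothing.
		if name == "" {
			log.Fatal("no host name to verify against; pass -sni")
		}
		// PeerCertificates[0] is the leaf; everything after it is offered as
		// an intermediate. Roots is left nil so the system root store is used,
		// and KeyUsages is left empty so x509 requires server authentication.
		leaf := state.PeerCertificates[0]
		intermediates := x509.NewCertPool()
		for _, c := range state.PeerCertificates[1:] {
			intermediates.AddCert(c)
		}
		opts := x509.VerifyOptions{
			DNSName:       name,
			Intermediates: intermediates,
		}
		if _, err := leaf.Verify(opts); err != nil {
			fmt.Printf("Invalid certificate chain: %s\n", err)
			os.Exit(1)
		}
		fmt.Println("Certificate chain is valid")
	}
}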