certcheck.sh a TLS/SSL certificate checker

Use the openssl command to check a TLS/SSL certificate

To check a remote server’s TLS/SSL certificate from your local computer, use the openssl command. At its most basic, the following command will do just that.

Note: Replace CHANGE_ME with your desired hostname or IP address and PORT with 443. TLS servers can listen on other ports, but port 443 is used here because that is what certcheck.sh currently supports. Because this basic form sends no -servername option, no SNI is included in the handshake; a server that hosts several names on one address may answer with its default certificate rather than the one for the name you meant to check.

echo | \
openssl s_client \
    -showcerts \
    -connect CHANGE_ME:PORT

That command prints the server's certificate chain in PEM form together with handshake details such as the negotiated protocol, cipher suite, and session parameters, and much more. However, the certificate fields themselves (serial number, issuer, validity dates, SANs) are not decoded, so they are either not displayed or not easy to read.

To view readable output that matches the TLS/SSL certificate fields returned by certcheck.sh, use the following command. It sends the hostname as SNI via -servername and pipes the s_client output into openssl x509, which decodes only the first certificate in the stream (the server's leaf certificate) and prints only the requested fields. Intermediate certificates from the chain are not shown.

Note: Replace both occurrences of CHANGE_ME with your desired hostname. SNI carries a hostname, not an address, so if you only have an IP address, keep the hostname in -servername and put the IP address in -connect.

echo | \
openssl s_client \
    -showcerts \
    -servername CHANGE_ME \
    -connect CHANGE_ME:443 \
2>/dev/null | \
openssl x509 \
    -serial \
    -fingerprint \
    -sha256 \
    -issuer \
    -subject \
    -dates \
    -ext subjectAltName \
    -noout

The output should closely resemble what certcheck.sh returns. Results might differ, however, when a hostname resolves to different IP addresses depending on where the DNS query originates (for example, behind a CDN or a geo-aware load balancer). In that case the backend service for certcheck.sh may resolve the hostname to a different IP address than your local computer does, and the two endpoints may present certificates with the same subject and SANs but different serial numbers, fingerprints, and validity dates.

That is where the Authoritative DNS override text field comes in: enter a specific IP address and certcheck.sh will connect to it directly, bypassing DNS resolution entirely. The openssl equivalent is to keep the hostname in -servername (so the server still receives the correct SNI) and replace the hostname in -connect with the IP address.
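The following is an added example, not code from certcheck.sh or from the original page. It wraps the pipeline above in shell functions so the same field filter can be applied to a live server (with or without an IP override that keeps the hostname as SNI) or to a certificate on disk. The function and variable names are the example's own, and the self-signed certificate it generates for the offline demo is constructed sample input; it requires a local openssl binary (1.1.1 or newer for -addext and -ext).

```shell
#!/bin/sh
# Added example (not part of certcheck.sh): reproduce the page's openssl
# pipeline as reusable functions, including a DNS-bypassing IP override
# that still sends the hostname as SNI.
set -eu

# cert_fields: read a PEM stream on stdin and print the same fields
# certcheck.sh reports for the first (leaf) certificate in the stream.
cert_fields() {
    openssl x509 -noout \
        -serial \
        -fingerprint -sha256 \
        -issuer \
        -subject \
        -dates \
        -ext subjectAltName
}

# fetch_cert HOST [PORT] [IP]
# Opens a TLS connection to IP (or to HOST when IP is omitted) on PORT,
# sends HOST as the SNI name, and writes the PEM chain to stdout.
# Passing IP is the local equivalent of the Authoritative DNS override:
# DNS is bypassed but the server still sees the hostname you care about.
fetch_cert() {
    host=$1
    port=${2:-443}
    ip=${3:-$host}
    echo | openssl s_client -showcerts \
        -servername "$host" \
        -connect "$ip:$port" 2>/dev/null
}

# check_cert HOST [PORT] [IP]: the full pipeline from the page.
check_cert() {
    fetch_cert "$@" | cert_fields
}

# demo_selfsigned: offline demonstration of the field filter. Generates a
# throwaway self-signed certificate (constructed sample input, hypothetical
# names) and runs cert_fields on it, so no network access is needed.
demo_selfsigned() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.test" \
        -addext "subjectAltName=DNS:example.test,DNS:www.example.test" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    cert_fields < "$tmp/cert.pem"
    rm -rf "$tmp"
}

# Usage:
#   check_cert example.com                    # resolve example.com locally
#   check_cert example.com 443 203.0.113.10   # bypass DNS, keep SNI
#   demo_selfsigned                           # offline: filter a local cert
```

With the override, check_cert connects to the given address but still presents the hostname as SNI, which is what lets a multi-tenant server return the certificate for that name. Comparing the serial number and SHA-256 fingerprint from two different IPs is the quickest way to confirm whether a discrepancy against certcheck.sh is just DNS steering you to a different endpoint.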

« Back to certcheck.sh