Check certificate (OpenSSL)
Basic check
Section titled “Basic check”Inspect certificate chain and TLS handshake for a host:port:
openssl s_client -connect ${{ HOST }}:${{ PORT }} -showcertsUseful options
Section titled “Useful options”-servername name— SNI (e.g. for virtual hosts):openssl s_client -connect ${{ HOST }}:${{ PORT }} -servername ${{ HOST }} -showcerts-starttls proto— for SMTP/IMAP etc.:openssl s_client -connect ${{ HOST }}:587 -starttls smtp -showcerts- Pipe to get only cert(s):
openssl s_client -connect ${{ HOST }}:${{ PORT }} -showcerts </dev/null 2>/dev/null | openssl x509 -noout -dates -subject -issuer
Expiry probe
Section titled “Expiry probe”Is the cert expiring within N days? -checkend exits 0 if it’s still valid
beyond that window, non-zero otherwise — perfect for a cron/monitoring probe:
openssl s_client -connect ${{ HOST }}:${{ PORT }} -servername ${{ HOST }} </dev/null 2>/dev/null \ | openssl x509 -noout -checkend $((30 * 86400)) \ && echo OK || echo "expires within 30 days"