How to Check SSL Certificate Details Using Curl

This article provides a quick guide on how to inspect and verify SSL/TLS certificate details directly from your command line using curl. You will learn the specific commands required to retrieve essential certificate information—such as the issuer, common name, and expiration date—and how to filter the verbose output to find exactly what you need.

The Basic Curl Command

To view SSL certificate details, you must run curl in verbose mode. In verbose mode, curl writes its transfer details and SSL handshake information to the standard error (stderr) stream rather than to standard output.

The standard command to initiate this check is:

curl -Iv https://example.com

Here is what the flags mean:

* -I (or --head): Fetches only the HTTP headers instead of downloading the entire page content, keeping the output clean.
* -v (or --verbose): Enables verbose mode, which outputs the TLS handshake, cipher suites, and certificate details.

Filtering the Output for Specific Details

Because the verbose output of curl contains a lot of connection data, you can redirect standard error to standard output (2>&1) and use grep to filter for specific SSL certificate details.

1. Check the Expiration Date

To quickly find when an SSL certificate was issued and when it expires, use the following command:

curl -Iv https://example.com 2>&1 | grep -E "start date|expire date"

Example Output:

*  start date: Oct 24 00:00:00 2023 GMT
*  expire date: Oct 23 23:59:59 2024 GMT

2. Check the Certificate Issuer

To find out which Certificate Authority (CA) issued the SSL certificate, run:

curl -Iv https://example.com 2>&1 | grep "issuer"

Example Output:

*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1

3. Check the Common Name (Subject)

To verify the domain name (Common Name) for which the certificate was issued, use:

curl -Iv https://example.com 2>&1 | grep "subject"

Example Output:

*  subject: C=US; L=Denver; O=Example Corp; CN=www.example.com
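
The three filters above can be combined into one expiry check that also fails loudly when no certificate lines are present. This script is an added example, not part of the original article: the function names cert_field, days_left and check_cert are hypothetical, the sample curl output is constructed, and it assumes GNU date and the field labels shown above.

```shell
#!/bin/sh
# Added example: parse the certificate lines from `curl -Iv` output.
# Assumes the field labels shown in this article and GNU date (date -d).

# Constructed sample of curl's verbose output, so the script runs offline.
sample_output() {
cat <<'EOF'
* Server certificate:
*  subject: C=US; L=Denver; O=Example Corp; CN=www.example.com
*  start date: Oct 24 00:00:00 2023 GMT
*  expire date: Oct 23 23:59:59 2024 GMT
*  subjectAltName: host "www.example.com" matched cert's "www.example.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
EOF
}

# cert_field NAME: print the value of the first "*  NAME: value" line on stdin.
# Matching "NAME: " keeps "subject" from also matching "subjectAltName".
cert_field() {
    sed -n "s/^\* *$1: //p" | head -n 1
}

# days_left EXPIRY NOW_EPOCH: whole days from NOW_EPOCH until EXPIRY.
days_left() {
    cf_exp=$(date -u -d "$1" +%s) || return 2
    echo $(( (cf_exp - $2) / 86400 ))
}

# check_cert NOW_EPOCH WARN_DAYS < curl_output
# Returns 0 if at least WARN_DAYS remain, 1 if fewer, 2 if no certificate data.
check_cert() {
    cf_out=$(cat)
    cf_expiry=$(printf '%s\n' "$cf_out" | cert_field 'expire date')
    if [ -z "$cf_expiry" ]; then
        echo "no certificate details found (connection or TLS failure?)" >&2
        return 2
    fi
    cf_left=$(days_left "$cf_expiry" "$1") || return 2
    echo "$(printf '%s\n' "$cf_out" | cert_field subject): $cf_left day(s) left"
    [ "$cf_left" -ge "$2" ]
}

# Offline demo with a fixed clock (2024-10-01 00:00:00 UTC) and a 14-day threshold.
sample_output | check_cert 1727740800 14
# Live use: curl -Iv https://example.com 2>&1 | check_cert "$(date +%s)" 30
```

Unlike a bare grep, which prints nothing when the handshake fails, check_cert returns exit status 2 in that case so a monitoring job can tell "no data" apart from "certificate is fine".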

Checking Certificates on Non-Standard Ports

If you need to check an SSL certificate on a port other than 443 (for example, a mail server on port 465 or a custom API port), simply append the port number to the URL:

curl -Iv https://example.com:8443 2>&1 | grep -i "expire"

Handling Self-Signed or Invalid Certificates

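If a website uses an expired, self-signed, or otherwise invalid SSL certificate, curl will abort the connection by default and exit with an error. To bypass this security check and still inspect the certificate details, add the -k (or --insecure) flag. Because -k turns off certificate verification, the fields it prints come from a certificate that curl has not validated.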

curl -Ivk https://example.com 2>&1 | grep -E "expire|issuer"