whatsthatcert -- fetch the TLS cert from a given site


Sometimes it can be useful to check what the x509 certificate used by a given endpoint is. Of course this can trivially be done from the command-line:

</dev/null openssl s_client -connect hostname:443 |
        openssl x509 -noout -text

But what if you are being MitM'd, either by some evil entity, or perhaps by one of those middle boxes used in corporate environments?

Well, then you'd be seeing a different certificate. Wouldn't it be nice to have an easy way to ask: "What would the certificate be if I connected from somewhere else?"

This endpoint here can do just that: you provide a hostname, and it will connect to that hostname and then show you the certificate it observed. That's all.

Now of course it's possible that whatever mechanism is intercepting the connection between you and the destination is also intercepting the connection to this service, but actual rewriting of content is, in most cases, unlikely.

(There are, of course, many other reasons why you might see a different cert than what I see -- CDNs and geo-targeting, for example. But even then it might be useful to be able to tell.)

curl(1) Examples

In case you want to just run this on the command-line yourself, here are some examples:

# Just the PEM cert:
curl -s "https://www.netmeister.org/whatsthatcert/?h=www.yahoo.com"
# The full chain in PEM format:
curl -s "https://www.netmeister.org/whatsthatcert/?h=www.yahoo.com&out=chain"
# Just the SHA1 fingerprint, this time from an alternate port:
curl -s "https://www.netmeister.org/whatsthatcert/?h=tls-v1-0.badssl.com:1010&out=fp"
# Using an SNI
curl -s "https://www.netmeister.org/whatsthatcert/?h=104.154.89.105&s=sha256.badssl.com"
# And of course IPv6 works, too:
curl -s "https://www.netmeister.org/whatsthatcert/?h=2001:4998:44:3507::7000"
curl -s "https://www.netmeister.org/whatsthatcert/?h=[2001:4998:44:3507::7000]:443"

As a quick check to see if you're being MitM'd, you could then:

$ </dev/null openssl s_client -connect www.yahoo.com:443 2>>/dev/null | 
        openssl x509 -fingerprint -noout
SHA1 Fingerprint=F7:27:7C:0C:BF:D4:53:F4:F9:A3:AF:F2:31:32:ED:88:03:0B:D7:E6
$ curl -s "https://www.netmeister.org/whatsthatcert/?h=www.yahoo.com&out=fp"
SHA1 Fingerprint=69:F9:48:E4:6D:B5:F8:AE:04:B2:F6:C4:15:77:49:86:D3:1B:25:33
$ 

or, if you want to save yourself some typing on subsequent invocations:

x509fp() {
        </dev/null openssl s_client -connect $1:443 2>/dev/null | \
                openssl x509 -fingerprint -noout
}

whatsthatcert() {
	curl -s "https://www.netmeister.org/whatsthatcert/?h=$1&$2"
}

am-i-being-mitmd() {
        diff <(x509fp $1) <(whatsthatcert $1 out=fp) || \
                echo "Yep, looks like we're being MitM'd."
}

$ am-i-being-mitmd www.yahoo.com
1c1
< SHA1 Fingerprint=F7:27:7C:0C:BF:D4:53:F4:F9:A3:AF:F2:31:32:ED:88:03:0B:D7:E6
---
> SHA1 Fingerprint=69:F9:48:E4:6D:B5:F8:AE:04:B2:F6:C4:15:77:49:86:D3:1B:25:33
Yep, looks like we're being MitM'd.


If curl(1) is not your thing, here's a web form, too:

Hostname / IP:
Port (optional):
SNI (optional):
Format: Leaf cert in PEM format
Full chain in PEM format
SHA1 Fingerprint

[Made by @jschauma] | [Other Signs of Triviality] | [main page]