Verify TLS certificate via CLI

TLS is everywhere these days (thankfully!), and while browsers do a pretty good job of letting you know when a cert is no good, sometimes you need to do it from the terminal.

openssl s_client -connect $HOST:$PORT

For example, for google.com we see

This lets use see that the cert is valid, but what if we want to check the issuance and expiry dates? Easy.

openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -dates

If you want to connect to an IPv6 host (by IP, rather than hostname), enclose the IP address in square brackets, as follows:

openssl s_client -servername google.com -connect [2607:f8b0:4005:801::200e]:443