Helper tooling for certificate management
Benefits:
- Static binary builds
- Does not require any host tools/packages
Installation
Linux
Install one of the packages (.deb or .rpm) from the releases page.
Or install manually:
- Replace ${VERSION} with the appropriate release version (e.g. 0.0.3)
- Download the crtool binary:
wget -O crtool https://github.com/sgnn7/crtool/releases/download/v${VERSION}/crtool_linux && \
chmod +x ./crtool
macOS
- Replace ${VERSION} with the appropriate release version (e.g. 0.0.3)
- Download the crtool binary:
wget -O crtool https://github.com/sgnn7/crtool/releases/download/v${VERSION}/crtool_darwin && \
chmod +x ./crtool
Windows
- Replace ${VERSION} with the appropriate release version (e.g. 0.0.3)
- Download the crtool binary:
wget -O crtool.exe https://github.com/sgnn7/crtool/releases/download/v${VERSION}/crtool.exe
Usage
Verify certificates of target server
crtool verify -t <target> [-p port]
Note: This command also supports verification of PEM certificates provided in a file if you specify the file:// scheme:
crtool verify -t file://path/to/file.crt
Currently this verifies per connection:
- Hostname
- System's CA certificate chain
- Issuer's CN
- Issuer's Signature
Currently this verifies per-cert fields:
Examples
Verify an expired cert
crtool verify -t expired.badssl.com
Verify a valid cert
crtool verify -t google.com
Verify certificate(s) in a file
crtool verify -t file://server.crt
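The checks listed above (hostname, CA chain, issuer signature) and the expired-certificate case can be reproduced offline with Go's standard crypto/x509 package. This is an added example, not crtool's own code; the helpers `issue`, `verify` and `scenarios` and the names `ca.example.test` and `server.example.test` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a throwaway cert for cn (constructed sample data); a nil parent yields a self-signed root CA.
func issue(cn string, ttl time.Duration, parent *x509.Certificate, pKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: time.Now().Add(ttl), DNSNames: []string{cn}}
	if parent == nil { // self-signed root CA: signs itself and is allowed to sign others
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, parent, pKey = true, true, x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify checks the issuer signature chain up to roots, the validity period, and the hostname.
func verify(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// scenarios returns one passing result and three distinct failures.
func scenarios() map[string]error {
	ca, caKey := issue("ca.example.test", time.Hour, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	good, _ := issue("server.example.test", time.Hour, ca, caKey)
	old, _ := issue("server.example.test", -time.Hour, ca, caKey) // already expired
	return map[string]error{
		"valid":          verify(good, roots, "server.example.test"),
		"wrong hostname": verify(good, roots, "other.example.test"),
		"expired":        verify(old, roots, "server.example.test"),
		"unknown issuer": verify(good, x509.NewCertPool(), "server.example.test"),
	}
}

func main() { fmt.Println(scenarios()) }
```

Leaving `Roots` nil in `x509.VerifyOptions` makes Go fall back to the system trust store, which corresponds to the "System's CA certificate chain" check in the list above.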
Dump certificates of target server to output. Works with self-signed certificates!
crtool dump -t <target> [-p port] [-o file] [-e < pem | der >]
Note: This command supports using file-provided PEM-encoded certs if you specify the file:// scheme, which is useful for transcoding:
crtool dump -t file://server.pem -o server.der -e der
Examples
Dump certificates from an https server to stdout in PEM encoding:
crtool dump -t google.com
Dump certificates from an https server into a file:
crtool dump -t google.com -o certs.txt
Dump leaf certificate from an https server into a file in DER encoding:
crtool dump -t google.com -o cert.der -e der
Dump certificates from an https server on a custom port into a file:
crtool dump -t google.com -p 8443 -o certs.txt
Dump certificates from an https server and pass them to another program:
crtool dump -t google.com | cat