showcert


- Name: showcert
- Version: 0.2.9
- Summary: Simple OpenSSL for humans: all you need for X.509 TLS certificates (and nothing more)
- Upload time: 2024-11-21 17:31:18
- Requires Python: >=3.8
- License: MIT License. Copyright (c) 2022 Yaroslav Polyakov. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- Keywords: ca, ssl, tls, x.509, x509, alternative, certificate, gencert, generate, local, openssl, remote, showcert, simple, verify
- Requirements: No requirements were recorded.

# showcert - simple OpenSSL for humans

showcert consists of two CLI utilities: `showcert` itself, for all 'read' operations on X.509 certificates, and `gencert`, to create certificates for development purposes.

showcert tries to follow these principles:
- Simple things must be simple. More complex things may require some options. 
- Be simple and cover 9/10 routine certificate-related tasks.
- If showcert is missing some rarely used feature and the user needs openssl for it, that is okay.


## showcert
Micro-cheatsheet (only the 5 most often used commands):
~~~bash
# Remote:
showcert github.com
showcert smtp.google.com:25
# save remote certificate or whole --chain
showcert --chain -o pem google.com > google-fullchain.pem

# Local:
# -i for insecure (process self-signed or expired certificates)
showcert -i /etc/ssl/certs/ssl-cert-snakeoil.pem
# letsencrypt-special sugar
sudo showcert -q :le -w50 || echo "local LetsEncrypt certificates will expire in less than 50 days"
~~~

~~~bash
# You will never forget how to use it:
$ showcert github.com
IP: 140.82.121.3
Names: github.com www.github.com
notBefore: 2022-03-15 00:00:00 (182 days old)
notAfter: 2023-03-15 23:59:59 (183 days left)
Issuer: C=US O=DigiCert Inc CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1

# Compare it against openssl:
# two redirections, pipe, two invocations and 5 unneeded options
$ openssl s_client -connect github.com:443 </dev/null 2>/dev/null | openssl x509 -inform pem -text

# View Google SMTP server cert. starttls mode selected automatically. Same for POP3/IMAP and any simple TLS service
$ showcert smtp.google.com:25

# Save full chain of google.com certificates to local PEM file
$ showcert --chain -o pem google.com > google-fullchain.pem

# Warn about any LetsEncrypt cert which will expire in 50 days or less
# :le is just a special token, replaced with /etc/letsencrypt/live/*/fullchain.pem
$ sudo showcert -q :le -w50 || echo panic
/etc/letsencrypt/live/my.example.com/fullchain.pem expires in 47 days
panic
~~~

### STARTTLS implementation
showcert has built-in STARTTLS support for SMTP (port 25), POP3 (port 110) and IMAP (port 143). You can select the method explicitly with the `--starttls` option (or disable it with `--starttls no`), but the default value (`auto`) is OK for most cases. The option is needed only when you test servers on non-standard ports.

### Exit code
showcert returns a non-zero exit code (1) on any error (including an expired certificate or a host mismatch).
If `-w DAYS` is used, exit code 2 is returned for valid certificates that will expire in `DAYS` days or sooner.
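
A monitoring wrapper built on these exit codes, as an added example that is not part of showcert. It maps them to the usual monitoring-plugin states, where the numbering is the other way round (1 is WARNING, 2 is CRITICAL); the `SHOWCERT` variable and the function names `plugin_state` and `check_targets` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of showcert. Maps showcert's documented exit codes
# (0 = valid, 1 = error, 2 = valid but expiring within -w DAYS) to
# monitoring-plugin states (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN).

# SHOWCERT is an assumption of this example: it lets you point the wrapper
# at another binary (or a stub in tests). The default is the real CLI.
SHOWCERT="${SHOWCERT:-showcert}"

# Translate one showcert exit code into a plugin state number.
plugin_state() {
    case "$1" in
        0) echo 0 ;;   # certificate valid and not expiring soon
        2) echo 1 ;;   # valid, but expires within the -w window: WARNING
        1) echo 2 ;;   # expired, host mismatch or other error: CRITICAL
        *) echo 3 ;;   # anything else (e.g. 127, command not found): UNKNOWN
    esac
}

# check_targets DAYS TARGET...
# Prints one line per target and returns the highest state number seen.
check_targets() {
    days="$1"; shift
    worst=0
    for target in "$@"; do
        rc=0
        # '|| rc=$?' keeps the real exit code even when the caller uses 'set -e'
        "$SHOWCERT" "$target" -q -w "$days" >/dev/null 2>&1 || rc=$?
        state=$(plugin_state "$rc")
        case "$state" in
            0) label=OK ;;
            1) label=WARNING ;;
            2) label=CRITICAL ;;
            *) label=UNKNOWN ;;
        esac
        echo "$label $target (showcert exit $rc)"
        if [ "$state" -gt "$worst" ]; then worst="$state"; fi
    done
    return "$worst"
}

# Stand-alone use: sh this-file DAYS TARGET...
if [ "$#" -ge 2 ]; then check_targets "$@"; fi
```

A plain `showcert ... || echo panic` treats "expiring soon" and "already invalid" the same way; checking for exit code 2 separately lets renewals be scheduled before they become outages.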

### Usage

~~~shell
$ bin/showcert -h
usage: showcert [-h] [-i] [--output OUTPUT] [-c] [-w [DAYS]] [-q] [-n NAME] [-t METHOD] [-l TIME]
                [--ca CA] [--net]
                CERT [CERT ...]

Show local/remote SSL certificate info v0.1.15

positional arguments:
  CERT                  path, - (stdin), ":le" (letsencrypt cert path), hostname or hostname:port

optional arguments:
  -h, --help            show this help message and exit
  -i, --insecure        Do not verify remote certificate
  --output OUTPUT, -o OUTPUT
                        output format: brief, full, names, dnames (for certbot), pem, no.
  -c, --chain           Show chain (not only server certificate)
  -w [DAYS], --warn [DAYS]
                        Warn about expiring certificates (def: 20 days)

Rarely needed options:
  -q, --quiet           Quiet mode, same as --output no
  -n NAME, --name NAME  name for SNI (if not same as CERT host)
  -t METHOD, --starttls METHOD
                        starttls method: auto (default, and OK almost always), no, imap, smtp, pop3
  -l TIME, --limit TIME
                        socket timeout (def: 5)
  --ca CA               path to trusted CA certificates, def: /usr/local/lib/python3.9/dist-packages/certifi/cacert.pem
  --net                 Force network check (if you want to check host and have file/dir with same name in current directory)

Examples:  
  # just check remote certificate
  bin/showcert example.com

  # check SMTP server certificate (autodetected: --starttls smtp )
  bin/showcert smtp.google.com:25

  # save fullchain from google SMTP to local PEM file
  bin/showcert --chain -o pem google.com > google-fullchain.pem
  
  # look for expiring letsencrypt certificates 
  # :le is alias for /etc/letsencrypt/live/*/fullchain.pem 
  bin/showcert :le -q -w 20 || echo "expiring soon!"
~~~

## gencert
gencert is a simple tool to quickly generate X.509 certificates **for development purposes**.
I am not sure if they are very secure. Do not use it in real production!

### Generate self-signed cert
~~~shell
gencert example.com www.example.com
~~~
This creates the file `example.com.pem`, containing both the certificate and the key. Add `--key example.com.key` to store the key in a separate file. Add `--cert mycert.pem` to store the certificate under a different file name.

### Your own CA in two simple commands
Generate CA cert/key:
~~~shell
gencert --ca "My own CA"
~~~
This creates `My-own-CA.pem` and the private key `My-own-CA.key` (override with `--cert` and `--key`).

Generate signed certificate:
~~~shell
gencert --cacert My-own-CA.pem example.com
~~~
Done!

`--cacert` is required, `--cakey` is optional (omitted in the example). gencert looks for the CA private key in the following order:
- in the `--cakey` PEM file (if given)
- in the `--cacert` PEM file (if a key is found there)
- in a guessed filename: if `--cacert` is CA.pem, gencert will try to load the key from CA.key.
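
Because a gencert `.pem` file can hold the private key next to the certificate (the default self-signed output, and a `--cacert` file that carries its own key), it is worth producing a key-free copy before handing a certificate to clients as a trust anchor. The helper below is an added example, not part of gencert; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of gencert.

# Succeeds (exit 0) if FILE contains any PEM private-key block: PKCS#8
# ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY") or legacy forms such as
# "RSA PRIVATE KEY" and "EC PRIVATE KEY".
pem_has_private_key() {
    grep -Eq -e '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"
}

# Print only the CERTIFICATE blocks of FILE, dropping keys and other text.
pem_certs_only() {
    awk '/^-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep                          { print }
         /^-----END CERTIFICATE-----/   { keep = 0 }' "$1"
}

# publish_cert SRC DST: write a key-free copy of SRC to DST.
# Fails if SRC holds no certificate, so an empty trust file is never produced.
publish_cert() {
    src="$1"; dst="$2"
    if ! grep -q -e '^-----BEGIN CERTIFICATE-----' "$src"; then
        echo "no certificate in $src" >&2
        return 1
    fi
    pem_certs_only "$src" > "$dst"
    if pem_has_private_key "$src"; then
        echo "note: $src also contains a private key; $dst does not" >&2
    fi
    return 0
}

# Stand-alone use: sh this-file SRC.pem DST.pem
if [ "$#" -eq 2 ]; then publish_cert "$1" "$2"; fi
```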


You may verify the certificate with showcert and openssl:
~~~shell
# verify with showcert (unless '-i' given, showcert expects a valid certificate)
$ showcert --ca MyCA.pem example.com.pem
Names: example.com
notBefore: 2024-01-26 11:30:24 (0 days old)
notAfter: 2025-01-25 11:30:24 (364 days left)
Issuer: CN=MyCA

# verify with openssl
$ openssl verify -CAfile MyCA.pem example.com.pem 
example.com.pem: OK
~~~

## Installation
`pipx install showcert`

Or right from repo: `pipx install git+https://github.com/yaroslaff/showcert` 

Or use the old way, via pip/pip3:
- `pip3 install showcert` (just install)
- `pip3 install -U showcert` (upgrade)
- `pip3 install -U git+https://github.com/yaroslaff/showcert` (install/upgrade from git)

            
