Published on 16 June 2025
I had already shown how to view the details of a local SSL certificate with openssl. Now, here is how to view the same thing, but on a remote server, by connecting over HTTPS.
The command is simple:
openssl s_client -connect palc.fr:443 | openssl x509 -noout -text
It returns exactly the same information as if the certificate were local:
Connecting to 2001:41d0:304:300::105f
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E6
verify return:1
depth=0 CN=palc.fr
verify return:1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
06:81:95:54:f9:7f:75:06:d4:d8:33:af:7b:c6:72:52:79:35
Signature Algorithm: ecdsa-with-SHA384
Issuer: C=US, O=Let's Encrypt, CN=E6
Validity
Not Before: Apr 27 15:22:18 2025 GMT
Not After : Jul 26 15:22:17 2025 GMT
Subject: CN=palc.fr
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:f0:20:99:98:aa:f7:0a:8b:65:9e:de:d9:e4:ce:
ec:e3:e4:bf:dd:13:22:cb:cc:93:d9:c1:0f:4e:f6:
f9:50:4f:d2:d8:53:af:6c:7e:6c:2b:96:38:2b:a2:
b9:56:80:56:5f:9f:0b:77:52:44:25:12:49:1c:c3:
bf:d2:8d:79:7d
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
25:43:F3:D5:8B:77:9F:9B:01:B8:5E:46:71:21:AD:50:2A:95:65:A5
X509v3 Authority Key Identifier:
93:27:46:98:03:A9:51:68:8E:98:D6:C4:42:48:DB:23:BF:58:94:D2
Authority Information Access:
OCSP - URI:http://e6.o.lencr.org
CA Issuers - URI:http://e6.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:palc.fr, DNS:www.palc.fr
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://e6.c.lencr.org/54.crl
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 0D:E1:F2:30:2B:D3:0D:C1:40:62:12:09:EA:55:2E:FC:
47:74:7C:B1:D7:E9:30:EF:0E:42:1E:B4:7E:4E:AA:34
Timestamp : Apr 27 16:20:48.706 2025 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:46:B4:2F:2C:BC:AA:D1:D1:A1:48:05:0E:
5C:FC:81:50:C9:31:21:83:54:62:7B:73:FD:1C:DC:67:
E6:CE:E3:7E:02:20:61:BE:E7:46:C3:80:33:93:C2:D3:
16:B4:92:2E:1C:2D:CB:AA:6B:B3:21:73:8A:74:AF:96:
6A:BF:C5:78:24:44
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : AF:18:1A:28:D6:8C:A3:E0:A9:8A:4C:9C:67:AB:09:F8:
BB:BC:22:BA:AE:BC:B1:38:A3:A1:9D:D3:F9:B6:03:0D
Timestamp : Apr 27 16:20:49.352 2025 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:76:31:88:0E:57:D3:E3:22:ED:2F:74:BE:
41:4A:4D:4A:09:8A:74:CA:EF:4F:FC:8E:48:E0:87:69:
F3:07:F5:EC:02:21:00:D2:5B:76:D5:E8:A3:15:EB:05:
67:47:A1:CC:5C:5F:CA:55:56:9C:05:FC:19:93:A7:5D:
1B:CE:C8:59:12:39:29
Signature Algorithm: ecdsa-with-SHA384
Signature Value:
30:66:02:31:00:b0:5b:28:b3:2b:f9:e7:75:a2:28:10:be:1a:
3f:f4:ff:42:70:62:e3:51:dd:72:38:52:49:c3:42:ea:fd:ec:
0f:ce:71:56:ae:4a:1a:34:d4:ac:04:30:c3:23:ba:00:d7:02:
31:00:c6:6c:ac:e2:01:91:fb:67:b5:c4:27:ff:cf:81:aa:ca:
ea:4e:a3:1c:9f:4d:f0:74:d6:c2:ae:8e:b6:c2:cc:5e:b2:12:
a9:35:b0:20:59:82:c6:0f:4b:3c:dc:29:f1:97
It is possible to query a server other than the one the DNS points to. In that case, run:
openssl s_client -connect 193.70.74.238:443 -servername palc.fr | openssl x509 -noout -text
Note: This command only returns control when the server closes the connection. It is always possible to interrupt it with Ctrl+C.
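The two commands above, wrapped as an added example (not from the original post): it sends the host name as SNI whether or not an explicit address is given, brackets IPv6 literals for -connect, closes stdin so that s_client returns on its own, and reduces the text output to issuer, subject, expiry and SANs. The function names are hypothetical, and the sample input is a set of lines excerpted from the output shown earlier.

```shell
#!/bin/sh
# Added example; connect_target, remote_cert_text, cert_summary and
# sample_text are hypothetical helper names, not part of openssl.

# Address for -connect: $1 = host name (also sent as SNI), $2 = optional IP
# to dial instead of the DNS answer, $3 = optional port (default 443).
connect_target() {
    addr=${2:-$1}
    case $addr in
        \[*) ;;                  # IPv6 literal already bracketed
        *:*) addr="[$addr]" ;;   # bare IPv6 literal: bracket it before ":port"
    esac
    printf '%s:%s\n' "$addr" "${3:-443}"
}

# Print the server certificate as text. </dev/null gives s_client EOF on
# stdin, so it exits after the handshake instead of waiting for the server.
remote_cert_text() {
    openssl s_client -connect "$(connect_target "$@")" -servername "$1" \
        </dev/null 2>/dev/null | openssl x509 -noout -text
}

# Reduce `openssl x509 -text` output on stdin to the fields checked first.
cert_summary() {
    awk '
        /^ *Issuer:/      { sub(/^ *Issuer: */, "");      print "issuer=" $0;    next }
        /^ *Subject:/     { sub(/^ *Subject: */, "");     print "subject=" $0;   next }
        /^ *Not After *:/ { sub(/^ *Not After *: */, ""); print "not_after=" $0; next }
        san               { sub(/^ +/, ""); print "san=" $0; san = 0; next }
        /X509v3 Subject Alternative Name:/ { san = 1 }
    '
}

# Offline sample: lines excerpted from the output shown in the post.
sample_text() {
    cat <<'EOF'
        Issuer: C=US, O=Let's Encrypt, CN=E6
            Not After : Jul 26 15:22:17 2025 GMT
        Subject: CN=palc.fr
        Subject Public Key Info:
            X509v3 Subject Key Identifier:
            X509v3 Subject Alternative Name:
                DNS:palc.fr, DNS:www.palc.fr
EOF
}

sample_text | cert_summary
# Live use: remote_cert_text palc.fr 193.70.74.238 | cert_summary
```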