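Get RSA instead of ECDSA certificate

Offering only RSA signature algorithms makes a server that holds both certificate types present its RSA one. TLS 1.2 is pinned because the RSA+SHA* names are PKCS#1 v1.5 signature algorithms; TLS 1.3 handshakes sign with RSA-PSS instead.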

openssl s_client -connect example.com:443 -tls1_2 -sigalgs RSA+SHA256:RSA+SHA384:RSA+SHA512

Connect with alternative SNI

openssl s_client -connect <IP or domain>:443 -servername <SNI domain>

See also gnutls-cli.

Check server certificate details

# Server (leaf) certificate only; add -noout to hide the PEM-encoded output.
# `echo |` gives s_client an immediate end of input so it exits after the handshake.
# 2>/dev/null also discards s_client's verification messages, so this shows what the
# server sent, not whether it validated. s_client completes the handshake even when
# chain verification fails and does not check the hostname unless asked; run it with
# -verify_return_error and -verify_hostname <name> when the result must be trusted.
echo | openssl s_client -connect <IP or domain>:443 2>/dev/null | openssl x509 -text
# Certificate chain (with compact text output for subject, issuer, algorithm and validity periods).
# -showcerts lists the certificates exactly as the server sent them; it is not a verified chain.
echo | openssl s_client -showcerts -connect <IP or domain>:443 2>/dev/null
# All certificate details in text; add -noout to hide the PEM-encoded output.
# crl2pkcs7 -nocrl wraps every PEM certificate found in the s_client output into one
# PKCS#7 structure, which pkcs7 -print_certs -text then prints certificate by certificate.
echo | openssl s_client -showcerts -connect <IP or domain>:443 2>/dev/null | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -text
 
# Read a certificate bundle and print each certificate in text form.
# Input format validation is stricter here, so don't feed s_client output to it directly.
# The last argument can be a file name or a `file:<filename>` URI.
openssl storeutl -text -certs <filename>