check_ssl_cert(1) USER COMMANDS check_ssl_cert(1)

check_ssl_cert - checks the validity of X.509 certificates

check_ssl_cert -H host [OPTIONS]
check_ssl_cert -f file [OPTIONS]

check_ssl_cert is a shell script (usable as a Nagios/Icinga plugin) that checks an SSL/TLS connection or a local certificate file.

-f,--file file
local file path or URI. With -f you can pass not only an X.509 certificate file but also a certificate revocation list (CRL) to check its validity period
-H,--host host
server

-A,--noauth
ignore authority warnings (expiration only)
--all
enables all the possible optional checks at the maximum level
--all-local
enables all the possible optional checks at the maximum level (without SSL-Labs)
--allow-empty-san
allow certificates without Subject Alternative Names (SANs)
-C,--clientcert path
use client certificate to authenticate
-c,--critical days
minimum number of days a certificate has to be valid to issue a critical status. Can be a floating point number, e.g., 0.5. Default: 15
--check-ciphers grade
checks the offered ciphers
--check-ciphers-warnings
critical if nmap reports a warning for an offered cipher
--check-ssl-labs-warn grade
SSL Labs grade on which to warn
--clientpass phrase
set passphrase for client certificate.
--crl
checks revocation via CRL (requires --rootcert-file)
--curl-bin path
path of the curl binary to be used
--curl-user-agent string
user agent that curl shall use to obtain the issuer cert
--custom-http-header string
custom HTTP header sent when getting the certificate. Example: 'X-Check-Ssl-Cert: Foobar=1'
-d,--debug
produces debugging output (can be specified more than once)
--dane
verify that valid DANE records exist (since OpenSSL 1.1.0)
--dane 211
verify that a valid DANE-TA(2) SPKI(1) SHA2-256(1) TLSA record exists
--dane 301
verify that a valid DANE-EE(3) Cert(0) SHA2-256(1) TLSA record exists
--dane 302
verify that a valid DANE-EE(3) Cert(0) SHA2-512(2) TLSA record exists
--dane 311
verify that a valid DANE-EE(3) SPKI(1) SHA2-256(1) TLSA record exists
--dane 312
verify that a valid DANE-EE(3) SPKI(1) SHA2-512(2) TLSA record exists
--date path
path of the date binary to be used
--debug-cert
stores the retrieved certificates in the current directory
--debug-file file
writes the debug messages to file
--debug-time
writes timing information in the debugging output
--dig-bin path
path of the dig binary to be used
-e,--email address
pattern to match the email address contained in the certificate
--ecdsa
signature algorithm selection: force ECDSA certificate
--element number
checks up to the Nth certificate element from the beginning of the chain
--file-bin path
path of the file binary to be used
--fingerprint SHA1
pattern to match the SHA1-Fingerprint
--first-element-only
verify just the first cert element, not the whole chain
--force-dconv-date
force the usage of dconv for date computations
--force-perl-date
force the usage of Perl for date computations
--format FORMAT
format output template on success, for example: '%SHORTNAME% OK %CN% from %CA_ISSUER_MATCHED%'
list of possible variables:
- %HOST%
- %PORT%
- %CA_ISSUER_MATCHED%
- %CHECKEDNAMES%
- %CN%
- %DATE%
- %DAYS_VALID%
- %DYSPLAY_CN%
- %OPENSSL_COMMAND%
- %SELFSIGNEDCERT%
- %SHORTNAME%
- %OCSP_EXPIRES_IN_HOURS%
- %SSL_LABS_HOST_GRADE%
-h,--help,-?
this help message
--http-use-get
use GET instead of HEAD (default) for the HTTP related checks
-i,--issuer issuer
pattern to match the issuer of the certificate
--ignore-altnames
ignores alternative names when matching the pattern specified in -n (or the host name)
--ignore-connection-problems [state]
in case of connection problems returns OK or the optional state
--ignore-exp
ignore expiration date
--ignore-host-cn
do not complain if the CN does not match the host name
--ignore-incomplete-chain
does not check chain integrity
--ignore-ocsp
do not check revocation with OCSP
--ignore-ocsp-errors
continue if the OCSP status cannot be checked
--ignore-ocsp-timeout
ignore OCSP result when timeout occurs while checking
--ignore-sct
do not check for signed certificate timestamps (SCT)
--ignore-sig-alg
do not check if the certificate was signed with SHA1 or MD5
--ignore-ssl-labs-cache
forces a new check by SSL Labs (see -L)
--ignore-tls-renegotiation
ignores the TLS renegotiation check
--inetproto protocol
force IP version 4 or 6
--info
prints certificate information
--issuer-cert-cache dir
directory where to store issuer certificates cache
-K,--clientkey path
use client certificate key to authenticate
-L,--check-ssl-labs grade
SSL Labs assessment (please check https://www.ssllabs.com/about/terms.html). Critical if the grade is lower than specified.
--long-output list
append the specified comma separated (no spaces) list of attributes to the plugin output on additional lines. Valid attributes are: enddate, startdate, subject, issuer, modulus, serial, hash, email, ocsp_uri and fingerprint. 'all' will include all the available attributes.
-m,--match name
pattern to match the CN or AltName (can be specified multiple times)
--nmap-bin path
path of the nmap binary to be used
--no-perf
do not show performance data
--no-proxy
ignores the http_proxy and https_proxy environment variables
--no-proxy-curl
ignores the http_proxy and https_proxy environment variables for curl
--no-proxy-s_client
ignores the http_proxy and https_proxy environment variables for openssl s_client
--no-ssl2
disable SSL version 2
--no-ssl3
disable SSL version 3
--no-tls1
disable TLS version 1
--no-tls1_1
disable TLS version 1.1
--no-tls1_3
disable TLS version 1.3
--no-tls1_2
disable TLS version 1.2
--not-issued-by issuer
check that the issuer of the certificate does not match the given pattern
--not-valid-longer-than days
critical if the certificate validity is longer than the specified period
-o,--org org
pattern to match the organization of the certificate
--ocsp-critical hours
minimum number of hours an OCSP response has to be valid to issue a critical status
--ocsp-warning hours
minimum number of hours an OCSP response has to be valid to issue a warning status
--openssl path
path of the openssl binary to be used
-p,--port port
TCP port
--precision digits
number of decimal places for durations: defaults to 0 if critical or warning are integers, 2 otherwise
-P,--protocol protocol
use the specified protocol: ftp, ftps, http, https (default), h2 (HTTP/2), imap, imaps, irc, ircs, ldap, ldaps, mysql, pop3, pop3s, postgres, sieve, smtp, smtps, xmpp, xmpp-server.
The following protocols switch to TLS using StartTLS: ftp, imap, irc, ldap, mysql, pop3, postgres, sieve, smtp.
--password source
password source for a local certificate; see the PASS PHRASE ARGUMENTS section of openssl(1)
--prometheus
generates Prometheus/OpenMetrics output
--proxy proxy
sets http_proxy and the s_client -proxy option
-q,--quiet
do not produce any output
-r,--rootcert cert
root certificate or directory to be used for certificate validation (passed to openssl's -CAfile or -CApath)
--require-client-cert [list]
the server must accept a client certificate. 'list' is an optional comma separated list of expected client certificate CAs
--require-no-ssl2
critical if SSL version 2 is offered
--require-no-ssl3
critical if SSL version 3 is offered
--require-no-tls1
critical if TLS 1 is offered
--require-no-tls1_1
critical if TLS 1.1 is offered
--require-ocsp-stapling
require OCSP stapling
--resolve ip
provides a custom IP address for the specified host
--rootcert-dir dir
root directory to be used for certificate validation (passed to openssl's -CApath); overrides option -r,--rootcert
--rootcert-file cert
root certificate to be used for certificate validation (passed to openssl's -CAfile); overrides option -r,--rootcert
--rsa
signature algorithm selection: force RSA certificate
-s,--selfsigned
allows self-signed certificates
--serial serialnum
pattern to match the serial number
--skip-element number
skips checks on the Nth cert element (can be specified multiple times)
--sni name
sets the TLS SNI (Server Name Indication) extension in the ClientHello message to 'name'
--ssl2
force SSL version 2
--ssl3
force SSL version 3
-t,--timeout seconds
timeout after the specified number of seconds (defaults to 120 seconds)
--temp dir
directory where to store the temporary files
--terse
terse output (also see --verbose)
--tls1
force TLS version 1
--tls1_1
force TLS version 1.1
--tls1_2
force TLS version 1.2
--tls1_3
force TLS version 1.3
-u,--url URL
HTTP request URL
-v,--verbose
verbose output (can be specified more than once)
-V,--version
version
-w,--warning days
minimum number of days a certificate has to be valid to issue a warning status. Might be a floating point number, e.g., 0.5. Default: 20
--xmpphost name
specifies the host for the 'to' attribute of the stream element
-4
force IPv4
-6
force IPv6

--altnames
matches the pattern specified in -n with alternate names too (enabled by default)
-d,--days days
minimum number of days a certificate has to be valid (see --critical and --warning)
-n,--cn name
pattern to match the CN or AltName (can be specified multiple times)
-N,--host-cn
match CN with the host name (enabled by default)
--no_ssl2
disable SSLv2 (deprecated, use --no-ssl2)
--no_ssl3
disable SSLv3 (deprecated, use --no-ssl3)
--no_tls1
disable TLSv1 (deprecated, use --no-tls1)
--no_tls1_1
disable TLSv1.1 (deprecated, use --no-tls1_1)
--no_tls1_2
disable TLSv1.2 (deprecated, use --no-tls1_2)
--no_tls1_3
disable TLSv1.3 (deprecated, use --no-tls1_3)
--ocsp
check revocation via OCSP (enabled by default)
--require-san
require the presence of a Subject Alternative Name extension
-S,--ssl version
force SSL version (2,3) (see: --ssl2 or --ssl3)

If the host has multiple certificates and the installed openssl version supports the -servername option, it is possible to specify the TLS SNI (Server Name Indication) with the -N (or --host-cn) option.

check_ssl_cert returns a zero exit status if it finds no errors, 1 for warnings, 2 for critical errors and 3 for unknown problems.

Please report bugs to: https://github.com/matteocorti/check_ssl_cert/issues

check_ssl_cert --host github.com --all-local
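As an added example that is not part of this man page or of the check_ssl_cert project, the following POSIX sh wrapper runs the plugin against several hosts with the -w/-c thresholds and the --format template documented above and folds the per-host exit statuses (0 OK, 1 warning, 2 critical, 3 unknown) into one overall state. CHECK_SSL_CERT, WARN_DAYS and CRIT_DAYS are environment variables introduced here, and the severity ordering CRITICAL > WARNING > UNKNOWN > OK is a convention chosen for the example.

```shell
#!/bin/sh
# Added example (not from the check_ssl_cert project): check several hosts
# and report the worst state, using the exit statuses documented above.
# CHECK_SSL_CERT names the command to run (assumed to be on PATH by default).
CHECK_SSL_CERT=${CHECK_SSL_CERT:-check_ssl_cert}
WARN_DAYS=${WARN_DAYS:-20}   # the page's default for -w,--warning
CRIT_DAYS=${CRIT_DAYS:-15}   # the page's default for -c,--critical

# state_name STATUS: map a plugin exit status to its Nagios state name.
state_name() {
    case "$1" in
        0) echo OK ;;
        1) echo WARNING ;;
        2) echo CRITICAL ;;
        *) echo UNKNOWN ;;
    esac
}

# severity STATUS: rank used when folding states; this ordering
# (CRITICAL > WARNING > UNKNOWN > OK) is a convention chosen here.
severity() {
    case "$1" in
        2) echo 3 ;;
        1) echo 2 ;;
        3) echo 1 ;;
        *) echo 0 ;;
    esac
}

# check_hosts HOST...: run the plugin once per host, print one line per
# host, and return the most severe exit status seen.
check_hosts() {
    worst=0
    for host in "$@"; do
        out=$("$CHECK_SSL_CERT" -H "$host" -w "$WARN_DAYS" -c "$CRIT_DAYS" \
              --format '%SHORTNAME% %CN% valid for %DAYS_VALID% days' 2>&1)
        rc=$?   # exit status of the command substitution
        printf '%s %s: %s\n' "$host" "$(state_name "$rc")" "$out"
        if [ "$(severity "$rc")" -gt "$(severity "$worst")" ]; then
            worst=$rc
        fi
    done
    return "$worst"
}

# When invoked with host names, check them and exit with the worst state.
if [ $# -gt 0 ]; then
    check_hosts "$@"
fi
```

The script's own exit status can be fed straight back to a Nagios/Icinga host check, since it keeps the plugin's 0/1/2/3 convention.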

openssl(1), openssl-x509(1)
March, 2022 2.23.0

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.