cert-show

#!/bin/bash

help() {
   echo 'usage: cert-show (--type TYPE) (--der|--pem) (--help|certificate|--host host:port [--smtp|--postgres])'
   echo 'usage: cert-show certificate'
   echo 'usage: cert-show --help'
   echo
   echo '    print all kinds of certificates'
   echo
   echo '    the following extensions are automatically recognized:'
   echo
   echo '      p7b             -> pkcs7'
   echo '      pfx|p12         -> pkcs12'
   echo '      key             -> rsa private key'
   echo '      csr             -> certificate signing request'
   echo '      crl             -> certificate revocation list'
   echo '      cer|der|crt|pem -> certificates'
   echo
   echo '    you can force a type with `--type one_of_the_extensions_above`'
   echo
   echo '    TODO:'
   echo '    I am not sure: will openssl autorecognize formats?'
   echo '    you can force a format with `--der` or `--pem`'
   echo
   exit 1
}

[ "$1" == "--help" ] || [ "$1" == "" ] && help

if [ "$1" == "--host" ]; then
   [ "$2" == "" ] && help

   connection="$2"

   case "$3" in
      --smtp)     start_tls="-starttls smtp" ;;
      --postgres) start_tls="-starttls postgres" ;;
      "")         start_tls="" ;;
      *)          echo "ABORTING: don't know what to do with '$3'"; exit 1 ;;
   esac

   echo "" | \
   openssl s_client -showcerts -connect $connection $start_tls | \
   openssl x509 -inform pem -noout -text

else
   if [ "$1" == "--type" ]; then
     shift
     EXT="$1"
     shift
   fi

   if [ "$1" == "--der" ]; then
     shift
     FORMAT=der
   elif [ "$1" == "--pem" ]; then
     shift
     FORMAT=pem
   else
     : # noop
   fi

   CERT="$1"

   if [ "$EXT" == "" ]; then
     EXT=$( file_extension --lowercase "$CERT" )
   fi
   
   case "$EXT" in
      p7b)
            openssl pkcs7  -in "$CERT"
         ;;
      pfx|p12)
            openssl pkcs12 -in "$CERT" -nokeys
         ;;
      key)
            openssl rsa    -in "$CERT" -noout -text
         ;;
      csr)
            openssl req    -in "$CERT" -noout -text
         ;;
      crl)
            openssl crl    -in "$CERT" -noout -text
         ;;
      cer|der|crt|pem)
         if grep -q "BEGIN CERTIFICATE" "$CERT"; then
            # assume PEM format
            openssl x509   -in "$CERT" -noout -text -inform pem
         else
            # assume DER format
            openssl x509   -in "$CERT" -noout -text -inform der
         fi
         ;;
      *)
            openssl x509   -in "$CERT" -noout -text
         ;;
   esac
fi