step certificate inspect

NAME

step certificate inspect – print certificate or CSR details in human readable format

USAGE

step certificate inspect crt_file [–bundle] [–format=format] [–roots=root-bundle]

DESCRIPTION

step certificate inspect prints the details of a certificate or CSR in a human readable format. Output from the inspect command is printed to STDERR instead of STDOUT unless. This is an intentional barrier to accidental misuse: scripts should never rely on the contents of an unvalidated certificate. For scripting purposes, use step certificate verify.

If crt_file contains multiple certificates (i.e., it is a certificate “bundle”) the first certificate in the bundle will be output. Pass the –bundle option to print all certificates in the order in which they appear in the bundle.

POSITIONAL ARGUMENTS

crt_file
Path to a certificate or certificate signing request (CSR) to inspect. A hyphen (“-“) indicates STDIN as crt_file.

OPTIONS

–format=format
The output format for printing the introspection details.

format is a string and must be one of:

text
Print output in unstructured text suitable for a human to read.
json
Print output in JSON format.
–roots=roots
Root certificate(s) that will be used to verify the authenticity of the remote server.

roots is a case-sensitive string and may be one of:

file
Relative or full path to a file. All certificates in the file will be used for path validation.
list of files
Comma-separated list of relative or full file paths. Every PEM encoded certificate from each file will be used for path validation.
directory
Relative or full path to a directory. Every PEM encoded certificate from each file in the directory will be used for path validation.
–bundle=value
Print all certificates in the order in which they appear in the bundle. If the output format is ‘json’ then output a list of certificates, even if the bundle only contains one certificate. This flag will result in an error if the input bundle includes any PEM that does not have type CERTIFICATE.
–insecure=value
Use an insecure client to retrieve a remote peer certificate. Useful for debugging invalid certificates remotely.

EXIT CODES

This command returns 0 on success and >0 if any error occurs.

EXAMPLES

Inspect a local certificate (default to text format):

$ step certificate inspect ./certificate.crt

Inspect a local certificate bundle (default to text format):

$ step certificate inspect ./certificate-bundle.crt --bundle

Inspect a local certificate in json format:

$ step certificate inspect ./certificate.crt --format json

Inspect a local certificate bundle in json format:

$ step certificate inspect ./certificate.crt --format json --bundle

Inspect a remote certificate (using the default root certificate bundle to verify the server):

$ step certificate inspect https://smallstep.com

Inspect an invalid remote certificate:

$ step certificate inspect --insecure https://expired.badssl.com

Inspect a remote certificate chain (using the default root certificate bundle to verify the server):

$ step certificate inspect https://google.com --bundle

Inspect a remote certificate using a custom root certificate to verify the server:

$ step certificate inspect https://smallstep.com --roots ./root-ca.crt

Inspect a remote certificate using a custom list of root certificates to verify the server:

$ step certificate inspect https://smallstep.com \
--roots "./root-ca.crt,./root-ca2.crt,/root-ca3.crt"

Inspect a remote certificate using a custom directory of root certificates to verify the server:

$ step certificate inspect https://smallstep.com \
--roots "./path/to/root/certificates/"

Inspect a remote certificate chain in json format using a custom directory of root certificates to verify the server:

$ step certificate inspect https://google.com --format json \
--roots "./path/to/root/certificates/" --bundle

Inspect a local CSR in text format (default):

$ step certificate inspect foo.csr

Inspect a local CSR in json:

$ step certificate inspect foo.csr --format json