Command-line tool to help you check & validate SSL / TLS certificate chains
FireDaemon Inspektor is a simple command-line utility designed to help you validate SSL / TLS certificate chains.
Why would you want such a utility?
In recent years, browsers have become much stricter in how they handle SSL / TLS certificates. For example, all major browsers will warn about or even block access to sites where the SSL / TLS certificate is expired, self-signed, or revoked. Similarly, access may be blocked if the certificate chain of trust (e.g. root CA or intermediate certificates) is incorrect, or if certificates in the chain of trust are missing or have been revoked. Hence, it's important to be able to audit the validity of certificates and certificate chains, and to test whether certificates have been revoked.
Installing FireDaemon Inspektor SSL / TLS Certificate Validator
1. Unpack the ZIP file to a temporary location.
2. Copy the contents of the x64 folder found in the ZIP file to a directory of your choice (e.g. C:\Program Files\FireDaemon Inspektor).
3. Install the Microsoft Windows Visual C++ Runtime from the prerequisites folder in the ZIP file by double-clicking on the file vc_redist.x64.exe.
4. Open an elevated command prompt and change directory to the installation directory (e.g. cd \Program Files\FireDaemon Inspektor).
Using FireDaemon Inspektor SSL / TLS Certificate Validator
Type SSLClient at the command prompt to see the command-line options per the screenshot below.
Checking A Certificate Chain
Use the SSLClient connect <url>:<port> syntax to check a certificate chain. Multiple <url>:<port> arguments can be supplied to check multiple certificates at once. For example:
Checking Certificate Revocation
You can also use the --crl-check option to check for the presence of a certificate revocation list URI. If none is presented, you will get a certificate verification error. For example, the firedaemon.com certificate does not contain a revocation list URI:
Whilst the microsoft.com certificate does contain a certificate revocation list URI:
You can test FireDaemon Inspektor with valid, expired, and revoked certificates via ssl.com.
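To cross-check the same properties without the tool, the following added example (not FireDaemon code) uses Python's standard ssl module to validate the chain against the system trust store and report whether the leaf certificate carries a CRL distribution point URI. The function names and the example.test sample data are assumptions made for illustration; note that Python's default context validates the chain and host name but does not itself fetch CRLs.

```python
import socket
import ssl
import sys
import time

# Constructed sample data in the dict format returned by ssl.SSLSocket.getpeercert().
SAMPLE_WITH_CRL = {
    "notAfter": "Jan 31 00:00:00 2026 GMT",
    "crlDistributionPoints": ("http://crl.example.test/ca.crl",),
}
SAMPLE_NO_CRL = {
    "notAfter": "Dec 01 00:00:00 2024 GMT",
    "OCSP": ("http://ocsp.example.test",),
}

def summarize(cert, now=None):
    """Report expiry and revocation pointers for one parsed leaf certificate."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    crl_uris = list(cert.get("crlDistributionPoints", ()))
    problems = []
    if not_after < now:
        problems.append("expired")
    if not crl_uris:
        problems.append("no CRL distribution point URI")
    return {
        "days_left": int((not_after - now) // 86400),
        "crl_uris": crl_uris,
        "ocsp_uris": list(cert.get("OCSP", ())),  # revocation may still be served via OCSP
        "problems": problems,
    }

def check(host, port=443, timeout=10):
    """Handshake with chain and host name verification against the system trust store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return summarize(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # Expired, self-signed, or broken chains end up here.
        return {"days_left": None, "crl_uris": [], "ocsp_uris": [], "problems": [exc.verify_message]}

if __name__ == "__main__":
    for target in sys.argv[1:]:  # arguments in host:port form
        host, _, port = target.partition(":")
        print(target, check(host, int(port or 443)))
```

Run it with one or more host:port arguments to check several sites at once; a certificate that lists only an OCSP responder shows up with an empty crl_uris list and a populated ocsp_uris list.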