Here’s a new tool I just open sourced: certdiff.
It’s a very simple bash script that solves an annoying problem for me. If I want to diff 2 certificate files, I can’t just run the diff tool. After all, certificates look like this:
-----BEGIN CERTIFICATE-----
MIIFFDCCA/ygAwIBAgISAYYqv7v7f0f38l+hU0J5/iCwMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNjAyMTUwODQ4MDBaFw0x
...
OxSCq8jsCMKYcRanY/CKgYkzENLMtKZnPkLTDfl8IbVGXgHxTMZmU3XoV+qdK9A0
ko99LNSWpHNKF2kEm/UXGVmfFfBovRCmejGZzjzS0VCtlO86oYcVKZYAOBMz21Eq
UKiESWnXfaQbCnmcOB3P+LLRg8uIluQVozktJ6FIgsR3WXvV/qiP/tnjMX3BsOtW
4CPevXtyb/k=
-----END CERTIFICATE-----
If you diff 2 of those files, diff will report every base64 line as changed, but that still doesn’t tell you which part of the certificate is actually different.
Or in other words: if you’re renewing or reinstalling a certificate, are you sure the domain name, SANs, … are all still the same? You can parse the certificates with openssl and check the decoded fields manually. Or, you can use certdiff.
$ certdiff cronweekly.com/cert.pem sysca.st/cert.pem
subject= /CN=cronweekly.com                | subject= /CN=sysca.st
notBefore=Feb 15 08:48:00 2016 GMT         | notBefore=Feb 15 09:11:00 2016 GMT
notAfter=May 15 08:48:00 2016 GMT          | notAfter=May 15 09:11:00 2016 GMT
This example compares the SSL certificates for cronweekly.com (the open source mailing list you should subscribe to) and syscast.
The result is much cleaner: it only shows the decoded fields that actually differ between the two certificates, instead of a diff of their base64 encoding.
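To show what a side-by-side comparison like this boils down to, here is an added example of doing the same thing with plain openssl(1) and diff(1). It is not certdiff’s own code; the function names cert_summary and cert_diff are made up for this post, and it assumes openssl and a diff that supports -y are on your PATH. It goes a bit beyond the output above by also listing the Subject Alternative Names one per line, so a SAN that was dropped during a renewal shows up as exactly one differing line.

```shell
#!/bin/sh
# Added example, not part of the certdiff project. Assumes openssl(1) and diff(1).

# cert_summary FILE: print the decoded fields worth comparing, one per line.
# Subject, issuer, serial, validity window and the SHA-256 fingerprint come
# straight from "openssl x509"; the SANs are pulled out of the -text dump and
# normalised to one "SAN=<name>" line each.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -serial -dates -sha256 -fingerprint
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ {
                 getline                        # the names are on the next line
                 gsub(/^[ \t]+/, "")            # strip indentation
                 n = split($0, a, /, */)        # "DNS:a, DNS:b" -> a[1], a[2]
                 for (i = 1; i <= n; i++) print "SAN=" a[i]
             }'
}

# cert_diff FILE1 FILE2: side-by-side diff of the decoded fields, printing only
# the lines that differ. Exit status is diff's: 0 if the summaries are identical,
# 1 if they differ. Temp files are used instead of <( ) to stay POSIX sh.
cert_diff() {
    _left=$(mktemp) || return 2
    _right=$(mktemp) || { rm -f "$_left"; return 2; }
    cert_summary "$1" > "$_left"
    cert_summary "$2" > "$_right"
    _rc=0
    diff -y --suppress-common-lines "$_left" "$_right" || _rc=$?
    rm -f "$_left" "$_right"
    return "$_rc"
}

# Usage: ./certcompare.sh old/cert.pem new/cert.pem
if [ "$#" -eq 2 ]; then
    cert_diff "$1" "$2"
fi
```

The serial number and fingerprint will of course differ between any two certificates, so when checking a renewal the lines you actually want to see empty are subject, issuer and the SAN lines; a differing notBefore/notAfter pair is expected.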
Certdiff is available as open source on GitHub as mattiasgeniar/certdiff.