certdiff

Tired of the privacy invasion of the Chrome webbrowser? Worried about the risk of seeing ads everywhere? Give the Brave Browser a try. It supports all the same Chrome extensions, with none of the telemetry. It auto-blocks ads and helps support content creators like me.

Give the Brave browser a try »

Profile image of Mattias Geniar

Mattias Geniar, March 28, 2016

Follow me on Twitter as @mattiasgeniar

Here’s a new tool I just open sourced: certdiff.

It’s a very simple bash script that solves an annoying problem for me. If I want to diff 2 certificate files, I can’t just run the diff tool. After all, certificates look like this.

-----BEGIN CERTIFICATE-----
MIIFFDCCA/ygAwIBAgISAYYqv7v7f0f38l+hU0J5/iCwMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNjAyMTUwODQ4MDBaFw0x
...
OxSCq8jsCMKYcRanY/CKgYkzENLMtKZnPkLTDfl8IbVGXgHxTMZmU3XoV+qdK9A0
ko99LNSWpHNKF2kEm/UXGVmfFfBovRCmejGZzjzS0VCtlO86oYcVKZYAOBMz21Eq
UKiESWnXfaQbCnmcOB3P+LLRg8uIluQVozktJ6FIgsR3WXvV/qiP/tnjMX3BsOtW
4CPevXtyb/k=
-----END CERTIFICATE-----

If you diff 2 of those similar files, it would just report a difference on every line – but you still don’t know which data is different.

Or in other words: if you’re renewing or reinstalling a certificate, are you sure your domain name, SANs, … are all the same? You can parse the certificates with openssl and manually check them. Or, you can use certdiff.

$ certdiff cronweekly.com/cert.pem sysca.st/cert.pem
subject= /CN=cronweekly.com           |  subject= /CN=sysca.st
notBefore=Feb 15 08:48:00 2016 GMT    |  notBefore=Feb 15 09:11:00 2016 GMT
notAfter=May 15 08:48:00 2016 GMT     |  notAfter=May 15 09:11:00 2016 GMT

This example compares the SSL certificates for cronweekly.com (the open source mailing list you should subscribe to) and syscast.

The result is much cleaner and just shows the differences of the actual certificate, not just its encoded result.

Certdiff is available as open source on github as mattiasgeniar/certdiff.



Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.