I would like to be able to determine if a remote domain’s TLS/SSL certificate is ‘trusted’ from the command line.

Here is an openssl example I was playing with a few weeks back, here I use openssl to acquire the certificate and then pipe it to openssl’s ‘verify’ command. I assumed that the ‘verify’ command would verify the certificate, however, how I understand it now is that the ‘verify’ command just verifies the certificate chain (I think). (cdn.pubnub.com is just a domain I found from a quick Twitter search as an example to use)

echo "GET /" | openssl s_client -connect cdn.pubnub.com:443 | openssl x509 -text | openssl verify

As you can see from the cdn.pubnub.com domain (at the time of writing), the browser (Chrome at least) does not trust the certificate (because the certificate domain doesn’t match), however, the openssl ‘verify’ command does not output ‘trusted’ or ‘not trusted’ or something else we can deduct that information from.

Another way I thought of doing this, is by using a headless browser (such as PhantomJS) and parsing any errors they return. It turns out that PhantomJS just errors but does not give any details, so this can not be used as the error could have been caused by something else.

I didn’t think it would be this hard to find out that a certificate was trusted or not from the command line, without having to parse and check all the data that makes a certificate trusted myself which I don’t think would be wise.

Is there a library or some other way I can tell if a remote domain’s certificate is trusted from the command line?