-A,--noauth
Ignore authority warnings (expiration only)
--all
Enable all the possible optional checks at the maximum level
--all-local
Enable all the possible optional checks at the maximum level (without SSL-Labs)
--allow-empty-san
Allow certificates without Subject Alternative Names (SANs)
-C,--clientcert path
Use client certificate to authenticate
-c,--critical days
Minimum number of days a certificate has to be valid to issue a critical status. Can be a floating
point number, e.g., 0.5. Default: 15
--check-chain
The certificate chain cannot contain double or root certificates
--check-ciphers grade
Check the offered ciphers
--check-ciphers-warnings
Critical if nmap reports a warning for an offered cipher
--check-http-headers
Check the HTTP headers for best practices
--check-ssl-labs-warngrade
SSL Labs grade on which to warn
--clientpass phrase
Set passphrase for client certificate.
--configuration file
Read options from the specified file
--crl
Check revocation via CRL (requires --rootcert-file)
--curl-bin path
Path of the curl binary to be used
--custom-http-header string
Custom HTTP header sent when getting the cert example: 'X-Check-Ssl-Cert: Foobar=1'
--dane
Verify that valid DANE records exist (since OpenSSL 1.1.0)
--dane211
Verify that a valid DANE-TA(2) SPKI(1) SHA2-256(1) TLSA record exists
--dane301
Verify that a valid DANE-EE(3) Cert(0) SHA2-256(1) TLSA record exists
--dane302
Verify that a valid DANE-EE(3) Cert(0) SHA2-512(2) TLSA record exists
--dane311
Verify that a valid DANE-EE(3) SPKI(1) SHA2-256(1) TLSA record exists
--dane312
Verify that a valid DANE-EE(3) SPKI(1) SHA2-512(1) TLSA record exists
--date path
Path of the date binary to be used
-d,--debug
Produce debugging output (can be specified more than once)
--debug-cert
Store the retrieved certificates in the current directory
--debug-file file
Write the debug messages to file
--debug-headers
Store the retrieved HTLM headers in the headers.txt file
--debug-time
Write timing information in the debugging output
--default-format
Print the default output format and exit
--dig-bin path
Path of the dig binary to be used
--do-not-resolve
Do not check if the host can be resolved
--dtls
Use the DTLS protocol
--dtls1
Use the DTLS protocol 1.0
--dtls1_2
Use the DTLS protocol 1.2
-e,--email address
Pattern to match the email address contained in the certificate
--ecdsa
Signature algorithm selection: force ECDSA certificate
--element number
Check up to the N cert element from the beginning of the chain
--file-bin path
Path of the file binary to be used
--fingerprint hash
Pattern to match the fingerprint
--fingerprint-alg algorithm
Algorithm for fingerprint. Default sha1
--first-element-only
Verify just the first cert element, not the whole chain
--force-dconv-date
Force the usage of dconv for date computations
--force-perl-date
Force the usage of Perl for date computations
--format FORMAT
Format output template on success, for example: '%SHORTNAME% OK %CN% from %CA_ISSUER_MATCHED%'
List of possible variables:
- %CA_ISSUER_MATCHED%
- %CHECKEDNAMES%
- %CN%
- %DATE%
- %DAYS_VALID%
- %DYSPLAY_CN%
- %HOST%
- %OCSP_EXPIRES_IN_HOURS%
- %OPENSSL_COMMAND%
- %PORT%
- %SELFSIGNEDCERT%
- %SHORTNAME%
- %SIGALGO%
- %SSL_LABS_HOST_GRADE%
See --default-format for the default
--grep-bin path
Path of the grep binary to be used
-h,--help,-?
This help message
--http-headers-path path
The path to be used to fetch HTTP headers
--http-use-get
Use GET instead of HEAD (default) for the HTTP related checks
-i,--issuer issuer
Pattern to match the issuer of the certificate
--ignore-altnames
Ignore alternative names when matching pattern specified in -n (or the host name)
--ignore-connection-problems [state]
In case of connection problems returns OK or the optional state
--ignore-exp
Ignore expiration date
--ignore-http-headers
Ignore checks on HTTP headers with --all and --all-local
--ignore-host-cn
Do not complain if the CN does not match the host name
--ignore-incomplete-chain
Do not check chain integrity
--ignore-maximum-validity
Ignore the certificate maximum validity
--ignore-ocsp
Do not check revocation with OCSP
--ignore-ocsp-errors
Continue if the OCSP status cannot be checked
--ignore-ocsp-timeout
Ignore OCSP result when timeout occurs while checking
--ignore-sct
Do not check for signed certificate timestamps (SCT)
--ignore-sig-alg
Do not check if the certificate was signed with SHA1 or MD5
--ignore-ssl-labs-cache
Force a new check by SSL Labs (see -L)
--ignore-ssl-labs-errors
Ignore errors if SSL Labs is not accessible or times out
--ignore-tls-renegotiation
Ignore the TLS renegotiation check
--ignore-unexpected-eof
Ignore unclean TLS shutdowns
--inetprotoprotocol
Force IP version 4 or 6
--info
Print certificate information
--init-host-cache
Initialize the host cache
--issuer-cert-cache dir
Directory where to store issuer certificates cache
--jks-alias alias
Alias name of the Java KeyStore entry (requires --file)
-K,--clientkey path
Use client certificate key to authenticate
-L,--check-ssl-labsgrade
SSL Labs assessment (please check https://www.ssllabs.com/about/terms.html). Critical if the grade
is lower than specified.
--long-output list
Append the specified comma separated (no spaces) list of attributes to the plugin output on
additional lines. Valid attributes are: enddate, startdate, subject, issuer, modulus, serial,
hash, email, ocsp_uri and fingerprint. 'all' will include all the available attributes.
-m,--match name
Pattern to match the CN or AltName (can be specified multiple times)
--maximum-validity [days]
The maximum validity of the certificate must not exceed 'days' (default 397). This check is
automatic for HTTPS
--nmap-bin path
Path of the nmap binary to be used
--nmap-with-proxy
Allow nmap to be used with a proxy
--no-perf
Do not show performance data
--no-proxy
Ignore the http_proxy and https_proxy environment variables
--no-proxy-curl
Ignore the http_proxy and https_proxy environment variables for curl
--no-proxy-s_client
Ignore the http_proxy and https_proxy environment variables for openssl s_client
--no-ssl2
Disable SSL version 2
--no-ssl3
Disable SSL version 3
--no-tls1
Disable TLS version 1
--no-tls1_1
Disable TLS version 1.1
--no-tls1_3
Disable TLS version 1.3
--no-tls1_2
Disable TLS version 1.2
--not-issued-by issuer
Check that the issuer of the certificate does not match the given pattern
--not-valid-longer-than days
Critical if the certificate validity is longer than the specified period
-o,--org org
Pattern to match the organization of the certificate
--ocsp-critical hours
Minimum number of hours an OCSP response has to be valid to issue a critical status
--ocsp-warning hours
Minimum number of hours an OCSP response has to be valid to issue a warning status
--openssl path
Path of the openssl binary to be used
-p,--port port
TCP port (default 443)
--precision digits
Number of decimal places for durations: defaults to 0 if critical or warning are integers, 2
otherwise
-P,--protocol protocol
Use the specific protocol: dns, ftp, ftps, http, https (default), h2 (HTTP/2), h3 (HTTP/3), imap,
imaps, irc, ircs, ldap, ldaps, mqtts, mysql, pop3, pop3s, postgres, sieve, sips, smtp, smtps, tds,
xmpp, xmpp-server. ftp, imap, irc, ldap, pop3, postgres, sieve, smtp: switch to TLS using
StartTLS. These protocols switch to TLS using StartTLS: ftp, imap, irc, ldap, mysql, pop3, smtp.
--path path
Set the PATH variable to 'path'
--password source
Password source for a local certificate, see the PASS PHRASE ARGUMENTS section openssl(1)
--prometheus
Generate Prometheus/OpenMetrics output
--proxy proxy
Set http_proxy and the s_client -proxy option
--python-bin path
Path of the python binary to be used
--quic
Use QUIC
-q,--quiet
Do not produce any output
-r,--rootcert cert
Root certificate or directory to be used for certificate validation (passed to openssl's -CAfile
or -CApath)
--require-client-cert [list]
The server must accept a client certificate. 'list' is an optional comma separated list of
expected client certificate CAs
--require-dnssec
Require DNSSEC
--require-http-header header
Require the specified HTTP header (e.g., X-Frame-Options)
--require-no-http-header header
Require the absence of the specified HTTP header (e.g., X-Powered-By)
--require-no-ssl2
Critical if SSL version 2 is offered
--require-no-ssl3
Critical if SSL version 3 is offered
--require-no-tls1
Critical if TLS 1 is offered
--require-no-tls1_1
Critical if TLS 1.1 is offered
--require-ocsp-stapling
Require OCSP stapling
--require-purpose usage
Require the specified key usage (can be specified more then once)
--require-purpose-critical
The key usage must be critical
--require-security-header header
Require the specified HTTP security header (e.g., X-Frame-Options)
--require-security-headers
Require all the HTTP security headers:
Content-Security-Policy
Permissions-Policy
Referrer-Policy
strict-transport-security
X-Content-Type-Options
X-Frame-Options
--resolve ip
Provide a custom IP address for the specified host
--resolve-over-http [server]
Resolve the host over HTTP using Google or the specified server
--rootcert-dir dir
Root directory to be used for certificate validation (passed to openssl's -CApath) overrides
option -r,--rootcert
--rootcert-file cert
Root certificate to be used for certificate validation (passed to openssl's -CAfile) overrides
option -r,--rootcert
--rsa
Signature algorithm selection: force RSA certificate
--security-level number
Set the security level to specified value. See SSL_CTX_set_security_level(3) for a description of
what each level means
-s,--selfsigned
Allow self-signed certificates
--serial serialnum
Pattern to match the serial number
--skip-element number
Skip checks on the Nth cert element (can be specified multiple times)
--sni name
Set the TLS SNI (Server Name Indication) extension in the ClientHello message to 'name'
--ssl2
Force SSL version 2
--ssl3
Force SSL version 3
-t,--timeout seconds
Timeout after the specified time (defaults to 120 seconds)
--temp dir
Directory where to store the temporary files
--terse
Terse output (also see --verbose)
--tls1
Force TLS version 1
--tls1_1
Force TLS version 1.1
--tls1_2
Force TLS version 1.2
--tls1_3
Force TLS version 1.3
-u,--url URL
HTTP request URL
--user-agent string
User agent that shall be used for HTTPS connections
-v,--verbose
Verbose output (can be specified more than once)
-V,--version
Version
-w,--warning days
Minimum number of days a certificate has to be valid to issue a warning status. Might be a
floating point number, e.g., 0.5. Default: 20
--xmpphost name
Specify the host for the 'to' attribute of the stream element
-4 Force IPv4
-6 Force IPv6