Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Multi platform
Device management   (+ MDM) Orchestration   (+ monitoring) Software management   (+ CVEs) Integrations

Docs
Stories
News Ask around Share your story COMPANY
The handbook What people are saying

Pricing Schedule a demo
Multi platform
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Docs
Stories
News Ask around Schedule a demo Share your story COMPANY The handbook What people are saying
Pricing Try it yourself
Queries/
Discover TLS certificates

Discover TLS certificates

Contributor's GitHub profile picture

Nabil Schear

Retrieves metadata about TLS certificates for servers listening on the local machine. Enables mTLS adoption analysis and cert expiration notifications.

To learn more about queries, check this guide.

Query PowerShellNEW BashNEW
SELECT * FROM curl_certificate WHERE hostname IN (SELECT DISTINCT 'localhost:'||port FROM listening_ports WHERE protocol=6 AND address!='127.0.0.1' AND address!='::1');
function Get-CurlCertificate {
    param(
        [string]$hostname,
        [int]$port
    )
    try {
        $tcpClient = New-Object System.Net.Sockets.TcpClient
        $tcpClient.Connect($hostname, $port)
        $networkStream = $tcpClient.GetStream()
        $sslStream = New-Object System.Net.Security.SslStream($networkStream, $false, { return $true })
        $sslStream.ReadTimeout = 5000
        $sslStream.WriteTimeout = 5000
        $sslStream.AuthenticateAsClient($hostname)
        $remoteCert = $sslStream.RemoteCertificate
        if ($remoteCert) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $remoteCert
            [PSCustomObject]@{
                Hostname   = "$hostname`:$port"
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
        else {
            [PSCustomObject]@{
                Hostname   = "$hostname`:$port"
                Error      = "No certificate returned"
            }
        }
        $sslStream.Close()
        $tcpClient.Close()
    }
    catch {
        [PSCustomObject]@{
            Hostname = "$hostname`:$port"
            Error    = "Failed to retrieve certificate - $_"
        }
    }
}

# Get distinct TCP listening ports where local address is not 127.0.0.1 or ::1
$ports = Get-NetTCPConnection -State Listen -Protocol TCP |
    Where-Object { $_.LocalAddress -ne "127.0.0.1" -and $_.LocalAddress -ne "::1" } |
    Select-Object -ExpandProperty LocalPort -Unique

foreach ($port in $ports) {
    # Use "localhost" as the hostname to match the pattern "localhost:port"
    $result = Get-CurlCertificate -hostname "localhost" -port $port
    $result
}
echo "Hostname,Subject,Issuer"; netstat -an | grep LISTEN | grep -v '127.0.0.1' | grep -v '::1' | awk '{print $4}' | sed -E 's/.*\.//' | sort -u | while read port; do cert=$(echo | openssl s_client -connect localhost:$port -servername localhost 2>/dev/null | openssl x509 -noout -subject -issuer 2>/dev/null); subject=$(echo "$cert" | grep '^subject=' | sed 's/subject=//'); issuer=$(echo "$cert" | grep '^issuer=' | sed 's/issuer=//'); echo "localhost:$port,$subject,$issuer"; done
An icon indicating that this section has important information

PowerShell commands are currently work in progress, contributions welcome.

An icon indicating that this section has important information

Bash commands for macOS are currently work in progress, contributions welcome.

Platform

macOSApple

WindowsWindows

LinuxLinux

ChromeOSChromeOS

Suggest an editEdit Talk to an engineerTalk to us
Fleet logo
Multi platform Device management Orchestration Software management Integrations Pricing
Documentation Support Docs API Release notes Get your license
Company About News Jobs Logos/artwork Why open source?
ISO 27001 coming soon a small checkmarkSOC2 Type 2 Creative Commons Licence CC BY-SA 4.0
© 2025 Fleet Inc. Privacy
Slack logo GitHub logo LinkedIn logo X (Twitter) logo Youtube logo Mastadon logo
Tried Fleet yet?

Get started with Fleet

Start
continue
×