I built a CLI tool called 'dcert' after repeatedly debugging TLS-related issues where existing tools only answered part of the question or they took me a lot of time to type all the options and flags.
Typical failures looked like:
- Certificate looks valid, but the handshake still fails
- TLS version or cipher mismatch that is not obvious from logs
- mTLS behaviour that depends on the server, not the client
- Slow connections where it is unclear whether TCP, TLS or HTTPS is the bottleneck
dcert is a small Rust CLI that either parses PEM files or connects directly to an HTTPS endpoint or against a base64 PEM file and shows:
- Full TLS certificate chain details and expiry
- Negotiated TLS version and cipher
- Hostname validation against the common name and subject alternative names (SANs)
- Whether the server requests client certificates
- Separate latency measurements for TCP connect and TLS plus HTTP
It supports JSON output for CI or scripting, can export TLS certificate chains and works well for quick checks during incidents.
GitHub Repository and examples: https://github.com/SCGIS-Wales/dcert
Feedback welcome, especially from people who debug TLS regularly.