#!/bin/bash
issuers=$(echo \
	| openssl s_client -servername "$1" -connect "$1:443" -showcerts 2>/dev/null \
	| grep -E '^  *i:' \
	| sed 's/^ *i:/issuer= /')

echo "$issuers" | while read -r issuer; do
	cn=$(echo "$issuer" | sed 's/.*\(CN\|OU\) *= *//')
	echo "==> For issuer $cn"

	for f in /etc/ca-certificates/trust-source/blocklist/*.pem; do
		[ -f "$f" ] || continue;
		i=$(openssl x509 -noout -issuer < "$f" 2>/dev/null)
		fcn=$(echo "$i" | sed 's/.*\(CN\|OU\) *= *//')
		#echo "'$cn' vs '$fcn'"
		if [[ "$cn" = "$fcn" ]]; then
			echo "   -> Blocklist match on $(basename "${f%.pem}")"
			echo "  $issuer"
			echo "  $i"
			break
		fi
	done
done