Mister PKI

All things PKI, HTTPS, SSL, TLS, Digital Certificates

openssl view certificate

March 21, 2020 by Mister PKI

To view and parse a certificate with openssl, run the following command with the openssl x509 utility:

openssl x509 -in example.com.crt -text -noout

Where x509 selects the certificate utility, -in example.com.crt names the certificate file to read (PEM by default; add -inform DER for a binary DER file), -text prints the decoded certificate, and -noout suppresses the PEM-encoded certificate that x509 would otherwise echo after the decoded text.

For this example, we downloaded the TLS server certificate installed at https://example.com and saved it as example.com.crt. Here is the output:

openssl x509 -in example.com.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0f:d0:78:dd:48:f1:a2:bd:4d:0f:2b:a9:6b:60:38:fe
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
        Validity
            Not Before: Nov 28 00:00:00 2018 GMT
            Not After : Dec  2 12:00:00 2020 GMT
        Subject: C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, OU = Technology, CN = www.example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d0:f0:12:74:a0:96:20:72:08:65:19:12:5a:5d:
                    4a:d0:3a:8c:66:8f:a0:29:2b:a7:db:d5:ac:0c:cf:
                    a5:71:92:15:42:15:b0:07:92:76:31:75:d7:27:8e:
                    4d:50:6a:75:d1:7b:53:5e:27:aa:ed:eb:a4:60:3a:
                    f2:8e:45:18:6b:45:33:5c:85:11:aa:20:12:fe:60:
                    ac:9d:4c:45:8f:dd:d3:0e:3e:77:0f:09:c2:85:65:
                    34:c7:22:fb:74:13:b9:42:9f:f7:21:f6:f0:9c:44:
                    74:6d:c9:df:b3:1f:8f:60:b7:71:11:06:90:63:41:
                    9d:8f:34:7b:24:49:46:ac:f2:f0:8d:0b:48:f4:d3:
                    92:1a:f7:a2:45:ee:cc:e5:d7:83:7f:2e:82:bd:71:
                    dd:28:19:58:33:6e:11:a1:3a:a0:6a:72:60:92:01:
                    59:9f:63:17:7a:49:42:7b:9c:3f:db:d3:05:e8:cc:
                    87:7e:f8:aa:fc:9d:d1:05:50:ab:75:b1:1e:ba:20:
                    cb:89:d4:6d:6c:37:82:28:4c:c5:3f:7c:c1:10:f5:
                    a0:a5:66:6b:53:53:c9:db:ed:85:c3:6d:05:f8:64:
                    a7:c9:0e:eb:8f:e1:c4:b1:eb:2d:68:0e:15:3f:e5:
                    e2:dc:fc:21:64:2d:ee:69:2b:04:78:db:77:65:cb:
                    54:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2

            X509v3 Subject Key Identifier: 
                66:98:62:02:E0:09:91:A7:D9:E3:36:FB:76:C6:B0:BF:A1:6D:A7:BE
            X509v3 Subject Alternative Name: 
                DNS:www.example.org, DNS:example.com, DNS:example.edu, DNS:example.net, DNS:example.org, DNS:www.example.com, DNS:www.example.edu, DNS:www.example.net
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl3.digicert.com/ssca-sha2-g6.crl

                Full Name:
                  URI:http://crl4.digicert.com/ssca-sha2-g6.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.114412.1.1
                  CPS: https://www.digicert.com/CPS
                Policy: 2.23.140.1.2.2

            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

            X509v3 Basic Constraints: critical
                CA:FALSE
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
                                3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
                    Timestamp : Nov 28 21:20:12.614 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:84:64:81:B7:21:1D:FA:1A:48:F5:76:
                                AE:4B:E8:46:86:57:27:17:B0:7B:E9:3B:B7:4A:57:42:
                                6C:A2:84:C4:6C:02:21:00:BB:93:B5:FE:30:C4:64:E4:
                                16:4C:7C:6E:58:53:57:EE:EC:7F:AA:45:4F:BF:0E:46:
                                8E:FE:70:FD:FD:8E:42:42
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 87:75:BF:E7:59:7C:F8:8C:43:99:5F:BD:F3:6E:FF:56:
                                8D:47:56:36:FF:4A:B5:60:C1:B4:EA:FF:5E:A0:83:0F
                    Timestamp : Nov 28 21:20:12.821 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:6F:AA:77:D2:1C:A7:94:C0:63:2D:2E:B3:
                                86:DD:41:8B:40:8A:1A:2F:7F:AE:66:C1:93:5F:73:1F:
                                48:93:50:11:02:21:00:D2:F9:9D:48:86:05:1E:A0:97:
                                44:25:0B:3C:EA:CE:FA:2B:19:7C:81:FF:27:7B:9E:DB:
                                58:B6:DC:E8:F0:4A:4E
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:
                                15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13
                    Timestamp : Nov 28 21:20:12.956 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:E4:79:FB:43:84:8E:CA:A1:E4:4F:E9:
                                03:B0:7A:BB:92:EE:F3:44:3B:8C:EC:FE:14:0D:7D:9F:
                                B7:63:29:9F:2D:02:20:4D:77:5A:DC:49:01:4A:F4:68:
                                04:85:61:9F:D7:8D:20:0C:31:FA:C1:D3:F4:71:0A:5B:
                                D6:56:CB:3D:2C:72:8C
    Signature Algorithm: sha256WithRSAEncryption
         73:70:85:ef:40:41:a7:6a:43:d5:78:9c:7b:55:48:e6:bc:6b:
         99:86:ba:fb:0d:03:8b:78:fe:11:f0:29:a0:0c:cd:69:14:0b:
         c6:04:78:b2:ce:f0:87:d5:01:9d:c4:59:7a:71:fe:f0:6e:9e:
         c1:a0:b0:91:2d:1f:ea:3d:55:c5:33:05:0c:cd:c1:35:18:b0:
         6a:68:66:4c:bf:56:21:da:5b:d9:48:b9:8c:35:21:91:5d:dc:
         75:d7:7a:46:2c:22:27:a6:6f:d3:3a:17:eb:be:bd:13:c5:12:
         26:73:c0:5d:a3:35:89:6a:fb:27:d4:dd:aa:74:74:2e:37:e5:
         01:3b:a6:d0:30:b0:83:d0:a1:c4:75:21:85:b2:e5:fa:67:00:
         30:a2:bc:53:83:4d:bf:d6:a8:83:bb:bc:d6:ed:1c:b3:1e:f1:
         58:03:82:00:8e:9c:ef:90:f2:1a:5f:a2:a3:06:da:5d:be:9f:
         da:5d:a6:e6:2f:de:58:80:18:d3:f1:62:7b:a6:a3:9f:ae:a8:
         69:72:63:81:65:ae:82:83:a3:b5:97:8a:9b:20:51:ff:1a:3f:
         61:40:1e:48:d0:6b:38:f9:e1:fa:17:d8:77:4a:88:e6:3d:36:
         24:4f:ef:0a:b9:9f:70:f3:83:27:f8:cf:2a:05:75:10:a1:8a:
         0a:80:88:cd

Certificate output breakdown:

Using openssl to view the certificate, you can see it is an X.509 version 3 certificate following the profile specified in RFC 5280.

Version – Version 3 (encoded as the integer 2, hence the 0x2), the current X.509 version and the one that introduced extensions.

Serial Number – The serial number the issuer assigned, shown in hexadecimal. It must be unique for that issuer, so issuer plus serial number identifies a certificate; CRLs and OCSP responses refer to certificates this way.

Signature Algorithm – The algorithm the issuer used to sign the certificate, here sha256WithRSAEncryption. It appears twice, once inside the signed data and once before the signature value at the bottom, and the two must agree. The signature was made with the issuer's private key, not with the key contained in this certificate.

Issuer – The DN (Distinguished Name) of the CA that signed the certificate, here DigiCert's SHA2 Secure Server CA, an intermediate rather than the DigiCert root.

Validity – The period during which the certificate may be used, given as Not Before and Not After in GMT. A client whose clock is before Not Before treats the certificate as not yet valid, one whose clock is past Not After treats it as expired; both are rejected, and a wrong system clock is a common cause of either error.

Subject – The DN of the entity the certificate was issued to, with Country, State, Locality (city), Organization, Organizational Unit and CN (Common Name). Here the CN is www.example.org even though the certificate was fetched from example.com; that is fine because clients match host names against the Subject Alternative Name, not the CN.

Subject Public Key Info – The certificate's public key together with its algorithm and size: a 2048-bit RSA key whose modulus is printed in full, with the usual public exponent 65537.

X509v3 extensions – Extensions carry everything version 3 added: identifiers that tie the certificate to its own key and to its issuer's key, the names it is valid for, limits on what the key may be used for, and pointers to the CA's revocation, policy and issuer information. An extension marked critical must be understood by the verifier; if it is not, the certificate must be rejected.

X509v3 Authority Key Identifier – Identifies the public key that signed this certificate, here in the keyid form, which equals the issuer certificate's Subject Key Identifier. Path building uses it to pick the right issuer certificate when several share a subject name, for example across a CA key rollover.

X509v3 Subject Key Identifier – An identifier derived from this certificate's own public key (RFC 5280 suggests the SHA-1 hash of the key bits). Certificates issued by this key would carry the same value as their Authority Key Identifier; for an end-entity certificate such as this one nothing chains to it.

X509v3 Subject Alternative Name – The list of FQDNs (Fully Qualified Domain Names) the certificate is valid for when used as a TLS server certificate. This is the field clients match the requested host name against; browsers (Chrome since version 58) ignore the CN entirely, so a server certificate without a SAN does not work.

X509v3 Key Usage: critical – The operations the public key may be used for. Digital Signature means the key may verify signatures the subject makes, such as the handshake signature in (EC)DHE cipher suites and in TLS 1.3. Key Encipherment means the key may encrypt a key, which is RSA key transport in the legacy TLS_RSA_* cipher suites. With both bits set the certificate works with either key exchange; a certificate with only Digital Signature works with ECDHE suites and TLS 1.3 but not with RSA key exchange.

X509v3 Extended Key Usage – Narrows the purposes further. A TLS server certificate must include TLS Web Server Authentication (serverAuth); TLS Web Client Authentication (clientAuth) is optional and is commonly added by public CAs so the same certificate can also authenticate outbound connections. When the extension is present, using the certificate for a purpose it does not list is prohibited.

X509v3 CRL Distribution Points – Where the issuing CA publishes its CRL (Certificate Revocation List), a signed list of the serial numbers it has revoked. The two URLs here are mirrors of the same CRL.

X509v3 Certificate Policies – OIDs (Object Identifiers) naming the policies the certificate was issued under, optionally with a link to the CA's CPS (Certification Practice Statement). 2.16.840.1.114412.1.1 is DigiCert's own policy identifier, and 2.23.140.1.2.2 is the CA/Browser Forum identifier for an organization-validated (OV) certificate, which is what the populated O, L and ST fields in the subject indicate.

Authority Information Access – Where to reach the issuing CA: the OCSP (Online Certificate Status Protocol) responder that answers live revocation queries (and is the source of stapled OCSP responses), and the CA Issuers URL from which a client can download the issuing intermediate certificate if the server did not send it.

X509v3 Basic Constraints – Whether the certificate is a CA certificate. CA:FALSE (critical) means this key may not sign other certificates; a CA certificate has CA:TRUE and may add a path length limit on how many intermediates may follow it.

CT Precertificate SCTs – Signed Certificate Timestamps: each is a signed statement by a CT (Certificate Transparency) log, identified by its Log ID, that the precertificate was submitted at the given time and will be published. The CA obtained these three from different logs at issuance and embedded them so that browsers, which require SCTs from multiple logs for publicly trusted certificates, can check them. openssl x509 only displays SCTs; it does not verify the log signatures.

Using openssl to view only specific certificate properties:

openssl allows you to view certificate properties one by one, rather than having to parse through the entire certificate to find the details of interest.

To view only the serial number

Output the serial number as a single hexadecimal string without the colons shown in the -text view. Together with the issuer name it is what a CA needs when you ask for a revocation.

openssl x509 -in example.com.crt -noout -serial

To view only the public key

Output the public key in PEM format.

openssl x509 -in example.com.crt -noout -pubkey

To view only the modulus

Output the modulus of the RSA public key as a hexadecimal string. The openssl rsa utility accepts the same option on a private key, and equal moduli confirm that a key file and a certificate belong together, the usual check before installing them on a server. An EC key has no modulus; compare -pubkey output instead.

openssl x509 -in example.com.crt -noout -modulus

To view only the subject hash

Output the subject name hash, the value OpenSSL uses to index a -CApath directory: a CA certificate is found there only if it is stored (or symlinked) as <hash>.0, which is what c_rehash, or openssl rehash, sets up. The hash algorithm changed in OpenSSL 1.0.0; -subject_hash_old prints the older MD5-based form.

openssl x509 -in example.com.crt -noout -subject_hash

To view only the issuer hash

Output the issuer name hash, computed the same way. It equals the -subject_hash of the certificate that issued this one, which is how the directory lookup finds the issuer.

openssl x509 -in example.com.crt -noout -issuer_hash

To view only the OCSP hash

Output the OCSP hash values: the SHA-1 hashes of the subject name and of the public key. These are the issuerNameHash and issuerKeyHash an OCSP request uses to identify the issuer of the certificate being queried, so they are meaningful when the certificate is a CA certificate.

openssl x509 -in example.com.crt -noout -ocspid

To view only the subject

Output the full subject DN.

openssl x509 -in example.com.crt -noout -subject

To view only the issuer

Output the full issuer DN.

openssl x509 -in example.com.crt -noout -issuer

To view the start date, end date, or both

Output the validity period: -startdate prints notBefore, -enddate prints notAfter, and -dates prints both. For scripts, -checkend takes a number of seconds and exits non-zero if the certificate expires within that window.

openssl x509 -in example.com.crt -noout -startdate

openssl x509 -in example.com.crt -noout -enddate

openssl x509 -in example.com.crt -noout -dates

To view only the certificate fingerprint

Output the certificate fingerprint: a digest over the certificate's DER encoding, SHA-1 unless another digest such as -sha256 is requested. It is not stored in the certificate; it identifies this exact certificate, which is why it is used to compare certificates and for pinning. Two certificates for the same key and subject still have different fingerprints if any field, such as the serial number, differs.

openssl x509 -in example.com.crt -noout -fingerprint
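The following script is an added example, not code from the Mister PKI post, OpenSSL or DigiCert. It serves both the certificate breakdown above and the single-field options in this section: it builds a throwaway two-certificate chain offline whose leaf carries the same kind of extensions as the example.com certificate, then turns the fields of the breakdown (AKI/SKI linkage, Validity, SAN, Key Usage/EKU, Basic Constraints) and the single-field options (-modulus, -fingerprint, -subject_hash) into pass/fail checks. The file names, function names, "Example Test Root CA" and the host names are assumptions of this example; fetch_server_cert shows how a live leaf such as example.com.crt is obtained and is not called because it needs network access. Only the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not code from the Mister PKI post, OpenSSL or DigiCert.
# Builds a throwaway CA + leaf chain offline (the leaf mirrors the extensions
# of the example.com certificate) and turns the breakdown fields and the
# single-field x509 options into pass/fail checks.  File names, function
# names and host names are assumptions of this example.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# How a live leaf such as example.com.crt is obtained: -servername sends SNI so a
# virtual host returns its own certificate; "openssl x509" keeps the first PEM
# block.  Not called below because it needs network access.
fetch_server_cert() {          # fetch_server_cert example.com 443 > example.com.crt
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | openssl x509
}

# Self-signed root (CA:TRUE, keyCertSign) and a leaf it issues with the same
# SAN / Key Usage / EKU / SKI / AKI layout as the DigiCert-issued certificate.
make_test_chain() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  cat > "$WORK/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = www.example.org
O = Example Org
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:www.example.org,DNS:example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Hex value printed on the line after an extension heading in -text output.
# OpenSSL 1.1 prefixes the AKI with "keyid:", 3.x prints bare hex; strip both.
ext_value() {                  # ext_value cert.pem 'Subject Key Identifier'
  openssl x509 -in "$1" -noout -text |
    awk -v n="$2" 'index($0, n) { getline; gsub(/[ \t]/, ""); sub(/^keyid:/, ""); print; exit }'
}
# AKI of the leaf must equal the SKI of its issuer: that is how path building links them.
aki_matches_ski() { [ "$(ext_value "$1" 'Authority Key Identifier')" = "$(ext_value "$2" 'Subject Key Identifier')" ]; }
# Signature path to the CA plus Basic Constraints / Key Usage / EKU checks for a TLS server.
chain_verifies() { openssl verify -purpose sslserver -CAfile "$2" "$1" >/dev/null 2>&1; }
# -subject_hash names the file a -CApath lookup expects: <hash>.0 (what c_rehash creates).
capath_verifies() {
  mkdir -p "$WORK/capath"
  cp "$2" "$WORK/capath/$(openssl x509 -in "$2" -noout -subject_hash).0"
  openssl verify -CApath "$WORK/capath" "$1" >/dev/null 2>&1
}
# -checkhost applies TLS client name matching against the SAN and reports it as text.
host_matches() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match certificate'; }
# Validity: exit 0 while the certificate is still good for at least $2 seconds.
not_expiring_within() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }
# -modulus on the certificate and on the private key agree only if they belong together.
modulus_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}
# A fingerprint is just a digest over the DER encoding; recompute it to show that.
fingerprint_is_der_hash() {
  fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f')
  der=$(openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{ print $NF }')
  [ "$fp" = "$der" ]
}

make_test_chain
LEAF="$WORK/leaf.pem"; CA="$WORK/ca.pem"; KEY="$WORK/leaf.key"
# Single-field options combine in one call; -noout keeps the PEM block out of the output.
openssl x509 -in "$LEAF" -noout -subject -issuer -serial -dates -fingerprint -sha256
for check in "aki_matches_ski $LEAF $CA" "chain_verifies $LEAF $CA" "capath_verifies $LEAF $CA" \
             "host_matches $LEAF www.example.org" "host_matches $LEAF evil.example" \
             "not_expiring_within $LEAF 86400" "modulus_matches_key $LEAF $KEY" \
             "fingerprint_is_der_hash $LEAF"; do
  if $check; then echo "PASS  $check"; else echo "FAIL  $check"; fi   # evil.example is expected to FAIL
done
```

Run it as a plain sh script; it prints the combined single-field view of the generated leaf followed by one PASS/FAIL line per check, where only the evil.example host check is expected to fail. To point the checks at a real certificate, save the output of fetch_server_cert and pass that file in place of leaf.pem; chain_verifies and capath_verifies then need the issuing CA certificate, which the CA Issuers URL in the Authority Information Access extension provides, as their CA file.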
