To view and parse a certificate with openssl, run the following command with the openssl x509 utility:
openssl x509 -in example.com.crt -text -noout
Where x509
is a certificate utility, -in example.com.crt
is the certificate to view, -text
means to print the full details of the certificate in text form, and -noout
means to not print out the encoded certificate.
The format of the certificate may also be specified using the -inform
flag. The supported types are pem and der.
For this example, we’ve downloaded the installed TLS server certificate from https://example.com. Here is the output:
openssl x509 -in example.com.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0f:d0:78:dd:48:f1:a2:bd:4d:0f:2b:a9:6b:60:38:fe
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
Validity
Not Before: Nov 28 00:00:00 2018 GMT
Not After : Dec 2 12:00:00 2020 GMT
Subject: C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, OU = Technology, CN = www.example.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:d0:f0:12:74:a0:96:20:72:08:65:19:12:5a:5d:
4a:d0:3a:8c:66:8f:a0:29:2b:a7:db:d5:ac:0c:cf:
a5:71:92:15:42:15:b0:07:92:76:31:75:d7:27:8e:
4d:50:6a:75:d1:7b:53:5e:27:aa:ed:eb:a4:60:3a:
f2:8e:45:18:6b:45:33:5c:85:11:aa:20:12:fe:60:
ac:9d:4c:45:8f:dd:d3:0e:3e:77:0f:09:c2:85:65:
34:c7:22:fb:74:13:b9:42:9f:f7:21:f6:f0:9c:44:
74:6d:c9:df:b3:1f:8f:60:b7:71:11:06:90:63:41:
9d:8f:34:7b:24:49:46:ac:f2:f0:8d:0b:48:f4:d3:
92:1a:f7:a2:45:ee:cc:e5:d7:83:7f:2e:82:bd:71:
dd:28:19:58:33:6e:11:a1:3a:a0:6a:72:60:92:01:
59:9f:63:17:7a:49:42:7b:9c:3f:db:d3:05:e8:cc:
87:7e:f8:aa:fc:9d:d1:05:50:ab:75:b1:1e:ba:20:
cb:89:d4:6d:6c:37:82:28:4c:c5:3f:7c:c1:10:f5:
a0:a5:66:6b:53:53:c9:db:ed:85:c3:6d:05:f8:64:
a7:c9:0e:eb:8f:e1:c4:b1:eb:2d:68:0e:15:3f:e5:
e2:dc:fc:21:64:2d:ee:69:2b:04:78:db:77:65:cb:
54:f9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2
X509v3 Subject Key Identifier:
66:98:62:02:E0:09:91:A7:D9:E3:36:FB:76:C6:B0:BF:A1:6D:A7:BE
X509v3 Subject Alternative Name:
DNS:www.example.org, DNS:example.com, DNS:example.edu, DNS:example.net, DNS:example.org, DNS:www.example.com, DNS:www.example.edu, DNS:www.example.net
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/ssca-sha2-g6.crl
Full Name:
URI:http://crl4.digicert.com/ssca-sha2-g6.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.1.1
CPS: https://www.digicert.com/CPS
Policy: 2.23.140.1.2.2
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
X509v3 Basic Constraints: critical
CA:FALSE
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
Timestamp : Nov 28 21:20:12.614 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:84:64:81:B7:21:1D:FA:1A:48:F5:76:
AE:4B:E8:46:86:57:27:17:B0:7B:E9:3B:B7:4A:57:42:
6C:A2:84:C4:6C:02:21:00:BB:93:B5:FE:30:C4:64:E4:
16:4C:7C:6E:58:53:57:EE:EC:7F:AA:45:4F:BF:0E:46:
8E:FE:70:FD:FD:8E:42:42
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 87:75:BF:E7:59:7C:F8:8C:43:99:5F:BD:F3:6E:FF:56:
8D:47:56:36:FF:4A:B5:60:C1:B4:EA:FF:5E:A0:83:0F
Timestamp : Nov 28 21:20:12.821 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:6F:AA:77:D2:1C:A7:94:C0:63:2D:2E:B3:
86:DD:41:8B:40:8A:1A:2F:7F:AE:66:C1:93:5F:73:1F:
48:93:50:11:02:21:00:D2:F9:9D:48:86:05:1E:A0:97:
44:25:0B:3C:EA:CE:FA:2B:19:7C:81:FF:27:7B:9E:DB:
58:B6:DC:E8:F0:4A:4E
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:
15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13
Timestamp : Nov 28 21:20:12.956 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:E4:79:FB:43:84:8E:CA:A1:E4:4F:E9:
03:B0:7A:BB:92:EE:F3:44:3B:8C:EC:FE:14:0D:7D:9F:
B7:63:29:9F:2D:02:20:4D:77:5A:DC:49:01:4A:F4:68:
04:85:61:9F:D7:8D:20:0C:31:FA:C1:D3:F4:71:0A:5B:
D6:56:CB:3D:2C:72:8C
Signature Algorithm: sha256WithRSAEncryption
73:70:85:ef:40:41:a7:6a:43:d5:78:9c:7b:55:48:e6:bc:6b:
99:86:ba:fb:0d:03:8b:78:fe:11:f0:29:a0:0c:cd:69:14:0b:
c6:04:78:b2:ce:f0:87:d5:01:9d:c4:59:7a:71:fe:f0:6e:9e:
c1:a0:b0:91:2d:1f:ea:3d:55:c5:33:05:0c:cd:c1:35:18:b0:
6a:68:66:4c:bf:56:21:da:5b:d9:48:b9:8c:35:21:91:5d:dc:
75:d7:7a:46:2c:22:27:a6:6f:d3:3a:17:eb:be:bd:13:c5:12:
26:73:c0:5d:a3:35:89:6a:fb:27:d4:dd:aa:74:74:2e:37:e5:
01:3b:a6:d0:30:b0:83:d0:a1:c4:75:21:85:b2:e5:fa:67:00:
30:a2:bc:53:83:4d:bf:d6:a8:83:bb:bc:d6:ed:1c:b3:1e:f1:
58:03:82:00:8e:9c:ef:90:f2:1a:5f:a2:a3:06:da:5d:be:9f:
da:5d:a6:e6:2f:de:58:80:18:d3:f1:62:7b:a6:a3:9f:ae:a8:
69:72:63:81:65:ae:82:83:a3:b5:97:8a:9b:20:51:ff:1a:3f:
61:40:1e:48:d0:6b:38:f9:e1:fa:17:d8:77:4a:88:e6:3d:36:
24:4f:ef:0a:b9:9f:70:f3:83:27:f8:cf:2a:05:75:10:a1:8a:
0a:80:88:cd
Certificate output breakdown:
Using openssl to view the certificate, you can see the certificate is an X509v3 certificate as specified in RFC5280.
Version
– Version 3, the latest X509 version.
Serial Number
– The serial number of the certificate in hexadecimal representation.
Signature Algorithm
– The signature algorithm used to sign the certificate. In this case, sha256WithRSAEncryption
.
Issuer
– The issuer DN (Distinguished Name), in this case Digicert.
Validity
– The valid period of the certificate, including Not Before
and Not After
. Any date before or after these dates will resolve to an invalid or expired certifiate.
Subject
– The subject value contains the DN of the certificate, including the Country, State, Location (City), Organization, Organizational Unit, and CN (Common Name).
Subject Public Key Info
– The Subject Public Key Info contains the public key of the certificate and its algorithm and key size.
X509v3 extensions
– The X509v3 extensions are used for additional ways to identify the certificate with a user or organization and manage the relationship with its issuing CA (Certificate Authority)
X509v3 Authority Key Identifier
– The Authority Key Identifier stands as a pointer to the public key of the issuing certificate.
X509v3 Subject Key Identifier
– The Subject Key Identifier is an identifier derived from the public key of the certificate (for end-entity certificates, such as this one).
X509v3 Subject Alternative Name
– The Subject Alternative Name allows the certificate to bind additional FQDNs (Fully Qualified Doman Name) to the certificate in the case of a TLS server certificate.
X509v3 Key Usage: critical
– The key usage specifies what the certificate is being used for. In this case, both Digital Signature and Key Encipherment are set. The Digital Signature bit means the certificate can be used to verify a digital signature such as on a document or authentication. The Key Encipherment bit is set when the public key is used to encrypt a secret key, such as being used in TLS.
X509v3 Extended Key Usage
– The Extended Key Usage describes the intended use of the certificate public key, in addition to what is already described in the Key Usage. For example, end-entity TLS server certificates set both TLS Web Server Authentication and TLS Web Client Authentication, and must not be used for any other purpose.
X509v3 CRL Distribution Points
– CRL Distribution Points identify where CRL information can be obtained.
X509v3 Certificate Policies
– Certificate Policies are represented by an OID (Object Identifier) that explains what the certificate is being used for. It is common for a CA to use this extension for their CP (Certificate Policy) and CPS (Certificate Practice Statement).
Authority Information Access
– Authority Information Access identifies where authority information (issuing CA) and services (i.e. OCSP (Online Certificate Status Protocol)) can be obtained.
X509v3 Basic Constraints
– Basic Constraints determines whether or not the certificate is a CA certificate.
CT Precertificate SCTs
– CT Precertificate SCTs are the timestamps when the certificate was sent to a CT (Certificate Transparency) log.
Using openssl to view only specific certificate properties:
openssl allows you to view certificate properties one by one, rather than having to parse through the entire certificate to find the details of interest.
To view only the serial number
Output the serial number in hexadecimal.
openssl x509 -in example.com.crt -noout -serial
To view only the public key
Output the public key in PEM format.
openssl x509 -in example.com.crt -noout -pubkey
To view only the modulus
Output the modulus of the public key.
openssl x509 -in example.com.crt -noout -modulus
To view only the subject hash
Output the subject hash, used as an index by openssl to be looked up by subject name.
openssl x509 -in example.com.crt -noout -subject_hash
To view only the issuer hash
Outputs the issuer hash.
openssl x509 -in example.com.crt -noout -issuer_hash
To view only the OCSP hash
Output the OCSP hash.
openssl x509 -in example.com.crt -noout -ocspid
To view only the subject
Output the full subject DN.
openssl x509 -in example.com.crt -noout -subject
To view only the issuer
Output the full issuer DN.
openssl x509 -in example.com.crt -noout -issuer
To view the start date, end date, or both
Output validity period dates.
openssl x509 -in example.com.crt -noout -startdate
openssl x509 -in example.com.crt -noout -enddate
openssl x509 -in example.com.crt -noout -dates
To view only the certificate fingerprint
Output the certificate fingerprint. The fingerprint guarantees the uniqueness of the certificate.
openssl x509 -in example.com.crt -noout -fingerprint
Leave a Reply