- How do I display the contents of a SSL certificate?
- Useful openssl commands to view certificate content
- View the content of CSR (Certificate Signing Request)
- View the content of CA certificate
- View the content of signed Certificate
- Conclusion
- How To Read The SSL Certificate Info From the CLI
- Read the SSL Certificate information from a text-file at the CLI
- Read the SSL Certificate information from a remote server
How do I display the contents of a SSL certificate?
You can display the contents of a PEM formatted certificate under Linux, using openssl:
$ openssl x509 -in acs.cdroutertest.com.pem -text The output of the above command should look something like this:
cdrouter@linux:/usr/cdrouter/tests> openssl x509 -in acs.cdroutertest.com.pem -text Certificate: Data: Version: 3 (0x2) Serial Number: 04:7a:f7:95:47:c0:7d:0f:ef:80:a5:b2:1f:51:e3:63 Signature Algorithm: sha256WithRSAEncryption Issuer: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA Validity Not Before: Mar 12 00:00:00 2018 GMT Not After : Mar 11 23:59:59 2020 GMT Subject: OU = Domain Control Validated, OU = PositiveSSL, CN = acs.cdroutertest.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:eb:fe:b5:1a:16:0d:49:3f:15:18:99:44:eb:63: ef:e4:7e:de:f7:91:2a:2f:3c:9d:43:57:62:52:92: 17:a6:48:0b:de:86:43:6b:77:5c:77:9d:05:6c:64: eb:96:fa:97:c8:f9:93:3e:72:3c:c4:84:f3:e2:98: 60:9c:17:92:bf:01:12:a3:20:69:19:16:39:1c:48: 0b:e0:db:e2:bc:d0:48:57:4d:a6:0d:1a:a1:3a:51: 25:b5:d9:1c:61:ba:34:b7:76:56:15:72:7e:69:eb: 07:0f:20:3e:f9:41:56:8b:1b:51:eb:55:cd:9c:61: a1:c8:a1:42:1f:6e:87:5e:a1:1b:68:11:e5:4e:66: 36:7c:4a:2c:23:e4:98:71:31:f7:0c:28:ee:1d:65: 99:1d:1f:40:1e:da:b5:a4:de:5b:6d:8d:c3:35:3b: 06:b4:5d:82:a6:61:27:29:25:ab:71:12:71:9c:0c: f6:68:c1:54:58:3a:1d:a1:ce:ea:10:a6:2d:e0:4a: f5:f4:45:b4:2d:25:37:f5:0e:b2:c3:03:1f:35:73: 59:46:36:6a:73:a2:2c:3f:70:c8:e4:26:49:a3:20: 8f:38:7c:55:d0:2e:f5:8a:24:00:7b:ce:36:8d:60: 5a:7b:c5:4b:66:cd:49:d0:e6:51:6d:b5:9e:a8:68: 06:79 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7 X509v3 Subject Key Identifier: CC:31:0F:36:85:92:91:A8:0D:61:46:9E:9C:FE:9E:23:42:B9:D6:92 X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.6449.1.2.2.7 CPS: https://secure.comodo.com/CPS Policy: 2.23.140.1.2.1 X509v3 CRL Distribution Points: Full Name: URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl Authority Information Access: CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt OCSP - URI:http://ocsp.comodoca.com X509v3 Subject Alternative Name: DNS:acs.cdroutertest.com, DNS:www.acs.cdroutertest.com Signature Algorithm: sha256WithRSAEncryption 44:fd:29:96:b3:ca:c9:b6:10:5e:74:40:14:6a:a0:c4:41:21: 5b:16:0b:e2:13:eb:8a:25:19:5f:30:73:0f:2b:9e:68:7b:67: 3b:71:db:a3:72:91:52:db:02:8c:13:b3:fd:71:2e:4a:4c:d1: 02:6e:7e:1f:0e:0a:cf:bb:29:71:91:42:8a:e8:68:8f:a2:b4: d6:52:e4:f4:93:df:13:98:a4:58:e6:77:e4:78:86:ae:ad:73: b7:6d:43:25:dd:1f:92:c0:36:97:04:2a:87:40:87:16:16:c3: 79:13:10:a2:2e:a0:cb:27:0f:ee:c6:5a:1a:5b:55:5b:b7:9d: 20:12:7c:8b:0d:20:32:3e:8c:c1:5a:56:31:27:0e:fb:4c:d7: 7a:ad:c5:22:58:ad:97:c7:bd:75:14:bb:e7:58:f5:c8:f6:49: f8:43:68:13:2e:d4:3a:67:02:13:e8:35:50:05:df:d9:32:90: e1:c6:bb:b0:aa:52:fb:4f:1f:92:dd:d3:55:7a:28:67:91:be: c0:5c:b7:7b:74:37:0e:d8:69:36:f5:74:b9:a3:61:7c:29:31: 3e:8b:51:a2:df:fc:f4:dc:48:93:46:c9:b2:35:30:6c:48:66: 2a:6e:f5:6f:17:d7:2b:07:b4:c4:b9:67:65:67:1a:d8:76:80: 8f:ff:fd:ef -----BEGIN CERTIFICATE----- MIIFTjCCBDagAwIBAgIQBHr3lUfAfQ/vgKWyH1HjYzANBgkqhkiG9w0BAQsFADCB kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD QTAeFw0xODAzMTIwMDAwMDBaFw0yMDAzMTEyMzU5NTlaMFIxITAfBgNVBAsTGERv bWFpbiBDb250cm9sIFZhbGlkYXRlZDEUMBIGA1UECxMLUG9zaXRpdmVTU0wxFzAV BgNVBAMTDmFjcy5xYWNhZmUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEA6/61GhYNST8VGJlE62Pv5H7e95EqLzydQ1diUpIXpkgL3oZDa3dcd50F bGTrlvqXyPmTPnI8xITz4phgnBeSvwESoyBpGRY5HEgL4NvivNBIV02mDRqhOlEl tdkcYbo0t3ZWFXJ+aesHDyA++UFWixtR61XNnGGhyKFCH26HXqEbaBHlTmY2fEos I+SYcTH3DCjuHWWZHR9AHtq1pN5bbY3DNTsGtF2CpmEnKSWrcRJxnAz2aMFUWDod oc7qEKYt4Er19EW0LSU39Q6ywwMfNXNZRjZqc6IsP3DI5CZJoyCPOHxV0C71iiQA e842jWBae8VLZs1J0OZRbbWeqGgGeQIDAQABo4IB3zCCAdswHwYDVR0jBBgwFoAU kK9qOpRaC9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFMwxDzaFkpGoDWFGnpz+niNC udaSMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG AQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYI KwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAEC ATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01P RE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGFBggrBgEF BQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NP TU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYB BQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAtBgNVHREEJjAkgg5hY3Mu cWFjYWZlLmNvbYISd3d3LmFjcy5xYWNhZmUuY29tMA0GCSqGSIb3DQEBCwUAA4IB AQBE/SmWs8rJthBedEAUaqDEQSFbFgviE+uKJRlfMHMPK55oe2c7cdujcpFS2wKM E7P9cS5KTNECbn4fDgrPuylxkUKK6GiPorTWUuT0k98TmKRY5nfkeIaurXO3bUMl 3R+SwDaXBCqHQIcWFsN5ExCiLqDLJw/uxloaW1Vbt50gEnyLDSAyPozBWlYxJw77 TNd6rcUiWK2Xx711FLvnWPXI9kn4Q2gTLtQ6ZwIT6DVQBd/ZMpDhxruwqlL7Tx+S 3dNVeihnkb7AXLd7dDcO2Gk29XS5o2F8KTE+i1Gi3/z03EiTRsmyNTBsSGYqbvVv F9crB7TEuWdlZxrYdoCP//3v -----END CERTIFICATE----- Likewise, you can display the contents of a DER formatted certificate using this command:
$ openssl x509 -in MYCERT.der -inform der -text Useful openssl commands to view certificate content
We generate a private key with des3 encryption using following command which will prompt for passphrase:
~]# openssl genrsa -des3 -out ca.key 4096 To view the content of this private key we will use following syntax:
~]# openssl rsa -noout -text -in
So in our case the command would be:
~]# openssl rsa -noout -text -in ca.key Sample output from my terminal (output is trimmed):
View the content of CSR (Certificate Signing Request)
We can use the following command to generate a CSR using the key we created in the previous example:
~]# openssl req -new -key ca.key -out client.csr Syntax to view the content of this CSR:
~]# openssl req -noout -text -in
Sample output from my terminal:
View the content of CA certificate
We can use our existing key to generate CA certificate, here ca.cert.pem is the CA certificate file:
~]# openssl req -new -x509 -days 365 -key ca.key -out ca.cert.pem To view the content of CA certificate we will use following syntax:
~]# openssl x509 -noout -text -in
Sample output from my terminal (output is trimmed):
View the content of signed Certificate
We can create a server or client certificate using following command using the key, CSR and CA certificate which we have created in this tutorial. Here server.crt is our final signed certificate
~]# openssl x509 -req -days 365 -in client.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -out server.crt To view the content of similar certificate we can use following syntax:
~]# openssl x509 -noout -text -in
Sample output from my server (output is trimmed):
You can use the same command to view SAN (Subject Alternative Name) certificate as well.
Conclusion
In this tutorial we learned about openssl commands which can be used to view the content of different kinds of certificates. I have kept the tutorial short and crisp keeping to the point, you may check other articles on openssl in the left sidebar to understand how we can create different kinds of certificates using openssl.
Didn’t find what you were looking for? Perform a quick search across GoLinuxCloud
If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.
For any other feedbacks or questions you can either use the comments section or contact me form.
Thank You for your support!!
How To Read The SSL Certificate Info From the CLI
This guide will show you how to read the SSL Certificate Information from a text-file on your server or from a remote server by connecting to it with the OpenSSL client.
Read the SSL Certificate information from a text-file at the CLI
If you have your certificate file available to you on the server, you can read the contents with the openssl client tools.
By default, your certificate will look like this.
$ cat certificate.crt -----BEGIN CERTIFICATE----- MIIEzTCCA7WgAwIBAgISESHAjlbjcoBHxBYXS12oY6VjMA0GCSqGSIb3DQEBCwUA . CzgXBhDR3themzPx4jwx2ckNFpNDK/6yQgrKaHTewAAj -----END CERTIFICATE-----
Which doesn’t really tell you much.
However, you can decrypt that certificate to a more readable form with the openssl tool.
$ openssl x509 -text -noout -in certificate.crt
It will display the SSL certificate output like expiration date, common name, issuer, …
Here’s what it looks like for my own certificate.
$ openssl x509 -text -noout -in certificate.crt Certificate: . Signature Algorithm: sha256WithRSAEncryption Issuer: C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2 Validity Not Before: Dec 16 20:01:40 2014 GMT Not After : Dec 16 20:01:40 2017 GMT Subject: C=BE, OU=Domain Control Validated, CN=ma.ttias.be Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) .
The openssl tools are a must-have when working with certificates on your Linux server.
Read the SSL Certificate information from a remote server
You may want to monitor the validity of an SSL certificate from a remote server, without having the certificate.crt text file locally on your server? You can use the same openssl for that.
To connect to a remote host and retrieve the public key of the SSL certificate, use the following command.
$ openssl s_client -showcerts -connect ma.ttias.be:443
This will connect to the host ma.ttias.be on port 443 and show the certificate. It’s output looks like this.
$ openssl s_client -showcerts -connect ma.ttias.be:443 -----BEGIN CERTIFICATE----- MIIEzTCCA7WgAwIBAgISESHAjlbjcoBHxBYXS12oY6VjMA0GCSqGSIb3DQEBCwUA . CzgXBhDR3themzPx4jwx2ckNFpNDK/6yQgrKaHTewAAj -----END CERTIFICATE----- --- Server certificate subject=/C=BE/OU=Domain Control Validated/CN=ma.ttias.be issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2 ---
There’s many more output, like the intermediate CA certificates, the raw certificates (encoded) and more information on the ciphers used to negotiate with the remote server.
You can use it to find the expiration date, to test for SSL connection errors, …