Содержание
How can I check if the certificate file I have is in .pem format?
I have a root cert file and I don’t know whether or not it is in .pem format. How do I check if it is in .pem format?
7 Answers 7
Quote from the support page:
View ==== Even though PEM encoded certificates are ASCII they are not human readable. Here are some commands that will let you output the contents of a certificate in human readable form; View PEM encoded certificate ---------------------------- Use the command that has the extension of your certificate replacing cert.xxx with the name of your certificate openssl x509 -in cert.pem -text -noout openssl x509 -in cert.cer -text -noout openssl x509 -in cert.crt -text -noout If you get the folowing error it means that you are trying to view a DER encoded certifciate and need to use the commands in the “View DER encoded certificate below” unable to load certificate 12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE View DER encoded Certificate View DER encoded Certificate ---------------------------- openssl x509 -in certificate.der -inform der -text -noout If you get the following error it means that you are trying to view a PEM encoded certificate with a command meant for DER encoded certs. Use a command in the “View PEM encoded certificate above unable to load certificate 13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306: 13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509 How to view the contents of a .pem certificate?
I am using Java keytool . I have exported a self-signed .pem certificate from my keystore. Is there a command to view the certificate details directly from the .pem file (not of the certificate in the keystore)?
3 Answers 3
An alternative to using keytool , you can use the command
openssl x509 -in certificate.pem -text This should work for any x509 .pem file provided you have openssl installed.
Actually, keytool errored out with java.lang.Exception: Failed to parse input for some pems, but this worked for all of them
In my case I had to change «x509» with «rsa» so I guess it depends on the .pem contents. I used file command to know that it was «rsa» and not «x509» (e.g. file xyz.pem ).
@megatux a PEM file can contain a few different types of data x509 is the format for certificates, rsa is the format for a public/private key pair.
For shorter text-output try: openssl x509 -in certificate.pem -text -noout — This will omit the last ~ 40 lines of text from the output ( BEGIN CERTIFICATE . END CERTIFICATE stuff)
Use the -printcert command like this:
keytool -printcert -file certificate.pem @Maximilian it may happen on APNS certificates, which combines private key & certificate into one .pem . Separate them into 2 files using text editor and the above command will work. (Hint: copy — BEGIN CERTIFICATE — line to — END CERTIFICATE — line to new file)
How do I display the contents of a SSL certificate?
You can display the contents of a PEM formatted certificate under Linux, using openssl:
$ openssl x509 -in acs.cdroutertest.com.pem -text The output of the above command should look something like this:
cdrouter@linux:/usr/cdrouter/tests> openssl x509 -in acs.cdroutertest.com.pem -text Certificate: Data: Version: 3 (0x2) Serial Number: 04:7a:f7:95:47:c0:7d:0f:ef:80:a5:b2:1f:51:e3:63 Signature Algorithm: sha256WithRSAEncryption Issuer: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA Validity Not Before: Mar 12 00:00:00 2018 GMT Not After : Mar 11 23:59:59 2020 GMT Subject: OU = Domain Control Validated, OU = PositiveSSL, CN = acs.cdroutertest.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:eb:fe:b5:1a:16:0d:49:3f:15:18:99:44:eb:63: ef:e4:7e:de:f7:91:2a:2f:3c:9d:43:57:62:52:92: 17:a6:48:0b:de:86:43:6b:77:5c:77:9d:05:6c:64: eb:96:fa:97:c8:f9:93:3e:72:3c:c4:84:f3:e2:98: 60:9c:17:92:bf:01:12:a3:20:69:19:16:39:1c:48: 0b:e0:db:e2:bc:d0:48:57:4d:a6:0d:1a:a1:3a:51: 25:b5:d9:1c:61:ba:34:b7:76:56:15:72:7e:69:eb: 07:0f:20:3e:f9:41:56:8b:1b:51:eb:55:cd:9c:61: a1:c8:a1:42:1f:6e:87:5e:a1:1b:68:11:e5:4e:66: 36:7c:4a:2c:23:e4:98:71:31:f7:0c:28:ee:1d:65: 99:1d:1f:40:1e:da:b5:a4:de:5b:6d:8d:c3:35:3b: 06:b4:5d:82:a6:61:27:29:25:ab:71:12:71:9c:0c: f6:68:c1:54:58:3a:1d:a1:ce:ea:10:a6:2d:e0:4a: f5:f4:45:b4:2d:25:37:f5:0e:b2:c3:03:1f:35:73: 59:46:36:6a:73:a2:2c:3f:70:c8:e4:26:49:a3:20: 8f:38:7c:55:d0:2e:f5:8a:24:00:7b:ce:36:8d:60: 5a:7b:c5:4b:66:cd:49:d0:e6:51:6d:b5:9e:a8:68: 06:79 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7 X509v3 Subject Key Identifier: CC:31:0F:36:85:92:91:A8:0D:61:46:9E:9C:FE:9E:23:42:B9:D6:92 X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.6449.1.2.2.7 CPS: https://secure.comodo.com/CPS Policy: 2.23.140.1.2.1 X509v3 CRL Distribution Points: Full Name: URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl Authority Information Access: CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt OCSP - URI:http://ocsp.comodoca.com X509v3 Subject Alternative Name: DNS:acs.cdroutertest.com, DNS:www.acs.cdroutertest.com Signature Algorithm: sha256WithRSAEncryption 44:fd:29:96:b3:ca:c9:b6:10:5e:74:40:14:6a:a0:c4:41:21: 5b:16:0b:e2:13:eb:8a:25:19:5f:30:73:0f:2b:9e:68:7b:67: 3b:71:db:a3:72:91:52:db:02:8c:13:b3:fd:71:2e:4a:4c:d1: 02:6e:7e:1f:0e:0a:cf:bb:29:71:91:42:8a:e8:68:8f:a2:b4: d6:52:e4:f4:93:df:13:98:a4:58:e6:77:e4:78:86:ae:ad:73: b7:6d:43:25:dd:1f:92:c0:36:97:04:2a:87:40:87:16:16:c3: 79:13:10:a2:2e:a0:cb:27:0f:ee:c6:5a:1a:5b:55:5b:b7:9d: 20:12:7c:8b:0d:20:32:3e:8c:c1:5a:56:31:27:0e:fb:4c:d7: 7a:ad:c5:22:58:ad:97:c7:bd:75:14:bb:e7:58:f5:c8:f6:49: f8:43:68:13:2e:d4:3a:67:02:13:e8:35:50:05:df:d9:32:90: e1:c6:bb:b0:aa:52:fb:4f:1f:92:dd:d3:55:7a:28:67:91:be: c0:5c:b7:7b:74:37:0e:d8:69:36:f5:74:b9:a3:61:7c:29:31: 3e:8b:51:a2:df:fc:f4:dc:48:93:46:c9:b2:35:30:6c:48:66: 2a:6e:f5:6f:17:d7:2b:07:b4:c4:b9:67:65:67:1a:d8:76:80: 8f:ff:fd:ef -----BEGIN CERTIFICATE----- MIIFTjCCBDagAwIBAgIQBHr3lUfAfQ/vgKWyH1HjYzANBgkqhkiG9w0BAQsFADCB kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD QTAeFw0xODAzMTIwMDAwMDBaFw0yMDAzMTEyMzU5NTlaMFIxITAfBgNVBAsTGERv bWFpbiBDb250cm9sIFZhbGlkYXRlZDEUMBIGA1UECxMLUG9zaXRpdmVTU0wxFzAV BgNVBAMTDmFjcy5xYWNhZmUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEA6/61GhYNST8VGJlE62Pv5H7e95EqLzydQ1diUpIXpkgL3oZDa3dcd50F bGTrlvqXyPmTPnI8xITz4phgnBeSvwESoyBpGRY5HEgL4NvivNBIV02mDRqhOlEl tdkcYbo0t3ZWFXJ+aesHDyA++UFWixtR61XNnGGhyKFCH26HXqEbaBHlTmY2fEos I+SYcTH3DCjuHWWZHR9AHtq1pN5bbY3DNTsGtF2CpmEnKSWrcRJxnAz2aMFUWDod oc7qEKYt4Er19EW0LSU39Q6ywwMfNXNZRjZqc6IsP3DI5CZJoyCPOHxV0C71iiQA e842jWBae8VLZs1J0OZRbbWeqGgGeQIDAQABo4IB3zCCAdswHwYDVR0jBBgwFoAU kK9qOpRaC9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFMwxDzaFkpGoDWFGnpz+niNC udaSMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG AQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYI KwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAEC ATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01P RE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGFBggrBgEF BQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NP TU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYB BQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAtBgNVHREEJjAkgg5hY3Mu cWFjYWZlLmNvbYISd3d3LmFjcy5xYWNhZmUuY29tMA0GCSqGSIb3DQEBCwUAA4IB AQBE/SmWs8rJthBedEAUaqDEQSFbFgviE+uKJRlfMHMPK55oe2c7cdujcpFS2wKM E7P9cS5KTNECbn4fDgrPuylxkUKK6GiPorTWUuT0k98TmKRY5nfkeIaurXO3bUMl 3R+SwDaXBCqHQIcWFsN5ExCiLqDLJw/uxloaW1Vbt50gEnyLDSAyPozBWlYxJw77 TNd6rcUiWK2Xx711FLvnWPXI9kn4Q2gTLtQ6ZwIT6DVQBd/ZMpDhxruwqlL7Tx+S 3dNVeihnkb7AXLd7dDcO2Gk29XS5o2F8KTE+i1Gi3/z03EiTRsmyNTBsSGYqbvVv F9crB7TEuWdlZxrYdoCP//3v -----END CERTIFICATE----- Likewise, you can display the contents of a DER formatted certificate using this command:
$ openssl x509 -in MYCERT.der -inform der -text