Viewing certificates on Linux with openssl

How do I display the contents of an SSL certificate?

You can display the contents of a PEM formatted certificate under Linux, using openssl:

$ openssl x509 -in acs.cdroutertest.com.pem -text 

The output of the above command should look something like this:

cdrouter@linux:/usr/cdrouter/tests> openssl x509 -in acs.cdroutertest.com.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:7a:f7:95:47:c0:7d:0f:ef:80:a5:b2:1f:51:e3:63
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Mar 12 00:00:00 2018 GMT
            Not After : Mar 11 23:59:59 2020 GMT
        Subject: OU = Domain Control Validated, OU = PositiveSSL, CN = acs.cdroutertest.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
            X509v3 Subject Key Identifier:
                CC:31:0F:36:85:92:91:A8:0D:61:46:9E:9C:FE:9E:23:42:B9:D6:92
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://secure.comodo.com/CPS
                Policy: 2.23.140.1.2.1
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com
            X509v3 Subject Alternative Name:
                DNS:acs.cdroutertest.com, DNS:www.acs.cdroutertest.com
    Signature Algorithm: sha256WithRSAEncryption
         ...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Likewise, you can display the contents of a DER formatted certificate using this command:

$ openssl x509 -in MYCERT.der -inform der -text 


Useful openssl commands to view certificate content

We generate a private key with des3 encryption using the following command, which will prompt for a passphrase:

~]# openssl genrsa -des3 -out ca.key 4096

To view the content of this private key we will use the following syntax:

~]# openssl rsa -noout -text -in <KEY_FILE>

So in our case the command would be:

~]# openssl rsa -noout -text -in ca.key

Sample output from my terminal (output is trimmed):

[Screenshot: openssl view certificate]

View the content of CSR (Certificate Signing Request)

We can use the following command to generate a CSR using the key we created in the previous example:

~]# openssl req -new -key ca.key -out client.csr

Syntax to view the content of this CSR:

~]# openssl req -noout -text -in <CSR_FILE>

Sample output from my terminal:

[Screenshot: openssl view certificate]

View the content of CA certificate

We can use our existing key to generate a CA certificate; here ca.cert.pem is the CA certificate file:

~]# openssl req -new -x509 -days 365 -key ca.key -out ca.cert.pem

To view the content of the CA certificate we will use the following syntax:

~]# openssl x509 -noout -text -in <CA_CERT_FILE>

Sample output from my terminal (output is trimmed):

[Screenshot: openssl view certificate]

View the content of signed Certificate

We can create a server or client certificate with the following command, using the key, CSR and CA certificate which we have created in this tutorial. Here server.crt is our final signed certificate:

~]# openssl x509 -req -days 365 -in client.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -out server.crt

To view the content of such a certificate we can use the following syntax:

~]# openssl x509 -noout -text -in <CERT_FILE>


Sample output from my server (output is trimmed):

[Screenshot: openssl view certificate]

You can use the same command to view a SAN (Subject Alternative Name) certificate as well.
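A check that goes with the steps above, as an added example that is not part of the original tutorial: it fingerprints the public key inside each file and verifies server.crt against ca.cert.pem. Because the tutorial builds client.csr from ca.key, server.crt ends up carrying the CA's own public key, which the comparison makes visible. Assumptions: the function names, the subject names and the extra server.key are constructed for illustration, and the key is generated without the des3 passphrase so nothing prompts.

```shell
#!/bin/sh
# Added example: which public key does each file carry, and does the signed
# certificate chain to the CA? File names follow the tutorial.

# pubkey_fp KIND FILE -> SHA-256 of the PEM public key in a key, CSR or cert
pubkey_fp() {
    case "$1" in
        key)  fp_pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  fp_pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) fp_pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    echo "unknown kind: $1" >&2; return 2 ;;
    esac || return 1
    printf '%s\n' "$fp_pem" | openssl sha256 | awk '{print $NF}'
}

# same_key KIND_A FILE_A KIND_B FILE_B -> exit 0 if both hold the same public key
same_key() {
    sk_a=$(pubkey_fp "$1" "$2") && sk_b=$(pubkey_fp "$3" "$4") && [ "$sk_a" = "$sk_b" ]
}

# chain_ok CA_CERT CERT -> exit 0 if CERT verifies against CA_CERT
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# build_demo DIR -> recreate the tutorial's files in DIR without prompts.
# Assumptions (not from the page): unencrypted 2048-bit keys, constructed
# subject names, and a separate server.key that the tutorial never uses.
build_demo() {
    ( cd "$1" &&
      openssl genrsa -out ca.key 2048 &&
      openssl genrsa -out server.key 2048 &&
      openssl req -new -key ca.key -subj "/CN=client.example.test" -out client.csr &&
      openssl req -new -x509 -days 365 -key ca.key -subj "/CN=Demo CA" -out ca.cert.pem &&
      openssl x509 -req -days 365 -in client.csr -CA ca.cert.pem -CAkey ca.key \
          -CAcreateserial -out server.crt
    ) >/dev/null 2>&1
}

# report DIR -> one line per finding for the files in DIR
report() {
    same_key csr "$1/client.csr" cert "$1/server.crt" && echo "client.csr and server.crt hold the same key"
    same_key key "$1/ca.key" cert "$1/server.crt" && echo "server.crt holds the CA's key (client.csr was made from ca.key)"
    same_key key "$1/server.key" cert "$1/server.crt" || echo "server.key is not the key in server.crt"
    chain_ok "$1/ca.cert.pem" "$1/server.crt" && echo "server.crt verifies against ca.cert.pem"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && build_demo "$tmp" && report "$tmp"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to build the files in a temporary directory; with a passphrase-protected key, `openssl pkey` prompts for the passphrase before the fingerprint is printed.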

Conclusion

In this tutorial we learned about openssl commands that can be used to view the content of different kinds of certificates. I have kept the tutorial short and to the point; you may check the other articles on openssl in the left sidebar to understand how we can create different kinds of certificates using openssl.


How To Read The SSL Certificate Info From the CLI

This guide will show you how to read the SSL Certificate Information from a text-file on your server or from a remote server by connecting to it with the OpenSSL client.

Read the SSL Certificate information from a text-file at the CLI

If you have your certificate file available to you on the server, you can read the contents with the openssl client tools.

By default, your certificate will look like this.

$ cat certificate.crt
-----BEGIN CERTIFICATE-----
MIIEzTCCA7WgAwIBAgISESHAjlbjcoBHxBYXS12oY6VjMA0GCSqGSIb3DQEBCwUA
...
CzgXBhDR3themzPx4jwx2ckNFpNDK/6yQgrKaHTewAAj
-----END CERTIFICATE-----

Which doesn’t really tell you much.

However, you can decode that certificate into a more readable form with the openssl tool (the file is Base64-encoded, not encrypted).

$ openssl x509 -text -noout -in certificate.crt

It will display SSL certificate details such as the expiration date, common name, issuer, …


Here’s what it looks like for my own certificate.

$ openssl x509 -text -noout -in certificate.crt
Certificate:
...
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2
        Validity
            Not Before: Dec 16 20:01:40 2014 GMT
            Not After : Dec 16 20:01:40 2017 GMT
        Subject: C=BE, OU=Domain Control Validated, CN=ma.ttias.be
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
...

The openssl tools are a must-have when working with certificates on your Linux server.

Read the SSL Certificate information from a remote server

You may want to monitor the validity of an SSL certificate from a remote server, without having the certificate.crt text file locally on your server. You can use the same openssl tool for that.

To connect to a remote host and retrieve its SSL certificate (which contains the public key), use the following command.

$ openssl s_client -showcerts -connect ma.ttias.be:443

This will connect to the host ma.ttias.be on port 443 and show the certificate. Its output looks like this.

$ openssl s_client -showcerts -connect ma.ttias.be:443
-----BEGIN CERTIFICATE-----
MIIEzTCCA7WgAwIBAgISESHAjlbjcoBHxBYXS12oY6VjMA0GCSqGSIb3DQEBCwUA
...
CzgXBhDR3themzPx4jwx2ckNFpNDK/6yQgrKaHTewAAj
-----END CERTIFICATE-----
---
Server certificate
subject=/C=BE/OU=Domain Control Validated/CN=ma.ttias.be
issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
---

There’s much more output, like the intermediate CA certificates, the raw certificates (encoded) and more information on the ciphers used to negotiate with the remote server.

You can use it to find the expiration date, to test for SSL connection errors, …
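One way to turn the expiration lookup described above into a monitoring check, as an added example that is not from the original guide: it reads the notAfter date and uses `openssl x509 -checkend` to decide whether renewal is due. Assumptions: the function names are hypothetical and the sample certificate is constructed locally so the script runs offline.

```shell
#!/bin/sh
# Added example: expiry checks on a certificate file or a live endpoint.

# fetch_cert HOST [PORT] -> leaf certificate of a TLS server as PEM on stdout.
# -servername sends SNI so virtual hosts return the right certificate;
# </dev/null closes stdin so s_client exits after the handshake.
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
}

# not_after FILE -> the notAfter date, e.g. "Dec 16 20:01:40 2017 GMT"
not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# expires_within FILE DAYS -> exit 0 if FILE expires in the next DAYS days.
# x509 -checkend exits non-zero when the certificate will have expired by
# then; an unreadable file also exits non-zero and so counts as due.
expires_within() {
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# make_sample FILE DAYS -> constructed self-signed certificate for offline runs
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=sample.example.test" -days "$2" -out "$1" 2>/dev/null
}

# check FILE WARN_DAYS -> one status line; exit 1 if renewal is due
check() {
    if expires_within "$1" "$2"; then
        echo "RENEW: $1 expires $(not_after "$1")"; return 1
    fi
    echo "ok: $1 valid until $(not_after "$1")"
}

# Demo on a constructed 30-day certificate. For a live host:
#   fetch_cert ma.ttias.be > remote.pem && check remote.pem 30
tmp=$(mktemp -d) && make_sample "$tmp/sample.pem" 30 &&
    check "$tmp/sample.pem" 14
rm -rf "$tmp"
```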
