Certificates are central to today's secure data communication, particularly in the HTTPS protocol. A certificate establishes the authenticity of the public key presented by the other party: a trusted certificate authority digitally signs it.
A certificate contains various components:
- Details of the subject, such as Country, State, City and Common Name (domain name), plus other optional fields
- Public Key
- Digital Signature
Display Certificate Details of Website
The certificate of a website can be retrieved and displayed in a human-readable form using the openssl subcommand s_client. The following command retrieves the certificate of www.google.com and displays it.
Don't include the protocol scheme (https://); s_client throws an error if you do. Pass only the domain name and port to the -connect option of s_client:
$ openssl s_client -connect www.google.com:443
Or feed /dev/null as standard input, so no interactive prompt is needed:
$ openssl s_client -connect www.google.com:443 < /dev/null
To display all certificates in the chain
$ openssl s_client -showcerts -connect google.com:443 < /dev/null
To display only the certificate, pipe the output to sed:
$ openssl s_client -connect google.com:443 2>&1 < /dev/null | sed -n '/----BEGIN/,/-----END/P'
Display certificate information from file
Instead of retrieving the certificate from a server, you can display the information from a certificate file using the x509 subcommand of openssl.
$ openssl x509 -in cert.pem -text -noout
The above command displays the information in the given certificate file, "cert.pem".
-text tells x509 to print the certificate in human-readable text form
-noout suppresses the encoded (PEM) certificate that would otherwise be printed at the end
Display the signature of a given certificate file
$ openssl x509 -in cert.pem -text -noout -certopt ca_default -certopt no_validity -certopt no_serial -certopt no_subject -certopt no_extensions -certopt no_signame
To extract only the certificate signature (a hex string), pipe the result to grep -v to drop the algorithm line. To remove whitespace, pipe it further to tr:
$ openssl x509 -in cert.pem -text -noout -certopt ca_default -certopt no_validity -certopt no_serial -certopt no_subject -certopt no_extensions -certopt no_signame | grep -v "Signature Algorithm" | tr -d '[:space:]'
Display detailed certificate information of server
echo | openssl s_client -showcerts -servername www.google.com -connect www.google.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
Extract the public key from certificate
A certificate contains a public key that has been signed by the certificate authority. To extract the public key from a certificate file:
$ openssl x509 -in cert.pem -pubkey -noout
Where,
-in cert.pem : cert.pem is the certificate to extract the public key from
-pubkey : output the public key in PEM (base64) encoding
-noout : do not print the certificate itself at the end
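As an added example (not part of the original post), the following script ties the x509 options above together on a certificate generated locally, so it runs offline: it builds a throwaway self-signed certificate, reads back the subject CN, checks expiry with -checkend, computes the SHA-256 fingerprint, and confirms that the public key extracted with -pubkey matches the signing key. The helper function names and the subject demo.example are assumptions made for this demo.

```shell
# Added example, not from the original post: generate a throwaway self-signed
# certificate offline, then read it back with the x509 subcommand. The helper
# names and the subject "demo.example" are constructed for this demo.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
CERT="$WORKDIR/cert.pem"
KEY="$WORKDIR/key.pem"

# Constructed input: 2048-bit RSA key and a certificate valid for 30 days.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/C=US/ST=CA/L=SF/O=Demo/CN=demo.example" \
  -keyout "$KEY" -out "$CERT" >/dev/null 2>&1

# Common Name only; -nameopt RFC2253 gives a stable "CN=...,O=..." layout.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# "yes" if the certificate expires within $2 seconds, else "no".
# -checkend exits non-zero when notAfter falls inside that window.
cert_expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; then
    echo no
  else
    echo yes
  fi
}

# SHA-256 fingerprint of the DER certificate as 64 lowercase hex digits,
# the form usually pinned or compared in monitoring.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 |
    sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# The public key embedded in the certificate (x509 -pubkey) must equal the
# public half of the private key; compare SHA-256 of both DER SPKI blobs.
cert_pubkey_matches_key() {
  c=$(openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ] && echo match || echo mismatch
}

cert_cn "$CERT"                          # demo.example
cert_expires_within "$CERT" 86400        # no
cert_fingerprint "$CERT"
cert_pubkey_matches_key "$CERT" "$KEY"   # match
```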
Bonus
To learn more about the certificate exchange and the SSL/TLS handshake, try the -msg option, which prints each protocol message:
openssl s_client -msg -connect <domain>:<port>
$ openssl s_client -msg -connect getkt.com:443
Display Certificate of Website using s_client
The command to display the certificate of a website using openssl s_client is as follows:
echo -n | openssl s_client -connect <server or domain>:443 -servername <domainname> -showcerts | openssl x509
For example, to display the certificate of getkt.com, the command would be:
echo -n | openssl s_client -connect getkt.com:443 -servername getkt.com -showcerts | openssl x509