Viewing X.509 PEM Certificate Details with OpenSSL

Let's say that we have a certificate in a file, such as cert.pem:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

We want to determine what the cert is for, but don't speak raw X.509, so we can use OpenSSL to help us here.

$ openssl x509 -in cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:dd:6a:fc:5e:96:e2:01:6b:4e:07:5d:1d:5b:fc:c5:b6:62
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Oct 12 05:51:59 2018 GMT
            Not After : Jan 10 05:51:59 2019 GMT
        Subject: CN = www.jvt.me
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:f1:de:15:c2:81:6b:b2:59:49:67:11:f1:b0:d0:
                    52:4f:7d:6c:09:b3:5b:bf:eb:89:30:12:48:8c:fe:
                    61:cb:98:c6:4f:68:ff:65:39:ab:93:ca:53:7a:66:
                    a1:1f:55:0d:c8:3f:2f:c0:7f:e1:18:8f:c2:da:82:
                    34:d9:0f:87:ec:58:25:86:6c:41:3a:1d:1c:b7:93:
                    1d:97:c1:5a:e8:f8:7a:eb:b5:30:b6:bf:d1:6f:40:
                    a4:87:ce:9e:a3:47:1a:72:fd:35:d4:ec:3e:7c:eb:
                    6d:2c:77:fa:14:47:41:a2:c2:35:4d:c3:63:6f:c9:
                    c9:70:61:da:7e:52:1f:a5:df:8c:8d:8d:f6:47:35:
                    1d:51:78:13:40:43:1f:06:f8:0b:5b:97:8e:0f:d1:
                    dd:b3:a2:bd:f0:fb:6d:40:b1:b4:8b:5d:7b:22:cd:
                    6b:18:90:0c:ea:a6:77:ce:4c:d4:d5:ae:a0:04:0e:
                    08:ce:c7:e5:92:ca:51:e4:ce:af:73:0e:2b:b5:ca:
                    18:af:ab:27:f5:37:7e:8a:28:67:53:53:2e:91:eb:
                    c9:36:43:62:70:c7:de:9b:7e:95:7f:f1:8b:4f:51:
                    81:14:44:66:12:8a:84:e4:6c:e5:6f:38:ca:7d:62:
                    f8:01:5e:1a:cd:a5:27:23:cc:6a:1d:ce:c5:b1:a4:
                    6c:87
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                A8:47:3B:22:98:5B:56:AB:76:57:E7:1F:15:75:5F:37:09:91:55:67
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:www.jvt.me
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
                                3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
                    Timestamp : Oct 12 06:51:59.907 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:40:1B:0F:40:86:BA:7C:87:9A:2C:2A:B3:
                                D2:46:E3:99:62:F2:66:11:D9:4E:96:02:DC:78:35:57:
                                4D:1C:0C:8E:02:20:34:6C:14:15:DE:62:30:65:61:E7:
                                44:C1:E9:7F:0A:D4:3B:81:8A:62:32:E7:9A:10:6A:64:
                                39:E2:6F:10:C2:41
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
                                6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
                    Timestamp : Oct 12 06:51:59.923 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:38:82:53:95:CC:20:80:F7:81:0E:9C:40:
                                12:2D:61:E2:FC:62:2F:5E:E1:97:B6:E6:04:E0:ED:7E:
                                2E:9A:E8:98:02:21:00:ED:43:38:07:6C:BE:65:49:FB:
                                D1:98:D6:D2:B7:AE:2E:E7:73:47:8F:08:08:F3:CC:AF:
                                90:B1:C6:0C:A7:AA:04
    Signature Algorithm: sha256WithRSAEncryption
         0a:e4:3d:93:68:4a:b1:7d:18:ae:33:8f:ac:5a:a6:eb:b9:6d:
         2f:20:71:72:ba:46:96:e2:5e:87:f6:51:65:8e:8b:6f:c6:a2:
         8d:15:98:e0:4b:c1:ab:b1:bb:7a:d9:04:d9:d4:d5:60:a0:61:
         f5:ac:95:fc:10:0c:71:b4:22:2a:60:b0:d9:b3:20:1f:84:3f:
         56:6c:3e:03:00:3e:b4:0a:1f:f7:a5:ef:d4:a9:c6:bc:00:b0:
         e5:86:13:09:11:81:0f:92:b3:ec:aa:38:e6:52:83:a6:4b:82:
         c5:89:26:22:dd:4c:16:a7:b0:83:51:b8:fb:7a:48:65:7a:b2:
         d4:bd:d0:f3:33:1c:47:51:bf:e6:d0:7c:63:49:53:dd:df:23:
         51:70:2a:27:04:3a:80:cb:26:2d:a9:9d:5d:78:34:9c:5e:4a:
         c5:e2:ad:b1:fe:51:6f:e6:55:6c:83:95:88:e4:3e:2a:e6:94:
         f3:cb:1d:bd:5f:51:9d:0a:10:a3:f5:2e:26:79:d4:22:41:29:
         6f:b0:fe:a6:23:da:78:38:e3:d0:f3:ea:14:9a:90:02:fa:30:
         04:6a:5b:0a:77:68:bf:f4:bd:97:02:8b:a1:19:ed:00:86:da:
         22:e8:2c:cc:92:d2:7f:30:3a:43:02:1f:43:a6:7a:8d:d0:fe:
         d1:de:f1:80

We can see all sorts of interesting information, such as the Subject (CN = www.jvt.me) and the X509v3 Subject Alternative Name (DNS:www.jvt.me).
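To pull out only those fields instead of reading the full dump, here is an added example (not from the original article) built on the `openssl x509` options `-subject`, `-issuer`, `-dates`, `-ext`, `-checkhost` and `-checkend`. It runs against a throwaway self-signed certificate for the constructed name www.example.test; the function names are this example's own, and `-addext`/`-ext` need OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example: field-level inspection of a PEM certificate.
# The certificate is constructed sample data, not the one from the article.

# make_sample_cert DIR: write DIR/cert.pem, a 90-day self-signed cert with two SANs.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -subj "/CN=www.example.test" \
    -addext "subjectAltName=DNS:www.example.test,DNS:example.test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# cert_summary FILE: subject, issuer and validity window only.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
}

# cert_sans FILE: one SAN DNS name per line.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_covers_host FILE HOST: succeeds if the cert is valid for HOST.
# -checkhost always exits 0, so the printed verdict is matched instead.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# cert_expires_within FILE SECONDS: succeeds if the cert expires in that window.
# -checkend exits 1 when the cert will have expired, hence the negation.
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Demo run on the constructed certificate.
tmp=$(mktemp -d)
make_sample_cert "$tmp"
cert_summary "$tmp/cert.pem"
echo "SANs:"; cert_sans "$tmp/cert.pem"
for h in www.example.test other.example.test; do
  if cert_covers_host "$tmp/cert.pem" "$h"; then echo "$h: covered"
  else echo "$h: NOT covered"; fi
done
if cert_expires_within "$tmp/cert.pem" $((30 * 24 * 3600)); then
  echo "expires within 30 days"
else echo "valid for more than 30 days"; fi
rm -rf "$tmp"
```

When a certificate carries DNS entries in its Subject Alternative Name, `-checkhost` matches against those and not the Subject CN, which is also how current TLS clients decide.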

*****

Written by Jamie Tanna on 02 November 2018.

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under Apache License 2.0.
