Viewing Certificates with OpenSSL: Step-by-Step Guide

Ever found yourself struggling to view SSL/TLS certificates using OpenSSL? You’re not alone. Many developers find it challenging to decipher the details of a certificate, but there’s a tool that can make this process straightforward.

Think of OpenSSL as a magnifying glass, allowing you to examine the intricate details of a certificate. It’s a powerful utility that can help you understand the ins and outs of SSL/TLS certificates.

This guide will walk you through the process of viewing certificates using OpenSSL, from basic usage to advanced techniques. We’ll cover everything from executing simple commands to viewing specific details of the certificate and even troubleshooting common issues.

So, let’s dive in and start mastering OpenSSL!

TL;DR: How Do I View a Certificate Using OpenSSL?

To view a certificate using OpenSSL, you use the openssl x509 -in [certificate.crt] -text -noout command. This command allows you to view the details of a certificate stored in a file named certificate.crt.

Here’s a simple example:

openssl x509 -in example.crt -text -noout

# Output:
# Certificate:
#     Data:
#         Version: 3 (0x2)
#         Serial Number:
#             11:21:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
#         Signature Algorithm: sha256WithRSAEncryption
#         Issuer: C = US, ST = California, L = Mountain View, O = Google LLC, CN = Google Internet Authority G3
#         Validity
#             Not Before: Apr  2 09:33:27 2019 GMT
#             Not After : Jun 25 09:33:27 2019 GMT
#         Subject: C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
#         Subject Public Key Info:
#             Public Key Algorithm: id-ecPublicKey
#                 Public-Key: (256 bit)
#                 pub:
#                     04:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:
#                     10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f:
#                     20:21:22:23:24:25:26:27:28:29:2a:2b:2c:2d:2e:2f:
#                     30:31:32:33:34:35:36:37:38:39:3a:3b:3c:3d:3e:3f
#                 ASN1 OID: prime256v1
#                 NIST CURVE: P-256
#         X509v3 extensions:
#             X509v3 Key Usage: critical
#                 Digital Signature
#             X509v3 Extended Key Usage: 
#                 TLS Web Server Authentication
#             X509v3 Basic Constraints: critical
#                 CA:FALSE
#             X509v3 Subject Key Identifier: 
#                 BB:CE:F0:E2:36:3B:2A:02:00:88:1D:44:37:DC:76:FE
#             X509v3 Authority Key Identifier: 
#                 keyid:77:77:CE:03:4E:9B:26:67:29:4A:40:10:3A:1D:56:FA:25:9F:75:8C

#             Authority Information Access: 
#                 OCSP - URI:http://ocsp.pki.goog/gts1o1core
#                 CA Issuers - URI:http://pki.goog/gsr2/GTS1O1.crt

#             X509v3 Subject Alternative Name: 
#                 DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.cloud.google.com, DNS:*.crowdsource.google.com, DNS:*.g.co, DNS:*.gcp.gvt2.com, DNS:*.gcpcdn.gvt1.com, DNS:*.ggpht.cn, DNS:*.gkecnapps.cn, DNS:*.google-analytics.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlecnapps.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic.com, DNS:*.gstaticcnapps.cn, DNS:*.gvt1.com, DNS:*.gvt2.com, DNS:*.metric.gstatic.com, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.youtubekids.com, DNS:*.yt.be, DNS:*.ytimg.com, DNS:android.clients.google.com, DNS:android.com, DNS:developer.android.google.cn, DNS:developers.android.google.cn, DNS:g.co, DNS:ggpht.cn, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlecnapps.cn, DNS:googlecommerce.com, DNS:source.android.google.cn, DNS:urchin.com, DNS:www.goo.gl, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com, DNS:youtubekids.com, DNS:yt.be
#             X509v3 Certificate Policies: 
#                 Policy: 1 : 2.23.140.1.2.2
#                 Policy: 2.23.140.1.2.1
#                 User Notice:
#                   Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://pki.goog/repo/cps

#     Signature Algorithm: sha256WithRSAEncryption
#          11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:
#          55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88

In this example, we’ve used the openssl x509 -in example.crt -text -noout command to view the details of a certificate stored in a file named example.crt. The output provides a wealth of information about the certificate, including its version, serial number, signature algorithm, issuer, validity period, subject, subject public key info, and various X509v3 extensions.

This is just a basic way to view a certificate using OpenSSL. There’s much more to learn about OpenSSL’s capabilities, including advanced usage scenarios and troubleshooting techniques. Continue reading for more detailed information.

View a Certificate: Beginner’s Guide

Let’s start with the basics. To view a certificate using OpenSSL, you’ll need to use the openssl x509 -in [certificate.crt] -text -noout command. This command allows you to view the details of a certificate stored in a file named certificate.crt. Let’s break it down:

• openssl: This is the command line tool for OpenSSL, a robust, full-featured open-source toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

• x509: This flag tells OpenSSL to output the certificate in X.509 format, which is a widely used standard for defining digital certificates.

• -in [certificate.crt]: This option specifies the input filename to read a certificate from or standard input if this option is not specified. Replace [certificate.crt] with the path to your certificate file.

• -text: This option tells OpenSSL to print out the certificate in text form.

• -noout: This option prevents the encoded version of the certificate (i.e., the certificate itself) from being output.

Here’s a simple example:

openssl x509 -in /etc/ssl/certs/ssl-cert-snakeoil.pem -text -noout

# Output:
# Certificate:
#     Data:
#         Version: 1 (0x0)
#         Serial Number:
#             9e:b9:c0:c5:9c:08:38:cd:4a:4e:0c:56:58:76:10:90:1b:75:77:2f
#         Signature Algorithm: sha256WithRSAEncryption
#         Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
#         Validity
#             Not Before: Apr  8 14:02:16 2021 GMT
#             Not After : Apr  6 14:02:16 2031 GMT
#         Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
#         Subject Public Key Info:
#             Public Key Algorithm: rsaEncryption
#                 RSA Public-Key: (2048 bit)
#                 Modulus:
#                     00:c2:04:ec:...
#                 Exponent: 65537 (0x10001)
#     Signature Algorithm: sha256WithRSAEncryption
#          2f:7c:6a:13:...

In this example, we’re using the openssl x509 -in /etc/ssl/certs/ssl-cert-snakeoil.pem -text -noout command to view the details of a certificate stored in a file named ssl-cert-snakeoil.pem. The output provides a wealth of information about the certificate, including its version, serial number, signature algorithm, issuer, validity period, subject, and subject public key info.

As you can see, OpenSSL provides a wealth of information about a certificate with just a single command. Understanding this output is key to working effectively with SSL/TLS certificates.

Viewing Specific Certificate Details with OpenSSL

While the basic command gives you a comprehensive view of the certificate, OpenSSL also allows you to extract specific details from the certificate. This can be especially useful when you’re interested in a particular aspect of the certificate, such as its issuer or its subject.

To extract specific details from a certificate, you can use the -nameopt option followed by the specific detail you want to extract. For example, to extract the issuer of the certificate, you can use the following command:

openssl x509 -in /etc/ssl/certs/ssl-cert-snakeoil.pem -noout -issuer

# Output:
# issuer=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd

In this example, the -issuer option is used to print the issuer of the certificate. The output shows the issuer of the certificate, which is ‘Internet Widgits Pty Ltd’.

Similarly, to extract the subject of the certificate, you can use the -subject option as follows:

openssl x509 -in /etc/ssl/certs/ssl-cert-snakeoil.pem -noout -subject

# Output:
# subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd

In this example, the -subject option is used to print the subject of the certificate. The output shows the subject of the certificate, which is also ‘Internet Widgits Pty Ltd’.

As you can see, OpenSSL allows you to extract specific details from a certificate with ease. With a deeper understanding of these commands, you can quickly get the information you need without having to sift through the entire certificate.

Exploring Other Ways to View Certificates

While OpenSSL is a powerful tool for viewing certificates, it’s not the only one available. There are other commands and tools that can also be used to view certificates. Let’s explore some of these alternatives.

Using the openssl s_client Command

The openssl s_client command is a utility for testing SSL and TLS connections. It can also be used to view the certificate of a remote server. Here’s how you can use it:

echo | openssl s_client -servername hostname -connect host:port 2>/dev/null | openssl x509 -text

# Output:
# Certificate:
#     Data:
#         Version: 3 (0x2)
#         Serial Number:
#             04:e1:e7:a4:dc:5c:f2:0c:3b:0d:47:34:1a:56:5b:7a:1b:56:4d:68
#         Signature Algorithm: sha256WithRSAEncryption
#         Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
#         Validity
#             Not Before: Mar  1 00:00:00 2020 GMT
#             Not After : Apr  1 12:00:00 2022 GMT
#         Subject: CN = *.example.com
#         Subject Public Key Info:
#             Public Key Algorithm: rsaEncryption
#                 RSA Public-Key: (2048 bit)
#                 Modulus:
#                     00:c4:5a:...
#                 Exponent: 65537 (0x10001)
#     Signature Algorithm: sha256WithRSAEncryption
#          4c:7e:7c:...

In this example, we’re using the openssl s_client command to connect to a remote server and retrieve its certificate. The -connect host:port option specifies the host and port to connect to, while the -servername hostname option sets the TLS SNI (Server Name Indication) extension to the specified hostname. The output of this command is then piped to openssl x509 -text to view the certificate details.

Using the keytool Command

If you’re working with Java applications, you might find the keytool command more convenient. keytool is a key and certificate management utility that allows users to administer their own public/private key pairs and associated certificates for use in self-authentication. Here’s how you can use it to view a certificate:

keytool -printcert -file mydomain.crt

# Output:
# Owner: CN=www.example.com, OU=IT, O=Example, L=San Francisco, ST=California, C=US
# Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
# Serial number: 3e2097f4b8d5aef4a05f5f8e36c0b9d5d3e
# Valid from: Wed Sep 30 14:35:39 UTC 2020 until: Tue Dec 29 14:35:39 UTC 2020
# Certificate fingerprints:
#  SHA1: D2:CA:1F:8B:8E:ED:77:2F:9D:15:50:58:BC:2F:32:26:75:6C:40:7A
#  SHA256: 69:5D:56:2B:7F:5D:39:B0:82:91:1C:F9:C5:6A:DB:6D:2F:E6:2D:91:36:7A:6F:28:11:30:BB:B3:73:FA:FA:5D
# Signature algorithm name: SHA256withRSA
# Subject Public Key Algorithm: 2048-bit RSA key
# Version: 3

In this example, we’re using the keytool -printcert -file mydomain.crt command to view the details of a certificate stored in a file named mydomain.crt. The output provides a wealth of information about the certificate, including its owner, issuer, serial number, validity period, certificate fingerprints, signature algorithm name, subject public key algorithm, and version.

As you can see, there are several ways to view certificates. Depending on your specific needs and the tools you’re comfortable with, you might find one method more convenient than the others.

Navigating Common OpenSSL Pitfalls

While OpenSSL is a powerful tool, it’s not without its quirks. Here are some common errors you may encounter when using OpenSSL to view certificates, along with their solutions and some tips for best practices and optimization.

Unable to Load Certificate

One of the most common errors you may encounter is the ‘unable to load certificate’ error. This usually happens when the certificate file you’re trying to view doesn’t exist or can’t be accessed.

openssl x509 -in non_existent_file.crt -text -noout

# Output:
# unable to load certificate
# 140735207381464:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('non_existent_file.crt','r')
# 140735207381464:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

In this example, we’re trying to view a certificate stored in a file named non_existent_file.crt, which doesn’t exist. As a result, OpenSSL throws an ‘unable to load certificate’ error.

To resolve this issue, make sure the certificate file you’re trying to view exists and can be accessed. Check the file path and permissions.

Invalid Certificate Format

Another common error is the ‘invalid certificate format’ error. This usually happens when the certificate file you’re trying to view isn’t in the expected PEM format.

openssl x509 -in invalid_format.crt -text -noout

# Output:
# unable to load certificate
# 140735207381464:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

In this example, we’re trying to view a certificate stored in a file named invalid_format.crt, which isn’t in the expected PEM format. As a result, OpenSSL throws an ‘invalid certificate format’ error.

To resolve this issue, make sure the certificate file you’re trying to view is in the expected PEM format. If it’s in a different format, you may need to convert it to PEM format first.

Best Practices and Optimization

When using OpenSSL to view certificates, here are some tips for best practices and optimization:

• Always specify the full path to the certificate file to avoid ‘unable to load certificate’ errors.

• Make sure the certificate file is in the expected PEM format to avoid ‘invalid certificate format’ errors. If it’s in a different format, convert it to PEM format first.

• Use the -nameopt option to customize the output when viewing specific details of a certificate. For example, you can use -nameopt RFC2253 to output the names in RFC 2253 format, or -nameopt oneline to output the names in a single line.

• Use the -dates option to output the notBefore and notAfter dates of the certificate. This can be useful for quickly checking the validity period of a certificate.

openssl x509 -in /etc/ssl/certs/ssl-cert-snakeoil.pem -noout -dates

# Output:
# notBefore=Apr  8 14:02:16 2021 GMT
# notAfter=Apr  6 14:02:16 2031 GMT

In this example, we’re using the openssl x509 -in /etc/ssl/certs/ssl-cert-snakeoil.pem -noout -dates command to output the notBefore and notAfter dates of a certificate stored in a file named ssl-cert-snakeoil.pem. The output shows the validity period of the certificate, which is from ‘Apr 8 14:02:16 2021 GMT’ to ‘Apr 6 14:02:16 2031 GMT’.

Understanding SSL/TLS, Certificates, and OpenSSL

To truly appreciate the power of OpenSSL and the importance of viewing certificates, it’s crucial to understand the basics of SSL/TLS, certificates, and OpenSSL itself.

SSL/TLS: The Foundation of Secure Communications

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols designed to provide secure communication over a computer network. They use encryption to ensure that data transmitted between two parties remains private and integral.

openssl s_client -connect www.google.com:443

# Output (abbreviated):
# CONNECTED(00000003)
# depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
# verify return:1
# depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
# verify return:1
# depth=0 CN = www.google.com
# verify return:1
# ---
# Certificate chain
#  0 s:/CN=www.google.com
#    i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
#  1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
#    i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
# ---
# Server certificate
# -----BEGIN CERTIFICATE-----
# MIIEgDCCA2igAwIBAgINAeOpMBz8cgY4P5pTHTANBgkqhkiG9w0BAQsFADBhMQsw
# ...
# -----END CERTIFICATE-----
# subject=/CN=www.google.com
# issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1
# ---
# No client certificate CA names sent
# Peer signing digest: SHA256
# Server Temp Key: ECDH, P-256, 256 bits
# ---
# SSL handshake has read 2499 bytes and written 415 bytes
# ---
# New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
# Server public key is 2048 bit
# Secure Renegotiation IS supported
# Compression: NONE
# Expansion: NONE
# No ALPN negotiated
# SSL-Session:
#     Protocol  : TLSv1.2
#     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
#     ...
# ---
# DONE

In this example, we’re using the openssl s_client -connect www.google.com:443 command to establish a TLS connection to www.google.com on port 443. The output shows the SSL/TLS handshake process, the server’s certificate, and the established SSL session’s details.

Certificates: The Identity Cards of the Internet

In the context of SSL/TLS, a certificate (also known as an SSL certificate or a TLS certificate) is a digital document that binds a cryptographic key to an organization’s details. It’s like an identity card for a website or a server.

Certificates are issued by trusted entities known as Certificate Authorities (CAs). They contain information like the certificate holder’s name, the certificate’s serial number and expiration date, a copy of the certificate holder’s public key, and the digital signature of the certificate-issuing authority.

OpenSSL: A Swiss Army Knife for SSL/TLS

OpenSSL is a robust, full-featured open-source toolkit that implements the SSL and TLS protocols. It provides a rich set of features for creating and managing certificates, generating and managing private keys, establishing and securing SSL/TLS connections, and much more.

One of the most common uses of OpenSSL is to view the details of a certificate. As we’ve seen earlier, you can use the openssl x509 -in [certificate.crt] -text -noout command to view the details of a certificate stored in a file named certificate.crt.

Understanding these fundamentals can help you make the most of OpenSSL and appreciate the importance of viewing and understanding certificates in the context of secure communications.

OpenSSL in Larger Projects and Real-World Scenarios

OpenSSL is not only a tool for viewing certificates; it’s a comprehensive toolkit for managing SSL/TLS in larger projects and real-world scenarios. It can be used for generating and managing private keys, creating and signing certificates, establishing and securing SSL/TLS connections, and much more. Here are some examples of how OpenSSL can be applied in larger contexts:

Securing a Web Server with SSL/TLS

One of the most common uses of OpenSSL is to secure a web server with SSL/TLS. This involves generating a private key and a certificate signing request (CSR), signing the CSR with a Certificate Authority (CA), and configuring the web server to use the resulting certificate and private key.

# Generate a private key
openssl genpkey -algorithm RSA -out private.key

# Generate a CSR
openssl req -new -key private.key -out request.csr

# Sign the CSR with a CA
openssl x509 -req -in request.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out certificate.crt

# Output:
# Signature ok
# subject=/C=US/ST=California/L=San Francisco/O=Example/CN=www.example.com
# Getting CA Private Key

In this example, we’re using OpenSSL to generate a private key, create a CSR, and sign the CSR with a CA. The resulting certificate can then be used to secure a web server with SSL/TLS.

Creating a Self-Signed Certificate

OpenSSL can also be used to create a self-signed certificate. This can be useful for testing purposes or for setting up a secure connection in a private network.

# Generate a self-signed certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

# Output:
# Generating a RSA private key
# ..................................................................................................++++
# ........................................................................................................++++
# writing new private key to 'key.pem'
# Enter PEM pass phrase:
# Verifying - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be incorporated
# into your certificate request.
# ...

In this example, we’re using OpenSSL to generate a self-signed certificate. The -x509 option tells OpenSSL to create a self-signed certificate instead of a CSR, and the -days 365 option specifies that the certificate should be valid for 365 days.

Further Resources for OpenSSL

OpenSSL is a vast subject with many advanced features. If you’re interested in learning more about OpenSSL and how it can be used to manage SSL/TLS in larger projects and real-world scenarios, here are some resources that you might find helpful:

• OpenSSL’s Official Documentation: This is the official documentation for OpenSSL. It provides a comprehensive overview of OpenSSL’s features and how to use them.

• Mozilla’s Server Side TLS Guidelines: This guide from Mozilla provides best practices for using TLS in server software.

• Let’s Encrypt: Let’s Encrypt is a free, automated, and open Certificate Authority. They provide guides on how to secure your website with TLS certificates.

Wrapping Up: Viewing Certificates with OpenSSL

In this comprehensive guide, we’ve delved into the process of viewing SSL/TLS certificates using OpenSSL, a vital tool in the world of secure communications.

We started with the basics, learning how to view a certificate using OpenSSL with a simple command. We then explored more advanced techniques, such as extracting specific details from a certificate and using alternative commands to view certificates. We also tackled common issues you might encounter when using OpenSSL to view certificates, offering solutions to help you navigate these challenges.

Along the way, we took a detour into the fundamentals of SSL/TLS, certificates, and OpenSSL itself, providing you with a deeper understanding of the context in which OpenSSL operates. We also glimpsed at how OpenSSL can be applied in larger projects and real-world scenarios, beyond just viewing certificates.

Here’s a quick comparison of the methods we’ve discussed:

Whether you’re just starting out with OpenSSL or you’re looking to deepen your understanding, we hope this guide has served as a valuable resource. The ability to view and understand SSL/TLS certificates is a crucial skill in the world of secure communications, and now you’re well equipped to do just that. Happy exploring!