Viewing X.509 DER Certificate Details with OpenSSL

Let's say that we have a certificate in a file, such as cert.crt:

$ file cert.crt
cert.crt: data

We want to determine what the cert is for, but don't speak raw DER X.509, so we can use OpenSSL to help us here.

$ openssl x509 -in cert.crt -inform DER -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:dd:6a:fc:5e:96:e2:01:6b:4e:07:5d:1d:5b:fc:c5:b6:62
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Oct 12 05:51:59 2018 GMT
            Not After : Jan 10 05:51:59 2019 GMT
        Subject: CN = www.jvt.me
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:f1:de:15:c2:81:6b:b2:59:49:67:11:f1:b0:d0:
                    52:4f:7d:6c:09:b3:5b:bf:eb:89:30:12:48:8c:fe:
                    61:cb:98:c6:4f:68:ff:65:39:ab:93:ca:53:7a:66:
                    a1:1f:55:0d:c8:3f:2f:c0:7f:e1:18:8f:c2:da:82:
                    34:d9:0f:87:ec:58:25:86:6c:41:3a:1d:1c:b7:93:
                    1d:97:c1:5a:e8:f8:7a:eb:b5:30:b6:bf:d1:6f:40:
                    a4:87:ce:9e:a3:47:1a:72:fd:35:d4:ec:3e:7c:eb:
                    6d:2c:77:fa:14:47:41:a2:c2:35:4d:c3:63:6f:c9:
                    c9:70:61:da:7e:52:1f:a5:df:8c:8d:8d:f6:47:35:
                    1d:51:78:13:40:43:1f:06:f8:0b:5b:97:8e:0f:d1:
                    dd:b3:a2:bd:f0:fb:6d:40:b1:b4:8b:5d:7b:22:cd:
                    6b:18:90:0c:ea:a6:77:ce:4c:d4:d5:ae:a0:04:0e:
                    08:ce:c7:e5:92:ca:51:e4:ce:af:73:0e:2b:b5:ca:
                    18:af:ab:27:f5:37:7e:8a:28:67:53:53:2e:91:eb:
                    c9:36:43:62:70:c7:de:9b:7e:95:7f:f1:8b:4f:51:
                    81:14:44:66:12:8a:84:e4:6c:e5:6f:38:ca:7d:62:
                    f8:01:5e:1a:cd:a5:27:23:cc:6a:1d:ce:c5:b1:a4:
                    6c:87
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                A8:47:3B:22:98:5B:56:AB:76:57:E7:1F:15:75:5F:37:09:91:55:67
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:www.jvt.me
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
                                3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
                    Timestamp : Oct 12 06:51:59.907 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:40:1B:0F:40:86:BA:7C:87:9A:2C:2A:B3:
                                D2:46:E3:99:62:F2:66:11:D9:4E:96:02:DC:78:35:57:
                                4D:1C:0C:8E:02:20:34:6C:14:15:DE:62:30:65:61:E7:
                                44:C1:E9:7F:0A:D4:3B:81:8A:62:32:E7:9A:10:6A:64:
                                39:E2:6F:10:C2:41
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
                                6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
                    Timestamp : Oct 12 06:51:59.923 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:38:82:53:95:CC:20:80:F7:81:0E:9C:40:
                                12:2D:61:E2:FC:62:2F:5E:E1:97:B6:E6:04:E0:ED:7E:
                                2E:9A:E8:98:02:21:00:ED:43:38:07:6C:BE:65:49:FB:
                                D1:98:D6:D2:B7:AE:2E:E7:73:47:8F:08:08:F3:CC:AF:
                                90:B1:C6:0C:A7:AA:04
    Signature Algorithm: sha256WithRSAEncryption
         0a:e4:3d:93:68:4a:b1:7d:18:ae:33:8f:ac:5a:a6:eb:b9:6d:
         2f:20:71:72:ba:46:96:e2:5e:87:f6:51:65:8e:8b:6f:c6:a2:
         8d:15:98:e0:4b:c1:ab:b1:bb:7a:d9:04:d9:d4:d5:60:a0:61:
         f5:ac:95:fc:10:0c:71:b4:22:2a:60:b0:d9:b3:20:1f:84:3f:
         56:6c:3e:03:00:3e:b4:0a:1f:f7:a5:ef:d4:a9:c6:bc:00:b0:
         e5:86:13:09:11:81:0f:92:b3:ec:aa:38:e6:52:83:a6:4b:82:
         c5:89:26:22:dd:4c:16:a7:b0:83:51:b8:fb:7a:48:65:7a:b2:
         d4:bd:d0:f3:33:1c:47:51:bf:e6:d0:7c:63:49:53:dd:df:23:
         51:70:2a:27:04:3a:80:cb:26:2d:a9:9d:5d:78:34:9c:5e:4a:
         c5:e2:ad:b1:fe:51:6f:e6:55:6c:83:95:88:e4:3e:2a:e6:94:
         f3:cb:1d:bd:5f:51:9d:0a:10:a3:f5:2e:26:79:d4:22:41:29:
         6f:b0:fe:a6:23:da:78:38:e3:d0:f3:ea:14:9a:90:02:fa:30:
         04:6a:5b:0a:77:68:bf:f4:bd:97:02:8b:a1:19:ed:00:86:da:
         22:e8:2c:cc:92:d2:7f:30:3a:43:02:1f:43:a6:7a:8d:d0:fe:
         d1:de:f1:80

Note that because OpenSSL by default works with PEM files, we need to explicitly set the -inform DER flag.

We can see all sorts of interesting information, such as the Subject (CN = www.jvt.me) and the X509v3 Subject Alternative Name (DNS:www.jvt.me).
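
As an added example (not part of the original post), the shell functions below choose the right -inform value by inspecting the file, then print only the identifying fields instead of the full -text dump. The names cert_format and cert_summary are hypothetical, and the -ext option assumes OpenSSL 1.1.1 or later.

```shell
# Added example, not from the original post. Function names are hypothetical.

# cert_format FILE -> prints DER, PEM or unknown; non-zero status on unknown.
cert_format() {
    # PEM is base64 text wrapped in an armour line; other text may precede it,
    # so search the whole file rather than only the first line.
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
        return 0
    fi
    # Heuristic: DER starts with an ASN.1 SEQUENCE tag (0x30) followed by a
    # long-form length byte (0x81, 0x82 or 0x83) for any realistic certificate.
    magic=$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        3081|3082|3083) echo DER ;;
        *) echo unknown; return 1 ;;
    esac
}

# cert_summary FILE -> subject, issuer, validity dates and SANs, whichever
# encoding the file uses. Assumes OpenSSL 1.1.1+ for the -ext option.
cert_summary() {
    fmt=$(cert_format "$1") || { echo "not a certificate: $1" >&2; return 1; }
    openssl x509 -in "$1" -inform "$fmt" -noout \
        -subject -issuer -dates -ext subjectAltName
}
```

Running cert_summary cert.crt against the certificate above would report the same Subject, Issuer, Validity and Subject Alternative Name values shown in the full output.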

Written by Jamie Tanna.

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.
