Viewing X.509 DER Certificate Details with OpenSSL
Let's say that we have a certificate in a file, such as cert.crt:
$ file cert.crt
cert.crt: data
We want to determine what the cert is for, but don't speak raw DER X.509, so we can use OpenSSL to help us here.
$ openssl x509 -in cert.crt -inform DER -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:dd:6a:fc:5e:96:e2:01:6b:4e:07:5d:1d:5b:fc:c5:b6:62
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: Oct 12 05:51:59 2018 GMT
Not After : Jan 10 05:51:59 2019 GMT
Subject: CN = www.jvt.me
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:f1:de:15:c2:81:6b:b2:59:49:67:11:f1:b0:d0:
52:4f:7d:6c:09:b3:5b:bf:eb:89:30:12:48:8c:fe:
61:cb:98:c6:4f:68:ff:65:39:ab:93:ca:53:7a:66:
a1:1f:55:0d:c8:3f:2f:c0:7f:e1:18:8f:c2:da:82:
34:d9:0f:87:ec:58:25:86:6c:41:3a:1d:1c:b7:93:
1d:97:c1:5a:e8:f8:7a:eb:b5:30:b6:bf:d1:6f:40:
a4:87:ce:9e:a3:47:1a:72:fd:35:d4:ec:3e:7c:eb:
6d:2c:77:fa:14:47:41:a2:c2:35:4d:c3:63:6f:c9:
c9:70:61:da:7e:52:1f:a5:df:8c:8d:8d:f6:47:35:
1d:51:78:13:40:43:1f:06:f8:0b:5b:97:8e:0f:d1:
dd:b3:a2:bd:f0:fb:6d:40:b1:b4:8b:5d:7b:22:cd:
6b:18:90:0c:ea:a6:77:ce:4c:d4:d5:ae:a0:04:0e:
08:ce:c7:e5:92:ca:51:e4:ce:af:73:0e:2b:b5:ca:
18:af:ab:27:f5:37:7e:8a:28:67:53:53:2e:91:eb:
c9:36:43:62:70:c7:de:9b:7e:95:7f:f1:8b:4f:51:
81:14:44:66:12:8a:84:e4:6c:e5:6f:38:ca:7d:62:
f8:01:5e:1a:cd:a5:27:23:cc:6a:1d:ce:c5:b1:a4:
6c:87
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
A8:47:3B:22:98:5B:56:AB:76:57:E7:1F:15:75:5F:37:09:91:55:67
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:www.jvt.me
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
Timestamp : Oct 12 06:51:59.907 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:40:1B:0F:40:86:BA:7C:87:9A:2C:2A:B3:
D2:46:E3:99:62:F2:66:11:D9:4E:96:02:DC:78:35:57:
4D:1C:0C:8E:02:20:34:6C:14:15:DE:62:30:65:61:E7:
44:C1:E9:7F:0A:D4:3B:81:8A:62:32:E7:9A:10:6A:64:
39:E2:6F:10:C2:41
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
Timestamp : Oct 12 06:51:59.923 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:38:82:53:95:CC:20:80:F7:81:0E:9C:40:
12:2D:61:E2:FC:62:2F:5E:E1:97:B6:E6:04:E0:ED:7E:
2E:9A:E8:98:02:21:00:ED:43:38:07:6C:BE:65:49:FB:
D1:98:D6:D2:B7:AE:2E:E7:73:47:8F:08:08:F3:CC:AF:
90:B1:C6:0C:A7:AA:04
Signature Algorithm: sha256WithRSAEncryption
0a:e4:3d:93:68:4a:b1:7d:18:ae:33:8f:ac:5a:a6:eb:b9:6d:
2f:20:71:72:ba:46:96:e2:5e:87:f6:51:65:8e:8b:6f:c6:a2:
8d:15:98:e0:4b:c1:ab:b1:bb:7a:d9:04:d9:d4:d5:60:a0:61:
f5:ac:95:fc:10:0c:71:b4:22:2a:60:b0:d9:b3:20:1f:84:3f:
56:6c:3e:03:00:3e:b4:0a:1f:f7:a5:ef:d4:a9:c6:bc:00:b0:
e5:86:13:09:11:81:0f:92:b3:ec:aa:38:e6:52:83:a6:4b:82:
c5:89:26:22:dd:4c:16:a7:b0:83:51:b8:fb:7a:48:65:7a:b2:
d4:bd:d0:f3:33:1c:47:51:bf:e6:d0:7c:63:49:53:dd:df:23:
51:70:2a:27:04:3a:80:cb:26:2d:a9:9d:5d:78:34:9c:5e:4a:
c5:e2:ad:b1:fe:51:6f:e6:55:6c:83:95:88:e4:3e:2a:e6:94:
f3:cb:1d:bd:5f:51:9d:0a:10:a3:f5:2e:26:79:d4:22:41:29:
6f:b0:fe:a6:23:da:78:38:e3:d0:f3:ea:14:9a:90:02:fa:30:
04:6a:5b:0a:77:68:bf:f4:bd:97:02:8b:a1:19:ed:00:86:da:
22:e8:2c:cc:92:d2:7f:30:3a:43:02:1f:43:a6:7a:8d:d0:fe:
d1:de:f1:80
Note that because OpenSSL works with PEM files by default, we need to explicitly set the -inform DER flag.
We can see all sorts of interesting information, such as the Subject: CN = www.jvt.me, and the X509v3 Subject Alternative Name: DNS:www.jvt.me.
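When you do not know in advance whether a file is PEM or DER, the -inform choice described above can be made by looking at the file itself. The following is an added example, not part of the original post; the function names cert_inform and cert_summary are hypothetical, and the -ext option assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: choose the -inform value from the file's contents.

# cert_inform FILE
# Prints "PEM" or "DER". Returns 1 if the file looks like neither,
# 2 if it cannot be read.
cert_inform() {
    f=$1
    [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }

    # PEM is base64 text wrapped in BEGIN/END marker lines.
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo PEM
        return 0
    fi

    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    # This is only a heuristic: other DER objects (keys, CSRs) also start
    # with 0x30, and openssl will reject those when it parses them.
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo DER
        return 0
    fi

    echo "unrecognised certificate encoding: $f" >&2
    return 1
}

# cert_summary FILE
# Prints only the fields that usually answer "what is this cert for":
# subject, issuer, validity window and Subject Alternative Names.
cert_summary() {
    inform=$(cert_inform "$1") || return 1
    openssl x509 -in "$1" -inform "$inform" -noout \
        -subject -issuer -dates -ext subjectAltName
}
```

Source the file and run cert_summary cert.crt; for the certificate shown above it would pick DER, since file reported it as plain data rather than text.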