
Certificate inspection

2019-01-01T10:25:37Z.

Common commands for inspecting certificates.

Inspect certificate signing request (CSR)

Run:


openssl req -text -in server.csr

Sample output:


Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=HK, ST=Hong Kong, L=Hong Kong, O=Example Company, CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:7f:e3:13:2f:37:c2:8e:92:0d:03:60:6c:f8:08:
                    6b:fc:48:78:0f:79:31:cf:bb:e3:db:74:49:a4:6e:
                    32:4c:a8:7a:16:33:2b:d7:4a:2f:aa:93:93:f3:02:
                    94:a9:88:e8:5b:8b:18:58:ba:1f:79:99:0f:3a:2d:
                    41:9d:0b:1c:8c:2a:3d:51:3a:75:e6:6d:81:f1:a9:
                    87:2c:da:14:04:af:64:92:ca:3b:1c:2e:ac:72:e3:
                    66:d6:fc:99:a6:f3:4d
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:65:02:30:35:6b:9e:ff:8c:a1:b6:c6:29:4a:0b:fc:e5:d8:
         e6:ac:b1:0a:3a:87:86:70:b1:ad:1e:04:84:fc:97:71:bb:ce:
         58:bd:bc:a3:88:1a:ae:21:af:6b:68:da:f2:90:7c:35:02:31:
         00:f9:e0:ec:f0:50:68:52:77:5a:42:7c:ec:34:d1:cf:57:b2:
         5f:ef:71:ce:b7:e7:58:d9:9d:2d:21:ca:59:78:ca:90:90:a5:
         39:c7:1a:01:a8:46:67:7f:b1:4d:12:40:37
-----BEGIN CERTIFICATE REQUEST-----
MIIBXTCB5AIBADBlMQswCQYDVQQGEwJISzESMBAGA1UECAwJSG9uZyBLb25nMRIw
EAYDVQQHDAlIb25nIEtvbmcxGDAWBgNVBAoMD0V4YW1wbGUgQ29tcGFueTEUMBIG
A1UEAwwLZXhhbXBsZS5jb20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAR/4xMvN8KO
kg0DYGz4CGv8SHgPeTHPu+PbdEmkbjJMqHoWMyvXSi+qk5PzApSpiOhbixhYuh95
mQ86LUGdCxyMKj1ROnXmbYHxqYcs2hQEr2SSyjscLqxy42bW/Jmm802gADAKBggq
hkjOPQQDAgNoADBlAjA1a57/jKG2xilKC/zl2OassQo6h4Zwsa0eBIT8l3G7zli9
vKOIGq4hr2to2vKQfDUCMQD54OzwUGhSd1pCfOw00c9Xsl/vcc6351jZnS0hyll4
ypCQpTnHGgGoRmd/sU0SQDc=
-----END CERTIFICATE REQUEST-----

Inspect private key

Run:


openssl ec -in server.key -noout -text

Sample output:


read EC key
Private-Key: (384 bit)
priv:
    00:88:a8:80:15:f8:ec:22:33:c4:fb:cd:f3:43:31:
    87:b4:80:b0:13:4b:02:44:3b:6b:ca:9b:9c:c7:fa:
    fe:8e:8c:ae:f8:ed:8b:f1:a2:52:7c:f3:8e:10:73:
    5b:e8:7e:74
pub:
    04:26:55:3c:9a:f6:1d:47:62:07:cf:c5:8e:44:68:
    e4:00:8f:de:ce:ed:bc:33:e0:fc:1e:5f:4d:89:5c:
    bf:91:10:76:2f:49:de:66:57:5a:ca:c3:91:8d:ad:
    8b:75:95:7e:cb:c2:7b:a2:c2:1d:5f:2c:a9:39:64:
    61:c1:f5:72:2f:67:50:b0:18:e3:da:10:1f:8f:67:
    2d:20:e5:81:ab:2d:29:08:fc:78:17:6b:ba:c5:32:
    d0:f1:07:bf:50:01:ce
ASN1 OID: secp384r1
NIST CURVE: P-384

Inspect certificate (public key)

Run:


openssl x509 -text -noout -in server.crt

Sample output:


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14711250566205686010 (0xcc28dc72487440fa)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=HK, ST=Hong Kong, L=Hong Kong, O=Example Company, CN=example.com
        Validity
            Not Before: Dec 14 07:40:03 2018 GMT
            Not After : Dec 14 07:40:03 2019 GMT
        Subject: C=HK, ST=Hong Kong, L=Hong Kong, O=Example Company, CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:7f:e3:13:2f:37:c2:8e:92:0d:03:60:6c:f8:08:
                    6b:fc:48:78:0f:79:31:cf:bb:e3:db:74:49:a4:6e:
                    32:4c:a8:7a:16:33:2b:d7:4a:2f:aa:93:93:f3:02:
                    94:a9:88:e8:5b:8b:18:58:ba:1f:79:99:0f:3a:2d:
                    41:9d:0b:1c:8c:2a:3d:51:3a:75:e6:6d:81:f1:a9:
                    87:2c:da:14:04:af:64:92:ca:3b:1c:2e:ac:72:e3:
                    66:d6:fc:99:a6:f3:4d
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                4E:52:8B:1A:2C:59:AE:20:93:A3:D2:A2:4D:FB:2D:9D:1C:A9:F4:54
            X509v3 Authority Key Identifier:
                keyid:4E:52:8B:1A:2C:59:AE:20:93:A3:D2:A2:4D:FB:2D:9D:1C:A9:F4:54

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA256
         30:65:02:31:00:d6:3d:e4:86:99:22:d3:b0:40:e5:3c:09:37:
         b9:6b:16:33:d6:14:7c:c8:34:c0:9b:04:48:38:84:0e:86:b3:
         5d:a7:d0:4b:c5:f4:ad:a7:7d:bd:7b:70:d2:e2:b9:fc:f4:02:
         30:18:3c:a0:18:71:f7:12:ae:5e:52:c3:34:dc:ee:2e:a5:d2:
         65:3a:85:68:8e:77:6a:77:ae:52:b6:c3:69:31:50:c3:83:9d:
         4f:b7:47:ee:35:bf:3f:98:75:17:6f:8b:be
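
To confirm that the key, CSR and certificate inspected above belong together, compare digests of their public keys instead of reading the pub: hex by eye; in the sample outputs on this page the CSR and the certificate show the same pub: bytes, while the private key sample shows different ones. This is an added example, not part of the original article: it generates constructed P-384 material in a temporary directory, and the function names and the other.key file are assumptions.

```shell
#!/bin/sh
# Added example: file names and the temporary directory are assumptions.

# Print the SHA-256 of the public key (PEM SubjectPublicKeyInfo) held in
# a private key, CSR or certificate. $1 = key|csr|crt, $2 = file.
pubkey_digest() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *) return 2 ;;
    esac
    # Refuse to hash empty output, so two unreadable files never "match".
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if key ($1), CSR ($2) and certificate ($3) share one public key.
same_keypair() {
    k=$(pubkey_digest key "$1") || return 2
    r=$(pubkey_digest csr "$2") || return 2
    c=$(pubkey_digest crt "$3") || return 2
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Constructed sample material: a P-384 key, its CSR, a self-signed
# certificate from that CSR, and a second, unrelated P-384 key.
make_sample() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$1/server.key" &&
    openssl req -new -key "$1/server.key" -subj "/CN=example.com" \
        -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -days 1 -out "$1/server.crt" 2>/dev/null &&
    openssl ecparam -name secp384r1 -genkey -noout -out "$1/other.key"
}

tmp=$(mktemp -d)
make_sample "$tmp"
for key in server.key other.key; do
    if same_keypair "$tmp/$key" "$tmp/server.csr" "$tmp/server.crt"; then
        echo "$key: same public key as CSR and certificate"
    else
        echo "$key: does not belong to this CSR/certificate"
    fi
done
rm -rf "$tmp"
```

A mismatch between the private key and the certificate is the usual cause of a TLS server refusing to load its key pair, so this check is worth running before deployment.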

Inspect certificate on remote server

Run:


openssl s_client -connect example.com:443

Sample output (partial):


CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, OU = Technology, CN = www.example.org
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Los Angeles/O=Internet Corporation for Assigned Names and Numbers/OU=Technology/CN=www.example.org
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Los Angeles/O=Internet Corporation for Assigned Names and Numbers/OU=Technology/CN=www.example.org
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4643 bytes and written 431 bytes
