X.509 certificate inspection with OpenSSL
X.509 certificate inspection with OpenSSL involves using command-line tools to read and parse the data contained within X.509 digital certificates. This process is essential for verifying details such as the issuer, validity period, and public key information without opening the file in a graphical interface^[600-developer__tools__security__CA.md].
Reading Certificate Data
To inspect the contents of a certificate file, the openssl x509 command is used with the -text and -noout flags: -text prints the decoded certificate details to standard output in a human-readable format, and -noout suppresses the PEM-encoded copy of the certificate that would otherwise follow^[600-developer__tools__security__CA.md].
The basic syntax to read a certificate is:

```bash
openssl x509 -in <filename> -text -noout
```

For example, to read a file named ca.crt^[600-developer__tools__security__CA.md]:

```bash
openssl x509 -in ca.crt -text -noout
```
Output Information
When the command is executed, OpenSSL outputs a detailed structure that includes the following key components^[600-developer__tools__security__CA.md]:
- Version: The X.509 version number (e.g., Version 3).
- Serial Number: The unique serial number assigned to the certificate.
- Signature Algorithm: The algorithm used by the CA to sign the certificate (e.g., sha256WithRSAEncryption).
- Issuer: The Distinguished Name (DN) of the Certificate Authority that issued the certificate.
- Validity:
  - Not Before: The start date and time when the certificate becomes valid.
  - Not After: The expiration date and time.
- Subject: The DN of the entity (e.g., server or user) that the certificate identifies.
- Subject Public Key Info: Details about the public key (algorithm and modulus/exponent for RSA).
- X509v3 Extensions: Additional constraints and usage flags, such as:
  - Subject Key Identifier: Identifies the public key.
  - Authority Key Identifier: Identifies the issuer's public key.
  - Basic Constraints: Defines whether the certificate is a CA (CA:TRUE)^[600-developer__tools__security__CA.md].
Examples
A real-world inspection of a Root CA certificate (e.g., windows-root.cer) will reveal specific extensions critical for trust, such as the CA:TRUE flag in the Basic Constraints section^[600-developer__tools__security__CA.md]. It will also display the specific Key Usage permissions, such as "Digital Signature," "Certificate Sign," and "CRL Sign"^[600-developer__tools__security__CA.md].
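A runnable version of this inspection, added here as an example and not taken from the page's source: it generates a throwaway self-signed CA (constructed test data, not a real root), then pulls the issuer, key usage and CA flag out of the same `openssl x509 -text -noout` dump and adds an expiry check with `-checkend`. It assumes the openssl CLI (1.1.1 or newer, for `-addext`) is on PATH; the function names are this example's own.

```bash
#!/bin/sh
# Added example (not from the original page): create a throwaway self-signed
# CA in a temporary directory, then extract the fields the page describes from
# `openssl x509 -text -noout`. Assumes the openssl CLI (1.1.1+) is on PATH.
set -eu

# make_test_ca DIR: writes DIR/ca.crt, a constructed self-signed CA carrying
# Basic Constraints CA:TRUE and the Key Usage bits a root CA normally has.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Test Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,digitalSignature,keyCertSign,cRLSign" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# cert_field CERT NAME: prints the first value of NAME in the text dump,
# e.g. "Issuer", "Subject", "Not After", "Signature Algorithm".
cert_field() {
  openssl x509 -in "$1" -noout -text | sed -n "s/^ *$2 *: *//p" | sed 1q
}

# cert_is_ca CERT: succeeds only if Basic Constraints contains CA:TRUE.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q '^ *CA:TRUE'
}

# cert_key_usage CERT: prints the line that follows "X509v3 Key Usage".
cert_key_usage() {
  openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Key Usage/{n;s/^ *//p;}'
}

# cert_expires_within CERT SECONDS: succeeds if the certificate expires within
# SECONDS. openssl -checkend exits 0 when it will still be valid, so negate it.
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# When run directly with a certificate path, print a short inspection report.
if [ $# -eq 1 ]; then
  printf 'Issuer:    %s\n' "$(cert_field "$1" Issuer)"
  printf 'Subject:   %s\n' "$(cert_field "$1" Subject)"
  printf 'Not After: %s\n' "$(cert_field "$1" "Not After")"
  printf 'Key Usage: %s\n' "$(cert_key_usage "$1")"
  if cert_is_ca "$1"; then echo "Basic Constraints: CA:TRUE"; fi
  if cert_expires_within "$1" 2592000; then echo "WARNING: expires within 30 days"; fi
fi
```

Run it as `sh inspect.sh ca.crt` to report on an existing certificate; the 30-day window in the expiry warning is a threshold chosen for this example.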
Related Concepts
- [[Public Key Infrastructure]]: The framework managing the creation, distribution, and validation of certificates.
- OpenSSL: The underlying toolkit used for the operations described.
- [[Base64]]: The encoding often used for the ASCII representation of certificate data (PEM format).
Sources
^[600-developer__tools__security__CA.md]