LinuxCommandLibrary

openssl-x509

Display and manipulate X.509 certificates

TLDR

Display certificate information

$ openssl x509 -in [filename.crt] -noout -text

Display a certificate's expiration date

$ openssl x509 -enddate -noout -in [filename.pem]

Convert a certificate between binary DER encoding and textual PEM encoding

$ openssl x509 -inform [der] -outform [pem] -in [original_certificate_file] -out [converted_certificate_file]

Store a certificate's public key in a file

$ openssl x509 -in [certificate_file] -noout -pubkey -out [output_file]

SYNOPSIS

openssl x509 [options]

PARAMETERS

-in filename
    Specifies the input certificate file. If not provided, input is read from standard input.

-out filename
    Specifies the output certificate file. If not provided, output is written to standard output.

-inform DER|PEM
    Specifies the input format. DER for binary Distinguished Encoding Rules, PEM for base64 encoded with headers/footers. Defaults to PEM.

-outform DER|PEM
    Specifies the output format. DER for binary, PEM for base64 encoded. Defaults to PEM.

-text
    Prints the certificate in human-readable text format, including all details.

-noout
    Prevents printing of the encoded version of the certificate to the output. Useful when only extracting specific information.

-subject
    Prints the subject (owner) Distinguished Name (DN) of the certificate.

-issuer
    Prints the issuer (signer) Distinguished Name (DN) of the certificate.

-dates
    Prints the certificate's validity period (notBefore and notAfter dates).

-startdate
    Prints the 'notBefore' validity date of the certificate.

-enddate
    Prints the 'notAfter' validity date of the certificate.

-serial
    Prints the certificate's serial number.

-hash
    Prints the subject hash (used for symlinking certificates in hash directories).

-fingerprint
    Prints the SHA1 fingerprint of the certificate.

-pubkey
    Extracts and prints the public key from the certificate.

-modulus
    Prints the modulus of the public key.

-req
    Indicates that the input is a Certificate Signing Request (CSR) instead of a certificate, typically used with signing options.

-signkey file
    Self-signs the certificate or CSR using the private key in file. Creates a self-signed certificate.

-CA file
    Signs a certificate request (CSR) with the CA certificate in file.

-CAkey file
    Specifies the private key of the CA certificate (used with -CA).

-CAserial file
    Specifies the file to use for CA serial numbers (used with -CA). If it does not exist, it will be created.

-days n
    Specifies the number of days for which a newly generated or signed certificate will be valid. Default is 30 days.

-set_serial n
    Sets the serial number of the certificate being signed to n. If not specified, a random serial number is generated (with -CA) or incremented (with -CAserial).

-x509toreq
    Converts a certificate into a certificate request (CSR).

-extfile file
    Specifies an OpenSSL configuration file containing certificate extensions to be added during signing.

-extensions section
    Specifies the section in the -extfile to read extensions from. Defaults to 'v3_ca' or 'v3_req' if not specified.

-clrext
    Clears any extensions from the certificate, typically when converting or self-signing.

-trustout
    Outputs a trusted certificate. This adds trust flags to the certificate.

-checkend seconds
    Checks whether the certificate expires within the next `seconds` seconds. Exits with a non-zero status if it does, or if it has already expired; this makes the option suitable for scripted expiry monitoring.
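The CA signing options listed above (-req, -CA, -CAkey, -set_serial, -days, -extfile, -extensions) together with -checkend, as an added shell example that is not part of the original page: it builds a throwaway CA in a temporary directory, signs a CSR with an extension section that pins the leaf to server authentication, then verifies the chain and the expiry window. All file names, subject names and the serial number are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): a disposable CA signs a CSR
# with extensions from an -extfile section, then the result is inspected.
# File names, subjects and the serial number are constructed placeholders.
set -u
WORK=$(mktemp -d)

# Constructed demo data: a self-signed CA certificate and a CSR for the leaf.
make_ca_and_csr() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
}

# Extension section for the leaf: not a CA, server-auth only, with a SAN.
write_extfile() {
    cat > "$WORK/leaf.ext" <<'EOF'
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:demo.example
EOF
}

# Sign the CSR: -req marks the input as a CSR, -CA/-CAkey select the signer,
# -set_serial fixes the serial, -extfile/-extensions attach the section above.
sign_leaf() {
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -set_serial 0x1001 -days 90 -extfile "$WORK/leaf.ext" -extensions leaf_ext \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Returns 0 only if the leaf chains to the CA and does not expire within 30 days.
verify_leaf() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$WORK/leaf.pem" -noout -checkend $((30 * 86400)) >/dev/null 2>&1
}

# Field extractors for the issued certificate (one field each, nothing else printed).
leaf_serial() { openssl x509 -in "$WORK/leaf.pem" -noout -serial; }
leaf_issuer() { openssl x509 -in "$WORK/leaf.pem" -noout -issuer; }
leaf_san()    { openssl x509 -in "$WORK/leaf.pem" -noout -ext subjectAltName; }

make_ca_and_csr && write_extfile && sign_leaf && verify_leaf &&
    openssl x509 -in "$WORK/leaf.pem" -noout -subject -issuer -serial -enddate
```

Replacing -set_serial with -CAserial lets the CA keep an incrementing serial file between signings, as the parameter list above describes.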

DESCRIPTION

The `openssl-x509` command is a powerful utility within the OpenSSL toolkit designed specifically for handling X.509 certificates. X.509 is a standard defining the format of public key certificates, which are fundamental to Public Key Infrastructure (PKI) used in secure communications like TLS/SSL, VPNs, and code signing.

This command allows users to perform a wide range of operations on certificates, including: displaying certificate contents in human-readable format, converting between different encoding formats (PEM and DER), extracting specific information (like subject, issuer, serial number, validity dates, public key), creating self-signed certificates, signing certificate requests (CSRs) with a Certificate Authority (CA), and performing basic certificate verification. It is an essential tool for system administrators, developers, and security professionals working with digital certificates and secure communication protocols.

CAVEATS

Handling private keys and CA operations requires extreme care due to significant security implications. Mismanagement can lead to compromised systems or untrusted certificates. Always secure private keys and ensure proper permissions.

The behavior and available options of `openssl-x509` can vary slightly between different OpenSSL library versions. Consult the specific version's man page for precise details.

COMMON USE CASES

  • Inspecting a website's certificate: `openssl s_client -connect example.com:443 -showcerts < /dev/null | openssl x509 -text -noout`
  • Converting certificate formats: `openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM`
  • Generating a self-signed certificate for testing: `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365` (Note: `openssl req` is often used for this combined process)
  • Extracting a public key: `openssl x509 -in cert.pem -pubkey -noout > publickey.pem`

CERTIFICATE TRUST FLAGS

OpenSSL certificates can have associated 'trust' or 'reject' flags, indicating whether they should be trusted for specific purposes (e.g., SSL client, SSL server). The `openssl x509` command allows viewing (`-purpose`, `-trustout`) and manipulating (`-addtrust`, `-addreject`) these flags, which are crucial for defining trust policies in applications that use OpenSSL's certificate validation functions.

HISTORY

The `openssl-x509` command is an integral part of the OpenSSL project, which began in 1998 as a successor to the SSLeay library. It has evolved significantly over the years, mirroring the advancements and evolving security requirements of the X.509 standard and Public Key Infrastructure. Its development has consistently focused on providing a comprehensive and flexible toolset for managing digital certificates, which are critical components of secure communication protocols like TLS/SSL. Its continuous maintenance and updates ensure compatibility with new cryptographic algorithms and adherence to industry best practices.

SEE ALSO

openssl(1ssl), openssl-req(1ssl), openssl-genrsa(1ssl), openssl-gendsa(1ssl), openssl-ecparam(1ssl), openssl-rsa(1ssl), openssl-pkcs12(1ssl), openssl-crl(1ssl), openssl-verify(1ssl)
