openssl-x509

Display and manipulate X.509 certificates

TLDR

Display certificate information

$ openssl x509 -in [filename.crt] -noout -text

Display a certificate's expiration date
$ openssl x509 -enddate -noout -in [filename.pem]

Convert a certificate between binary DER encoding and textual PEM encoding
$ openssl x509 -inform [der] -outform [pem] -in [original_certificate_file] -out [converted_certificate_file]

Store a certificate's public key in a file
$ openssl x509 -in [certificate_file] -noout -pubkey -out [output_file]

SYNOPSIS

openssl x509 [-help] [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-out filename] [-serial] [-hash] [-subject_hash] [-issuer_hash] [-nameopt option] [-email] [-startdate] [-enddate] [-noout] [-text] [-purpose] [-dates] [-checkend arg] [-modulus] [-fingerprint] [-alias arg] [-trustout] [-clrtrust arg] [-addtrust arg] [-CApath directory] [-CAfile filename] [-req] [-signkey filename] [-days arg] [-set_serial n] [-extfile filename] [-extensions section] [-copy_extensions none|copyall|copyrequest] [-preserveDN] [-x509toreq] [-pubkey] [-no_header] [-no_version] [-no_serial] [-no_signame] [-no_validity] [-no_subject] [-no_issuer] [-no_pubkey] [-certopt option] [-policy arg] [-engine id] [-rand file...] [-writeraw]

PARAMETERS

-help
    Display a brief usage summary.

-inform PEM|DER
    Specify the input format (PEM or DER). Defaults to PEM.

-outform PEM|DER
    Specify the output format (PEM or DER). Defaults to PEM.

-in filename
    Specify the input certificate file.

-out filename
    Specify the output file.

-serial
    Print the certificate serial number.

-hash
    Print the certificate hash (subject hash).

-subject_hash
    Synonym for -hash.

-issuer_hash
    Print the issuer hash.

-nameopt option
    Specify the name options.

-email
    Print email addresses contained in the certificate.

-startdate
    Print the certificate start date.

-enddate
    Print the certificate end date.

-noout
    Do not print the encoded version of the certificate.

-text
    Print the full text version of the certificate.

-purpose
    Check the certificate against the intended purpose.

-dates
    Print start and end dates.

-checkend arg
    Check if the certificate expires within arg seconds.

-modulus
    Print the public key modulus.

-fingerprint
    Print the certificate fingerprint.

-alias arg
    Set the certificate alias.

-trustout
    Output a trusted certificate.

-clrtrust arg
    Remove trust flag.

-addtrust arg
    Add trust flag.

-CApath directory
    Specify the CA path.

-CAfile filename
    Specify the CA file.

-req
    Treat the input as a certificate request.

-signkey filename
    Sign the certificate request with the specified key.

-days arg
    Number of days until the certificate expires.

-set_serial n
    Set the serial number.

-extfile filename
    Specify the extensions file.

-extensions section
    Specify the extensions section.

-copy_extensions none|copyall|copyrequest
    Copy extensions.

-preserveDN
    Preserve DN.

-x509toreq
    Convert certificate to request.

-pubkey
    Output public key.

-no_header
    Suppress header.

-no_version
    Suppress version information.

-no_serial
    Suppress serial number information.

-no_signame
    Suppress signature algorithm name.

-no_validity
    Suppress validity dates information.

-no_subject
    Suppress subject name information.

-no_issuer
    Suppress issuer name information.

-no_pubkey
    Suppress public key information.

-certopt option
    Specify certificate output options.

-policy arg
    Specify policy.

-engine id
    Specify engine id.

-rand file...
    Specify random file.

-writeraw
    Write raw output.

DESCRIPTION

The openssl x509 command, part of the OpenSSL suite, displays, verifies, and converts X.509 certificates. It lets users examine a certificate's contents, including the subject, issuer, validity period, and public key information, and convert certificates between formats (e.g., PEM, DER). It is crucial for debugging certificate-related issues, extracting certificate information in scripts, and verifying the integrity of digital certificates. Options control the output format and which information is displayed.
openssl x509 is essential for anyone working with SSL/TLS, digital signatures, or public key infrastructure (PKI).

COMMON USAGE EXAMPLES

Displaying certificate information
$ openssl x509 -in certificate.pem -text -noout

Converting a certificate from DER to PEM format
$ openssl x509 -in certificate.der -inform DER -out certificate.pem -outform PEM
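
Scripted expiry and fingerprint checks (an added example, not part of the original page): the script below combines -checkend, -enddate, -fingerprint and the PEM/DER conversion described above. The function names, the example.test subject and the file names are hypothetical; the sample certificate is generated on the fly with openssl req, and -sha256 selects the fingerprint digest.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): expiry and fingerprint checks.

# Create a throwaway self-signed certificate as constructed sample input.
# $1 = output directory, $2 = validity in days
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.test" \
        -keyout "$1/sample.key" -out "$1/sample.pem" 2>/dev/null
}

# Print ok, expiring or unreadable for a PEM certificate.
# $1 = certificate file, $2 = warning window in seconds
cert_expiry_status() {
    # A file that does not parse must never be reported as healthy.
    openssl x509 -in "$1" -noout 2>/dev/null || { echo unreadable; return 2; }
    # -checkend exits 0 if the certificate is still valid after the window,
    # and 1 if it will have expired by then.
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo expiring
        return 1
    fi
}

# Print the SHA-256 fingerprint. $1 = certificate file, $2 = PEM or DER
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo on a constructed 30-day certificate.
tmp=$(mktemp -d)
make_sample_cert "$tmp" 30
openssl x509 -in "$tmp/sample.pem" -outform DER -out "$tmp/sample.der"
openssl x509 -in "$tmp/sample.pem" -noout -enddate
echo "1-day window:  $(cert_expiry_status "$tmp/sample.pem" 86400)"
echo "60-day window: $(cert_expiry_status "$tmp/sample.pem" 5184000)"
# The fingerprint is a digest of the DER encoding, so both lines match.
echo "PEM: $(cert_fingerprint "$tmp/sample.pem" PEM)"
echo "DER: $(cert_fingerprint "$tmp/sample.der" DER)"
rm -rf "$tmp"
```

Checking the parse step separately matters in monitoring jobs: a truncated or missing file would otherwise be indistinguishable from a certificate that is about to expire.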

SEE ALSO

openssl(1), openssl-req(1), openssl-ca(1), openssl-verify(1)
