openssl-x509
Display and manipulate X.509 certificates
TLDR
Display certificate information
Display a certificate's expiration date
Convert a certificate between binary DER encoding and textual PEM encoding
Store a certificate's public key in a file
SYNOPSIS
openssl x509 [-help] [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-out filename] [-serial] [-hash] [-subject_hash] [-issuer_hash] [-nameopt option] [-email] [-startdate] [-enddate] [-noout] [-text] [-purpose] [-dates] [-checkend arg] [-modulus] [-fingerprint] [-alias arg] [-trustout] [-clrtrust arg] [-addtrust arg] [-CApath directory] [-CAfile filename] [-req] [-signkey filename] [-days arg] [-set_serial n] [-extfile filename] [-extensions section] [-copy_extensions none|copyall|copyrequest] [-preserveDN] [-x509toreq] [-pubkey] [-no_header] [-no_version] [-no_serial] [-no_signame] [-no_validity] [-no_subject] [-no_issuer] [-no_pubkey] [-certopt option] [-policy arg] [-engine id] [-rand file...] [-writeraw]
PARAMETERS
-help
Display a brief usage summary.
-inform PEM|DER
Specify the input format (PEM or DER). Defaults to PEM.
-outform PEM|DER
Specify the output format (PEM or DER). Defaults to PEM.
-in filename
Specify the input certificate file.
-out filename
Specify the output file.
-serial
Print the certificate serial number.
-hash
Print the certificate hash (subject hash).
-subject_hash
Synonym for -hash.
-issuer_hash
Print the issuer hash.
-nameopt option
Specify the name options.
-email
Print email addresses contained in the certificate.
-startdate
Print the certificate start date.
-enddate
Print the certificate end date.
-noout
Do not print the encoded version of the certificate.
-text
Print the full text version of the certificate.
-purpose
Check the certificate against the intended purpose.
-dates
Print start and end dates.
-checkend arg
Check if the certificate expires within arg seconds.
-modulus
Print the public key modulus.
-fingerprint
Print the certificate fingerprint.
-alias arg
Set the certificate alias.
-trustout
Output a trusted certificate.
-clrtrust arg
Remove trust flag.
-addtrust arg
Add trust flag.
-CApath directory
Specify the CA path.
-CAfile filename
Specify the CA file.
-req
Treat the input as a certificate request.
-signkey filename
Sign the certificate request with the specified key.
-days arg
Number of days until the certificate expires.
-set_serial n
Set the serial number.
-extfile filename
Specify the extensions file.
-extensions section
Specify the extensions section.
-copy_extensions none|copyall|copyrequest
Copy extensions.
-preserveDN
Preserve DN.
-x509toreq
Convert certificate to request.
-pubkey
Output public key.
-no_header
Suppress header.
-no_version
Suppress version information.
-no_serial
Suppress serial number information.
-no_signame
Suppress signature algorithm name.
-no_validity
Suppress validity dates information.
-no_subject
Suppress subject name information.
-no_issuer
Suppress issuer name information.
-no_pubkey
Suppress public key information.
-certopt option
Specify certificate output options.
-policy arg
Specify policy.
-engine id
Specify engine id.
-rand file...
Specify random file.
-writeraw
Write raw output.
DESCRIPTION
The openssl x509 command, part of the OpenSSL suite, displays, verifies, and converts X.509 certificates. It lets users examine a certificate's contents, including the subject, issuer, validity period, and public key information, and convert certificates between formats (e.g., PEM and DER). It is used for debugging certificate-related issues, extracting certificate information in scripts, and verifying the integrity of digital certificates. Options control the output format and which fields are displayed.
openssl x509 is essential for anyone working with SSL/TLS, digital signatures, or public key infrastructure (PKI).
COMMON USAGE EXAMPLES
Displaying certificate information: openssl x509 -in certificate.pem -text -noout
Converting a certificate from DER to PEM format: openssl x509 -in certificate.der -inform DER -out certificate.pem -outform PEM
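Checking expiry from a script: the -inform, -enddate, -checkend and -fingerprint options combined into a small helper that accepts PEM or DER files. This is an added example, not part of the original page or the OpenSSL project; the function names and the 30-day default window are assumptions, and -sha256 selects the fingerprint digest.

```shell
#!/bin/sh
# Added example: certificate expiry check built on openssl x509.
# Function names and the 30-day default window are illustrative assumptions.

# Print an -inform value (PEM or DER) that openssl x509 accepts for FILE.
cert_format() {
    local f="$1" fmt
    for fmt in PEM DER; do
        if openssl x509 -in "$f" -inform "$fmt" -noout 2>/dev/null; then
            echo "$fmt"
            return 0
        fi
    done
    return 1
}

# Report whether FILE expires within SECONDS (default: 30 days).
# Prints "OK|EXPIRING <file> <notAfter>" or "UNREADABLE <file>";
# returns 0, 1 or 2 respectively.
cert_status() {
    local f="$1" window="${2:-2592000}" fmt end
    fmt=$(cert_format "$f") || { echo "UNREADABLE $f"; return 2; }
    end=$(openssl x509 -in "$f" -inform "$fmt" -noout -enddate)
    end=${end#notAfter=}
    # -checkend exits 0 if the certificate is still valid after the window
    # and non-zero if it will have expired by then.
    if openssl x509 -in "$f" -inform "$fmt" -noout -checkend "$window" >/dev/null; then
        echo "OK $f $end"
        return 0
    fi
    echo "EXPIRING $f $end"
    return 1
}

# SHA-256 fingerprint; it is computed over the DER bytes, so the PEM and
# DER encodings of one certificate give the same value.
cert_fingerprint() {
    local fmt
    fmt=$(cert_format "$1") || return 2
    openssl x509 -in "$1" -inform "$fmt" -noout -fingerprint -sha256 | cut -d= -f2
}

# When run with file arguments, report on each certificate in turn.
for f in "$@"; do cert_status "$f"; done
```

A return code of 2 separates a file that could not be parsed from a certificate that is merely close to expiry, so a monitoring job can alert on the two cases differently.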
SEE ALSO
openssl(1), openssl-req(1), openssl-ca(1), openssl-verify(1)