LinuxCommandLibrary

x509.1s

Display X.509 certificate information

SYNOPSIS

openssl x509 [options]

PARAMETERS

-in filename
    Specifies the input certificate file. Defaults to standard input if not provided.

-out filename
    Specifies the output file for operations. Defaults to standard output.

-inform format
    Sets the input format (PEM or DER).

-outform format
    Sets the output format (PEM or DER).

-text
    Prints the certificate in human-readable text format, showing all its fields.

-noout
    Prevents the output of the encoded version of the certificate. Useful when only printing text details or fingerprints.

-subject
    Prints the certificate's subject distinguished name.

-issuer
    Prints the certificate's issuer distinguished name.

-startdate
    Prints the certificate's not-before validity date.

-enddate
    Prints the certificate's not-after validity date.

-fingerprint
    Prints the certificate's fingerprint, a digest of its DER encoding. SHA1 is used unless a digest option such as -sha256 is also given.

-sha256
    Selects SHA-256 as the digest. Combined with -fingerprint it prints the SHA-256 fingerprint; when signing, it selects the signature digest.

-req
    Indicates that the input is a Certificate Signing Request (CSR) rather than a certificate.

-signkey file
    Self-signs the input request (or certificate) using the private key in file. OpenSSL 3.0 names this option -key and keeps -signkey as an alias.

-CA file
    Specifies the CA certificate to sign the new certificate.

-CAkey file
    Specifies the CA private key to sign the new certificate.

-days num
    Sets the number of days for which a newly signed certificate will be valid.

DESCRIPTION

The x509 subcommand of the openssl utility displays, signs, and converts X.509 certificates. It parses and prints certificate fields such as the issuer, subject, validity period, and extensions, and it converts between encodings. Beyond viewing, it self-signs certificates, turns certificates into Certificate Signing Requests (CSRs), and acts as a minimal Certificate Authority (CA) for issuing new certificates. It reads and writes both PEM and DER, so it works with most certificate-related files. System administrators, developers, and anyone working with TLS and public key infrastructure (PKI) rely on it to inspect the structure and content of certificates when debugging and validating deployments.

CAVEATS

  • Private Key Handling: When self-signing or acting as a CA, ensuring the private keys used (via -signkey or -CAkey) are securely stored and protected is paramount. Exposure of these keys compromises the security of the signed certificates.
  • Validity Period: Always specify appropriate validity periods (using -days) for certificates to mitigate risks associated with long-lived credentials and to enforce regular key rotation.
  • Extensions: The x509 command provides basic signing capabilities. For complex certificate extensions (e.g., Key Usage, Extended Key Usage, Subject Alternative Name), it's often more practical to use a configuration file with openssl req or openssl ca.
  • Trust Management: While x509 can manage trust flags, its primary role is not a full-fledged trust store manager. For system-wide trust, other tools or system configurations are usually preferred.

COMMON USAGE EXAMPLES

  • Viewing Certificate Details:
    openssl x509 -in certificate.pem -text -noout
    This command displays all the human-readable details of a certificate stored in certificate.pem.

  • Extracting Subject and Issuer:
    openssl x509 -in certificate.pem -noout -subject -issuer
    Prints only the subject and issuer distinguished names.

  • Self-Signing a Certificate:
    openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr
    openssl x509 -req -in request.csr -signkey private.key -out certificate.pem -days 365
    The first command generates a private key and a CSR. The second uses x509 to self-sign that CSR into a certificate valid for 365 days using the same private key.

  • Checking Certificate Expiry:
    openssl x509 -in certificate.pem -noout -enddate
    Prints the expiration date. To check whether it expires within, say, 30 days:
    openssl x509 -in certificate.pem -noout -checkend 2592000
    Here 2592000 is 30 days in seconds. The command prints "Certificate will not expire" and exits 0 if the certificate is still valid at that point, or prints "Certificate will expire" and exits 1 otherwise, which makes it convenient in scripts and monitoring checks.
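The self-signing and expiry-check procedures above, together with the -subject, -enddate and -fingerprint options from PARAMETERS, carried through as one runnable script. This is an added example, not code from the page or from the OpenSSL project; it assumes the openssl binary is on PATH, and every file name, the CN example.test and the 10-day lifetime are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the page or from the OpenSSL project.
# Assumes openssl is on PATH; all file names and the subject below are constructed.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Key + CSR, then a self-signed certificate valid for $2 days (the page's two-step flow).
make_self_signed() {
    base=$1
    days=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$base.key" -out "$base.csr" 2>/dev/null
    openssl x509 -req -in "$base.csr" -signkey "$base.key" -days "$days" \
        -out "$base.pem" 2>/dev/null
}

# Subject DN without the "subject=" label that openssl prints in front of it.
cert_subject() {
    openssl x509 -in "$1" -noout -subject | cut -d= -f2-
}

# notAfter date without the "notAfter=" label.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2-
}

# SHA-256 fingerprint as colon-separated hex. The label before "=" is "SHA256"
# in OpenSSL 1.1 and "sha256" in 3.x, so it is cut off rather than matched.
cert_sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 (true) if the certificate in $1 expires within $2 days, 1 otherwise.
# -checkend N exits 0 while the certificate is still valid N seconds from now
# and 1 once it would have expired, so the status is inverted here.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
        return 1
    fi
    return 0
}

# Stand-alone run: a 10-day certificate trips a 30-day warning but not a 5-day one.
if command -v openssl >/dev/null 2>&1; then
    make_self_signed "$WORKDIR/demo" 10
    echo "subject:  $(cert_subject "$WORKDIR/demo.pem")"
    echo "notAfter: $(cert_not_after "$WORKDIR/demo.pem")"
    echo "sha256:   $(cert_sha256_fingerprint "$WORKDIR/demo.pem")"
    for window in 30 5; do
        if cert_expires_within "$WORKDIR/demo.pem" "$window"; then
            echo "expires within $window days: yes"
        else
            echo "expires within $window days: no"
        fi
    done
else
    echo "openssl not found on PATH; nothing to demonstrate" >&2
fi
```

The inverted exit status in cert_expires_within is deliberate: -checkend reports success when the certificate is still good, whereas a monitoring check usually wants "true" to mean "action needed". Cutting the text before "=" keeps the helpers working across OpenSSL 1.1 and 3.x, whose labels differ only in case.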

HISTORY

The x509 utility is an integral part of the OpenSSL project, a robust, commercial-grade, full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. OpenSSL was originally based on SSLeay, developed by Eric A. Young and Tim J. Hudson. The x509 command has been a core component since the early days of OpenSSL, providing the fundamental capabilities for interacting with X.509 digital certificates, which are central to PKI and secure communication on the internet. Its development has mirrored the evolution of cryptographic standards and the widespread adoption of SSL/TLS.

SEE ALSO

openssl(1ssl), req(1ssl), ca(1ssl), pkcs12(1ssl), crl(1ssl)
