Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
727 views
in Technique[技术] by (71.8m points)

openssl - How to Check Subject Alternative Names for a SSL/TLS Certificate?

Is there a way to programmatically check the Subject Alternative Names of a SAN SSL cert?

Using, for instance, the following command I can get many info but not all the SANs:

openssl s_client -connect www.website.com:443 

Thank you very much!

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

To get the Subject Alternative Names (SAN) for a certificate, use the following command:

openssl s_client -connect website.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:

First, this command connects to the site we want (website.com, port 443 for SSL):

openssl s_client -connect website.com:443

Then pipe (|) that into this command:

openssl x509 -noout -text

This takes the certificate file and outputs all its juicy details. The -noout flag keeps it from outputting the (base64-encoded) certificate file itself, which we don't need. The -text flag tells it to output the certificate details in text form.

Normally there's a whole lot of output (signature, issuer, extensions, etc) that we don't care about, so then we pipe that into a simple grep:

grep DNS:

Since the SAN entries begin with DNS: this simply returns only the lines that contain that, stripping out all the other info and leaving us with the desired information.

You may note that the command does not cleanly exit; openssl s_client actually acts as a client and leaves the connection open, waiting for input. If you want it to immediately exit (e.g. to parse the output in a shell script) simply pipe echo into it:

echo | openssl s_client -connect website.com:443 | openssl x509 -noout -text | grep DNS:

How do I get the SAN directly from a file?

For this, you don't need the openssl s_client command. Just add -in MyCertificate.crt on the openssl x509 command and once again pipe through grep, e.g.:

openssl x509 -noout -text -in MyCertificate.crt | grep DNS:

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...