La commande suivante affiche toutes les informations du certificat indiqué :
$ openssl x509 -text -in mycert.pem
Qui a émis le certificat ?
$ openssl x509 -noout -in mycert.pem -issuer
issuer= /C=FR/ST=Loire Atlantique/L=Ancenis/CN=www.monsite.fr/emailAddress=toto@gmail.com
Pour qui a-t-il été émis ?
$ openssl x509 -noout -in mycert.pem -subject
subject= /C=FR/ST=Loire Atlantique/L=Ancenis/CN=www.monsite.fr/emailAddress=toto@gmail.com
Quelle est sa période de validité ?
$ openssl x509 -noout -in mycert.pem -dates
notBefore=Apr 9 15:28:28 2013 GMT
notAfter=Apr 9 15:28:28 2014 GMT
Toutes les infos précédentes :
$ openssl x509 -noout -in mycert.pem -issuer -subject -dates
issuer= /C=FR/ST=Loire Atlantique/L=Ancenis/CN=www.monsite.fr/emailAddress=toto@gmail.com
subject= /C=FR/ST=Loire Atlantique/L=Ancenis/CN=www.monsite.fr/emailAddress=toto@gmail.com
notBefore=Apr 9 15:28:28 2013 GMT
notAfter=Apr 9 15:28:28 2014 GMT
Quelle est sa valeur de hachage ?
$ openssl x509 -noout -in mycert.pem -hash
bf163efd
Quelle est son empreinte MD5 ?
$ openssl x509 -noout -in mycert.pem -fingerprint
SHA1 Fingerprint=C1:CD:DD:29:D1:8D:23:63:6D:3F:71:AD:7E:29:DE:26:FF:D4:11:17
Et à partir d'un certificat d'un site internet (plus de détail openssl : Récupérer un certificat distant)
$ echo | openssl s_client -connect quennec.fr:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout -in -
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:f8:64:c9:8c:bb:f8:c9:6a:fd:3f:b9:b2:42:a0:c5:9c:ab
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Validity
Not Before: Mar 11 07:02:14 2024 GMT
Not After : Jun 9 07:02:13 2024 GMT
Subject: CN = quennec.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b3:d3:a3:d3:f3:2c:f8:75:d0:71:5f:8f:8d:c4:
...
83:f0:69:50:7a:fe:ce:a5:48:64:e1:5a:41:a0:a3:
8b:25
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
F0:5D:1D:A5:87:7D:61:1D:AB:74:A4:DE:14:34:F4:D7:3A:52:56:F5
X509v3 Authority Key Identifier:
keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:*.quennec.fr, DNS:quennec.fr
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 3B:53:77:75:3E:2D:B9:80:4E:8B:30:5B:06:FE:40:3B:
67:D8:4F:C3:F4:C7:BD:00:0D:2D:72:6F:E1:FA:D4:17
Timestamp : Mar 11 08:02:14.835 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:C6:D5:B3:6D:A4:45:49:25:9B:47:C9:
21:20:61:57:67:E9:EB:5A:EB:3F:80:87:3E:EF:41:F6:
7C:CD:2C:46:61:02:21:00:D8:27:12:05:AF:5E:9A:0D:
91:E9:DA:C5:5A:27:27:25:1D:31:56:A3:6D:4D:26:21:
5D:E9:08:B0:5F:1E:5F:88
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34:
B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74
Timestamp : Mar 11 08:02:14.890 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:41:9E:16:0F:BF:95:4F:FA:23:4F:A4:06:
...
0F:CB:99:8B:E9:87
Signature Algorithm: sha256WithRSAEncryption
0c:dd:53:bc:97:e0:18:39:94:19:fa:28:7c:67:b9:35:a4:ca:
...
04:ee:d9:9