Raymii.org
OpenSSL get entire certificate chain from a domain or loop over entire chain in file
Published: 16-07-2024 18:30 | Author: Remy van Elst
The openssl x509 command can be used to get information from a certificate. If you supply a filename, the command will only use the topmost certificate in the file, not all certificates in the file, as in the case of a certificate chain. The openssl s_client -connect command can connect to a server and show all certificates served by that server. The command I'm providing in this snippet splits up all certificates found in a file or in the output of openssl s_client and allows openssl x509 to loop over each one individually.
The command I use to print the entire certificate chain from a domain is the following:
OLDIFS=$IFS; IFS=':' certificates=$(openssl s_client -connect raymii.org:443 -showcerts -tlsextdebug 2>&1 </dev/null | sed -n '/-----BEGIN/,/-----END/{/-----BEGIN/ s/^/:/; p}'); for certificate in ${certificates#:}; do echo $certificate | openssl x509 -noout -subject -issuer -ext subjectAltName; echo; done; IFS=$OLDIFS
Output:
subject=CN = raymii.org
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
X509v3 Subject Alternative Name:
DNS:raymii.org, DNS:www.raymii.org
subject=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
No extensions in certificate
subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
No extensions in certificate
If you have the certificates in a local file, for this example chain.pem, this is the command:
OLDIFS=$IFS; IFS=':' certificates=$(sed -n '/-----BEGIN/,/-----END/{/-----BEGIN/ s/^/:/; p}' chain.pem); for certificate in ${certificates#:}; do echo $certificate | openssl x509 -noout -subject; echo; done; IFS=$OLDIFS
Output:
subject=CN = raymii.org
subject=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
You can replace openssl x509 -noout -subject -issuer -ext subjectAltName by any option supported by openssl x509. For this example I chose to echo the subject, issuer and subjectAlternativeNames, but you get the gist.
Here's a breakdown of what the script does:
- OLDIFS=$IFS; IFS=':' - This changes the Internal Field Separator (IFS) to a colon (:). The IFS is a special shell variable used for word splitting after expansion and to split lines into words with the read built-in command. The original IFS is saved in OLDIFS to restore it later.
- certificates=$(openssl s_client [...] | sed -n '/-----BEG[...] s/^/:/; p}') - This uses the openssl command to connect to google.nl on port 443 and extract the SSL certificates. The sed command is used to format the output so that each certificate starts with a colon (:).
- for certificate in ${certificates#:}; do echo [...] - This loops over each certificate (split by : due to the IFS) and uses openssl to extract the subject alternative name, subject, and issuer of each certificate.
- IFS=$OLDIFS - This restores the original IFS.
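As an added example (not the article's own command), here is a small POSIX shell script that does the same splitting with awk into one file per certificate and then runs openssl x509 on each piece to check that the chain is served in the right order, i.e. that every certificate's issuer is the subject of the next one; the file names and output directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Splits a PEM bundle (e.g. the
# output of openssl s_client -showcerts) into one file per certificate and
# checks the chain order leaf-first. Paths and names are assumptions.

# split_pem_chain BUNDLE OUTDIR -> writes OUTDIR/cert-01.pem, cert-02.pem, ...
# and prints the number of certificates found. Anything outside
# BEGIN/END CERTIFICATE blocks (comments, private keys) is ignored.
split_pem_chain() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { close(f); inside = 0 }
        END { print n + 0 }
    ' "$bundle"
}

# cert_field FILE subject|issuer -> the field as printed by openssl x509,
# without the "subject=" / "issuer=" prefix.
cert_field() {
    openssl x509 -noout -"$2" -in "$1" | sed 's/^[a-z]*=//'
}

# check_chain_order OUTDIR -> prints each certificate's subject and returns 0
# when every issuer matches the subject of the following certificate (the
# last one may be self-signed or an intermediate whose root is in the trust
# store). On the first mismatch it reports the gap and returns 1.
check_chain_order() {
    prev_issuer=""
    for f in "$1"/cert-*.pem; do
        subject=$(cert_field "$f" subject)
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "gap or wrong order at $f: expected subject '$prev_issuer', got '$subject'"
            return 1
        fi
        prev_issuer=$(cert_field "$f" issuer)
        echo "$f: $subject"
    done
    return 0
}

# Usage: sh split_chain.sh chain.pem [outdir]
if [ $# -ge 1 ]; then
    dir=${2:-chain-parts}
    echo "$(split_pem_chain "$1" "$dir") certificate(s) written to $dir"
    check_chain_order "$dir"
fi
```

Run it on the chain.pem from the article to see each subject in order; a non-zero exit means the server sends the chain out of order or with a missing intermediate, which some clients reject.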