OpenSSL get entire certificate chain from a domain or loop over entire chain in file

Published: 16-07-2024 18:30 | Author: Remy van Elst


The openssl x509 command can be used to get information from a certificate. If you supply a filename, the command only reads the first certificate in the file and silently ignores the rest, which matters when the file holds a certificate chain. The openssl s_client -connect command can connect to a server and show all certificates that server sends. The command I'm providing in this snippet splits up all certificates found in a file, or in the output of openssl s_client, so that openssl x509 can be run over each one individually.


The command I use to print the entire certificate chain from a domain is the following:

OLDIFS=$IFS; IFS=':' certificates=$(openssl s_client -connect raymii.org:443 -showcerts -tlsextdebug 2>&1 </dev/null | sed -n '/-----BEGIN/,/-----END/{/-----BEGIN/ s/^/:/; p}'); for certificate in ${certificates#:}; do echo "$certificate" | openssl x509 -noout -subject -issuer -ext subjectAltName; echo; done; IFS=$OLDIFS

Output:

subject=CN = raymii.org
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
X509v3 Subject Alternative Name:
    DNS:raymii.org, DNS:www.raymii.org

subject=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
No extensions in certificate

subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
No extensions in certificate

If you have the certificates in a local file, for this example chain.pem, this is the command:

OLDIFS=$IFS; IFS=':' certificates=$(sed -n '/-----BEGIN/,/-----END/{/-----BEGIN/ s/^/:/; p}' chain.pem); for certificate in ${certificates#:}; do echo "$certificate" | openssl x509 -noout -subject; echo; done; IFS=$OLDIFS

Output:

subject=CN = raymii.org

subject=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

You can replace openssl x509 -noout -subject -issuer -ext subjectAltName with any option supported by openssl x509. For this example I chose to print the subject, issuer and subject alternative names, but you get the gist.

Here's a breakdown of what the script does:

  • OLDIFS=$IFS; IFS=':' - This changes the Internal Field Separator (IFS) to a colon. The IFS is a special shell variable used for word splitting after expansion and for splitting lines into words with the read built-in command. The original IFS is saved in OLDIFS so it can be restored later.

  • certificates=$(openssl s_client [...] | sed -n '/-----BEG[...] s/^/:/; p}') - This uses openssl s_client with -showcerts to connect to raymii.org on port 443 and print every certificate the server sends, not only the leaf. The sed command keeps only the lines between -----BEGIN and -----END (dropping the rest of the s_client output) and prefixes each certificate's BEGIN line with a :, so the certificates can later be split on that character.

  • for certificate in ${certificates#:}; do echo [...] - This strips the leading : and loops over each certificate (split on : because of the IFS), piping each one into openssl x509 to print its subject alternative names, subject, and issuer.

  • IFS=$OLDIFS - This restores the original IFS.
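The same split done with awk instead of the IFS trick, plus the check a practitioner usually wants once the chain is split: does each certificate's issuer match the subject of the next one? This is an added example, not code from the original post; pem_split and chain_order_ok are this example's own names, and the chain is assumed to be ordered leaf first, as openssl s_client -showcerts and a typical chain.pem deliver it.

```shell
#!/bin/sh
# Added example (not from the original post). pem_split replaces the
# IFS-based split; chain_order_ok walks the split certificates and compares
# issuer(i) with subject(i+1). openssl is only needed for the check.

# pem_split BUNDLE OUTDIR: write every BEGIN/END CERTIFICATE block found in
# BUNDLE ("-" reads stdin, e.g. piped from openssl s_client -showcerts) to
# OUTDIR/cert-N.pem, N starting at 1, and print the number of blocks found.
# Lines outside a block (s_client chatter, comments) are dropped.
pem_split() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        n && out                     { print > out }
        /-----END CERTIFICATE-----/  { close(out); out = "" }
        END                          { print n + 0 }
    ' "$1"
}

# chain_order_ok BUNDLE: return 0 when, for every certificate i, its issuer
# equals the subject of certificate i+1; return 1 and report every break
# otherwise. -nameopt RFC2253 prints both names in the same canonical form.
chain_order_ok() {
    dir=$(mktemp -d) || return 1
    count=$(pem_split "$1" "$dir")
    [ "$count" -gt 0 ] || { echo "no certificates found" >&2; rm -rf "$dir"; return 1; }
    status=0
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$dir/cert-$i.pem")
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$dir/cert-$((i + 1)).pem")
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "chain break: cert $i issuer [${issuer#issuer=}] != cert $((i + 1)) subject [${subject#subject=}]" >&2
            status=1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$status"
}

# Usage: sh chain-check.sh chain.pem
#    or: openssl s_client -connect raymii.org:443 -showcerts </dev/null 2>/dev/null | sh chain-check.sh -
if [ -n "${1:-}" ]; then
    chain_order_ok "$1" && echo "chain order OK"
fi
```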
