Can it be found out, what websites/domains an SSL (pem) certificate approves of?


The valid domain names for a certificate are stipulated in two places.

First is the Common Name (CN) which is part of the Subject field. There is only space for one name here, which means it can be a fixed name, such as www.example.com or a wildcard such as *.example.com.

The second is the Subject Alternative Name (SAN) extension, which lists additional names that the certificate is valid for. There are many options for the SAN field, but the one you'll be interested in is DNS.

If you look at the certificate GUI of most browsers, you should see both the Subject and the SAN fields.

To view them using OpenSSL simply run:

$ openssl x509 -noout -text -nameopt multiline -in <cert file>

Note that the -nameopt multiline is optional but makes it easier to read. The following example is from ssl.com as it contains a good example of the SAN:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            23:dd:f6:40:e2:ad:3f:24:2f:31:9c:c6:48:db:64:92
    Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            countryName               = US
            organizationName          = SSL.com
            organizationalUnitName    = Controlled by COMODO exclusively for SSL.com
            organizationalUnitName    = www.ssl.com
            commonName                = SSL.com Premium EV CA
        Validity
            Not Before: Mar 11 00:00:00 2016 GMT
            Not After : Nov 18 23:59:59 2016 GMT
        Subject:
            serialNumber              = NV20081614243
            jurisdictionCountryName   = US
            jurisdictionStateOrProvinceName = Texas
            jurisdictionLocalityName  = Houston
            businessCategory          = Private Organization
            countryName               = US
            postalCode                = 77025
            stateOrProvinceName       = Texas
            localityName              = Houston
            streetAddress             = Suite 286C
            streetAddress             = 2617 W Holcombe Blvd
            organizationName          = SSL Corp
            organizationalUnitName    = Security
            organizationalUnitName    = COMODO EV Multi-Domain SSL
            commonName                = www.ssl.com
        Subject Public Key Info:
...
            X509v3 Subject Alternative Name: 
                DNS:www.ssl.com, DNS:answers.ssl.com, DNS:faq.ssl.com, DNS:info.ssl.com, DNS:links.ssl.com, DNS:reseller.ssl.com, DNS:secure.ssl.com, DNS:ssl.com, DNS:support.ssl.com, DNS:sws.ssl.com, DNS:tools.ssl.com
...

Only the commonName Subject field is used as the name of the domain; all the other entries within Subject, such as the organizationalUnitName, are irrelevant, even though they look like domain names.

To retrieve all the certs and save them, try:

$ openssl s_client -showcerts -connect www.ssl.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | csplit - -z -f cert- '/-END CERTIFICATE-/1' '{*}'
Author: The Quantum Physicist

Updated on September 18, 2022

Comments

  • The Quantum Physicist
    The Quantum Physicist over 1 year

    A (non-wildcard) SSL certificate can be issued to match multiple domains and subdomains, like mysub1.example1.com, www.example2.com, and many others, all in one certificate with the same private key.

    Is it possible to get the list of domains for which a certificate is valid? How? Is that possible from a browser, or should I use the OpenSSL CLI?

    Please ask for more information if you need it. Honestly I don't know how to put the question in clear words and I'm willing to improve it.

  • The Quantum Physicist
    The Quantum Physicist almost 8 years
    Thank you for the response. Can this be done without downloading the certificate manually? Could you please provide the command that would do this with openssl s_client connect?
  • garethTheRed
    garethTheRed almost 8 years
    While openssl s_client -showcerts -connect www.ssl.com:443 will show the Subject and Issuer of all remote certificates in a chain, it won't show any extensions, therefore you won't be able to see the SAN. Similarly, gnutls-cli -print-certs www.ssl.com </dev/null displays the Subject and Issuer, but no SANs.
  • The Quantum Physicist
    The Quantum Physicist almost 8 years
    Last question. Could you please provide a way to download a certificate using openssl (or any other command line method)? Thanks.
  • garethTheRed
    garethTheRed almost 8 years
    Pipe the output of either of the two commands in my previous comment to sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > out.pem. out.pem will probably contain more than one certificate. You'll need to split them into individual files if you want to run them through the openssl x509 ... command in my answer otherwise only the first certificate will be displayed.
  • jww
    jww over 7 years
    "... The valid domain names for a certificate are stipulated in two places ... first is the Common Name (CN) which is part of the Subject field" - Placing a hostname in the CN is deprecated by both the IETF and CA/B Forums. If a hostname is in the CN, then it must be listed in the SAN, too. There's no need to check the CN unless it's a malformed certificate.
  • garethTheRed
    garethTheRed over 7 years
    @jww - Indeed, but if the certificate doesn't contain a SAN, it is still a valid certificate and the only place a relying party can check is the Subject CommonName.
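The following script is an added example, not part of the answer or the comments above. It puts the two steps discussed in this thread into shell functions: splitting a PEM file that holds a whole chain (as saved from openssl s_client -showcerts) into one file per certificate, and listing the Subject commonName followed by every DNS entry of the Subject Alternative Name extension for one certificate. Because it must run offline, it builds its own self-signed test certificates with openssl req -addext instead of fetching www.ssl.com; the hostnames, organisation names and file names are constructed, and the script assumes OpenSSL 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not the original answer's code): list the hostnames a PEM
# certificate is valid for, and split a multi-certificate chain first.
# Assumes OpenSSL 1.1.1+ (for 'req -addext') and POSIX awk/sed on PATH.
set -eu

# make_test_cert FILE CN SANLIST
# Writes a self-signed certificate with the given Subject CN and
# subjectAltName list, e.g. "DNS:a.example.com,DNS:b.example.com".
# Constructed test data only; a real server chain would come from
#   openssl s_client -showcerts -connect host:443 < /dev/null
# The OU deliberately looks like a hostname to show it is ignored.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1" \
    -subj "/O=Example Corp/OU=www.not-a-hostname.example/CN=$2" \
    -addext "subjectAltName=$3" 2>/dev/null
}

# split_chain CHAIN PREFIX
# 'openssl x509' only reads the first certificate in a file, so a chain
# must be split before each member can be inspected. Writes PREFIX-1.pem,
# PREFIX-2.pem, ... in the order the certificates appear.
split_chain() {
  awk -v p="$2" '
    /-BEGIN CERTIFICATE-/ { n++; f = p "-" n ".pem" }
    f                     { print > f }
    /-END CERTIFICATE-/   { close(f); f = "" }' "$1"
}

# cert_names PEM
# Prints the Subject commonName on the first line, then one line per DNS
# entry of the Subject Alternative Name extension. Other SAN types (IP,
# email, URI) and other Subject attributes are not hostnames and are skipped.
cert_names() {
  openssl x509 -noout -subject -nameopt multiline -in "$1" |
    sed -n 's/^ *commonName *= *//p'
  openssl x509 -noout -text -in "$1" |
    awk '/X509v3 Subject Alternative Name/ { getline; print }' |
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# demo: build a two-certificate "chain" from constructed certs, split it,
# and report the names of each member.
demo() {
  d=$(mktemp -d)
  make_test_cert "$d/leaf.pem" www.example.com \
    "DNS:www.example.com,DNS:example.com,DNS:*.api.example.com"
  make_test_cert "$d/issuer.pem" ca.example.net "DNS:ca.example.net"
  cat "$d/leaf.pem" "$d/issuer.pem" > "$d/chain.pem"
  split_chain "$d/chain.pem" "$d/cert"
  for c in "$d"/cert-*.pem; do
    echo "== $c"
    cert_names "$c"
  done
}

# Run the demo only when executed directly, not when sourced.
case "${0##*/}" in *.sh) demo ;; esac
```

The `cert_names` output intentionally repeats the CN when it also appears in the SAN, which is the normal case for a well-formed certificate; a name that shows up only in the first line and not below it is exactly the CN-only situation discussed in the last two comments.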