How to view all ssl certificates in a bundle?
Solution 1
http://comments.gmane.org/gmane.comp.encryption.openssl.user/43587 suggests this one-liner:

    openssl crl2pkcs7 -nocrl -certfile CHAINED.pem | openssl pkcs7 -print_certs -text -noout

It indeed worked for me, but I don't understand the details so can't say if there are any caveats.

Updated June 22:

For OpenSSL 1.1.1 and higher, a single-command answer can be found here: serverfault.com/a/1079893

    openssl storeutl -noout -text -certs bundle.crt
Solution 2
Java's keytool does the trick:

    keytool -printcert -v -file <certs.crt>
Annotation: Windows double-click does not work. Windows reads only the first certificate in the keystore and automatically extends the trust chain from its built-in certificate store.

Results:
- All certificates beyond the first in the .crt file are not shown.
- You may get a different trust chain displayed than you have in the .crt file. This may lead to wrong conclusions.
Solution 3
One-liner that displays a summary of every certificate in the file.

    openssl crl2pkcs7 -nocrl -certfile CHAINED.pem | openssl pkcs7 -print_certs -noout

It combines all the certificates into a single intermediate PKCS7 file, and then parses the information in each part of that file.
(The same as Beni's answer, but this gives shorter output, without the -text option.)

Example:

    $ openssl crl2pkcs7 -nocrl -certfile bundled.crt | openssl pkcs7 -print_certs -noout
    subject=/C=NL/postalCode=5705 CN/L=City/street=Example 20/O=Foobar B.V./OU=ICT/OU=Wildcard SSL/CN=*.example.com
    issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
    subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
    issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
    subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
    issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Roo
Solution 4
Following this FAQ led me to this perl script, which very strongly suggests to me that openssl has no native support for handling the nth certificate in a bundle, and that instead we must use some tool to slice-and-dice the input before feeding each certificate to openssl. This perl script, freely adapted from Nick Burch's script linked above, seems to do the job:
    #!/usr/bin/perl
    # script for splitting multi-cert input into individual certs
    # Artistic Licence
    #
    # v0.0.1 Nick Burch <[email protected]>
    # v0.0.2 Tom Yates <[email protected]>
    #
    use strict;
    use warnings;

    my $filename = shift;
    unless ($filename) {
        die("You must specify a cert file.\n");
    }
    open(my $inp, '<', $filename) or die("Unable to load \"$filename\"\n");

    # Accumulate lines until an END line (this also matches labels such as
    # "END TRUSTED CERTIFICATE"), hand that single PEM block to openssl x509,
    # then start collecting the next one.
    my $thisfile = "";
    while (<$inp>) {
        $thisfile .= $_;
        if ($_ =~ /^\-+END(\s\w+)?\sCERTIFICATE\-+$/) {
            print "Found a complete certificate:\n";
            print `echo \'$thisfile\' | openssl x509 -noout -text`;
            $thisfile = "";
        }
    }
    close($inp);
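An added example that is not from any of the answers above: the same slice-and-dice idea as the perl script and the crl2pkcs7 pipeline, written in Python so each PEM block of a concatenated bundle can be handed to openssl x509 one at a time. The function names, the optional openssl call and the sample bundle are assumptions of this example; the sample contains tiny constructed DER SEQUENCEs, not real certificates, and only the describe() helper needs openssl on PATH.

```python
import base64
import re
import shutil
import subprocess

# One PEM block; the label group also accepts e.g. "TRUSTED CERTIFICATE",
# the same END-label variants the perl script's regex allows.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>(?:\w+ )?CERTIFICATE)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)

def split_bundle(text):
    """Return each certificate of a concatenated PEM bundle as its own PEM string.
    Text between blocks is ignored; a block whose body is not base64 of a DER
    SEQUENCE (first byte 0x30) is skipped instead of being handed to openssl."""
    certs = []
    for m in PEM_BLOCK.finditer(text):
        try:
            der = base64.b64decode("".join(m.group("body").split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if not der or der[0] != 0x30:
            continue
        certs.append(m.group(0) + "\n")
    return certs

def describe(pem, fields=("-subject", "-issuer", "-enddate")):
    """Feed ONE PEM block to openssl x509 (what the perl/awk answers do per block).
    Returns its stdout, or None when openssl is absent or rejects the block."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "x509", "-noout", *fields],
                          input=pem, capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None

# Constructed sample bundle (hypothetical, NOT real certificates): two tiny DER
# SEQUENCEs, one under the TRUSTED label, a comment line and one junk block.
SAMPLE_BUNDLE = """# comment line, as some distro bundles contain
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN TRUSTED CERTIFICATE-----
MAMCAQI=
-----END TRUSTED CERTIFICATE-----
-----BEGIN CERTIFICATE-----
!!!notbase64!!!
-----END CERTIFICATE-----
"""
```

On a real bundle, `for cert in split_bundle(open("bundle.crt").read()): print(describe(cert))` lists every certificate, whereas `openssl x509 -in bundle.crt` alone stops after the first.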
Solution 5
    openssl storeutl -noout -text -certs bundle.crt

Paraphrasing from the OpenSSL documentation:

The openssl storeutl app was added in OpenSSL 1.1.1. The storeutl command can be used to display the contents fetched from the given URIs.
- -noout prevents output of the PEM data
- -text prints out the objects in text form, like the -text output from openssl x509
- -certs only select the certificates from the given URI
pdeva, updated on September 18, 2022

Comments
- pdeva, over 1 year: I have a certificate bundle .crt file. Doing

      openssl x509 -in bundle.crt -text -noout

  only shows the root certificate. How do I see all the other certificates?
- Raghu Dodda, over 8 years: The print redirection feature in awk is available in gawk and nawk but not in basic awk. And so, this would work on Linux (gawk is linked as awk), but might not on OS X which has basic awk.
- Chris Wolf, about 8 years: This is the best answer - I won't even post my over-kill Python solution! Leave out the "-text" to just get subject/issuer info for each certificate.
- Manav, almost 8 years: Just for fun:

      cat bundle.crt | awk -v cmd="openssl x509 -subject -noout" '/-----BEGIN/ { c = $0; next } c { c = c "\n" $0 } /-----END/ { print c|cmd; close(cmd); c = 0 }'

- OrangeDog, almost 7 years: Tried it on /etc/ssl/certs/ca-certificates.crt and got "unable to load PKCS7 object".
- Nick.McDermaid, over 6 years: Thanks for clarifying the Windows thing. This was really confusing the hell out of me.
- Yetanotherjosh, about 6 years: Isn't this for pkcs7 format, whereas the question is about x509 format bundles?
- Beni Cherniavsky-Paskin, about 6 years: It only uses pkcs7 as intermediate. Input is concatenated PEM.
- FooBee, about 6 years: This needs better explanations.
- Julien, almost 5 years: @OrangeDog worked for me:

      $ openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs -noout | grep -c subject

  returned 152 on Ubuntu 16.04.5 LTS.
- kapad, over 4 years: I've tested this command on a Linux ca-bundle.crt file and can confirm that it works and displays the information for all the certs in the bundle.
- Gavin S. Yancey, over 4 years: I get

      Invalid command 'cr12pkcs7'; type "help" for a list.

  Does this require a new-ish version of openssl?
- Gavin S. Yancey, over 4 years: For the benefit of posterity, that's "CRL 2", not "CR 12" -- crl2pkcs7
- Beni Cherniavsky-Paskin, over 4 years: CRL stands for Certificate Revocation List, and 2 is "to", per the "foo2bar" convention. But we use it in -nocrl mode in which there is no CRL involved, just a set of certs.
- ny195, almost 4 years: Wait, so openssl supports displaying multiple certs from a pkcs7 file but not from a pem file? That's really weird; I wonder why.
- user2751502, over 3 years: ...such as how this is different from serverfault.com/a/755815/27515
- JelteF, over 3 years: @larsks It's the same except for not having the -text flag. That way it spits out less info (most of which is probably useless to you).
- dave_thompson_085, about 3 years: Simpler:

      awk <bundle.crt -v cmd="openssl x509 -whatever" '/^-----BEGIN/,/^-----END/ {print|cmd} /^-----END/ {close(cmd)}'

  and if there isn't extraneous material after the last PEM block (or you don't mind a spurious error message) you can omit the first range as well. (@Manav)
- dave_thompson_085, about 3 years: print (and printf) redirection in awk is POSIX, and while I don't have Mac, it works in FreeBSD 10 awk and Solaris 11 both oawk and nawk, as well as GNU awk. But see serverfault.com/a/754668/216633 (and comments) for versions that don't need temp files.
- marshel111, almost 3 years: When piped from stdin use -certfile /dev/stdin (if your shell supports it), e.g.:

      get the bundle | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -text -noout

- bjoster, over 2 years: This does not provide an answer to the question. Once you have sufficient reputation you will be able to comment on any post; instead, provide answers that don't require clarification from the asker. - From Review
- Nikita Kipriyanov, over 2 years: @bjoster, had you tried to run the said command? It seems this answer not only answers the question, it is the most correct answer, shortest, simplest and doing exactly what was asked.
- ruckc, over 2 years: This should definitely be the answer, though a few extra words describing the solution or demonstrating the solution would help.
- bjoster, over 2 years: This answer is (technically) on point, but an explanation of what it does (and why) would be very helpful.
- AnthonyK, over 2 years: Wow - bjoster just went at you @gillyb yet this answer is exactly what I was looking for.
- Admin, almost 2 years: This answer is outdated. The (now) correct answer is below at serverfault.com/a/1079893/22361