How to view all ssl certificates in a bundle?


Solution 1

http://comments.gmane.org/gmane.comp.encryption.openssl.user/43587 suggests this one-liner:

openssl crl2pkcs7 -nocrl -certfile CHAINED.pem | openssl pkcs7 -print_certs -text -noout

It indeed worked for me, but I don't understand the details so can't say if there are any caveats.

Updated June 22:

for openssl 1.1.1 and higher: a single-command answer can be found here serverfault.com/a/1079893 (openssl storeutl -noout -text -certs bundle.crt)

Solution 2

Java's keytool does the trick:

keytool -printcert -v -file <certs.crt>

Annotation: Windows double-click does not work. Windows reads only the first certificate in the keystore and automatically extends the trust chain from its built-in certificate store.

Results:

  1. All certificates beyond the first one in the .crt file are not shown
  2. You may get a different trust chain displayed than the one you have in the .crt file. This may lead to wrong conclusions.

Solution 3

One-liner that displays a summary of every certificate in the file.

openssl crl2pkcs7 -nocrl -certfile CHAINED.pem | openssl pkcs7 -print_certs -noout

It combines all the certificates into a single intermediate PKCS7 file, and then parses the information in each part of that file.

(The same as Beni's answer, but this gives shorter output, without the -text option).

example:

$ openssl crl2pkcs7 -nocrl -certfile bundled.crt | openssl pkcs7 -print_certs -noout

subject=/C=NL/postalCode=5705 CN/L=City/street=Example 20/O=Foobar B.V./OU=ICT/OU=Wildcard SSL/CN=*.example.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA

subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority

subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Roo

Solution 4

Following this FAQ led me to this perl script, which very strongly suggests to me that openssl has no native support for handling the nth certificate in a bundle, and that instead we must use some tool to slice-and-dice the input before feeding each certificate to openssl. This perl script, freely adapted from Nick Burch's script linked above, seems to do the job:

#!/usr/bin/perl
# script for splitting multi-cert input into individual certs
# Artistic Licence
#
# v0.0.1         Nick Burch <[email protected]>
# v0.0.2         Tom Yates <[email protected]>
#
use strict;
use warnings;

my $filename = shift;
unless ($filename) {
  die("You must specify a cert file.\n");
}
open(my $inp, '<', $filename) or die("Unable to load \"$filename\"\n");

my $thisfile = "";   # lines of the PEM block currently being collected

while (my $line = <$inp>) {
   $thisfile .= $line;
   # "-----END CERTIFICATE-----" (or e.g. "-----END TRUSTED CERTIFICATE-----")
   # closes one block: hand it to openssl and start collecting the next one
   if ($line =~ /^-+END(\s\w+)?\sCERTIFICATE-+\r?$/) {
      print "Found a complete certificate:\n";
      # write the block to openssl's stdin directly rather than through
      # `echo '...'`, so its contents never pass through the shell
      open(my $ossl, '|-', 'openssl', 'x509', '-noout', '-text')
        or die("Unable to run openssl: $!\n");
      print $ossl $thisfile;
      close($ossl);
      $thisfile = "";
   }
}
close($inp);
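
The following is an added example and is not code from any of the answers above; it serves Solutions 1, 3 and 4 (splitting a concatenated PEM bundle so each certificate can be inspected) and the caveat in Solution 2 (the chain you see in a viewer is not necessarily the chain in the file). `openssl x509` only ever reads the first BEGIN/END block of its input, so the bundle is split with awk and each block is handed to `openssl x509` on its own; a second function then checks that the bundle is in the order a TLS server expects (leaf first, every certificate's issuer equal to the subject of the certificate that follows). It assumes the `openssl` command-line tool and a POSIX awk. The function names and the `Test-CA` / `leaf.example.test` sample chain are made up for this example; the sample chain is generated at run time because no real certificate is embedded here.

```shell
#!/bin/sh
# Added example, not code from the answers on this page. Splits a PEM bundle
# with awk (openssl x509 reads only the first block), inspects every block,
# and checks leaf-first ordering. Assumes the openssl CLI and a POSIX awk;
# function names and the Test-CA / leaf.example.test chain are made up here.
set -eu

# split_pem_bundle BUNDLE OUTDIR
# Copies each "BEGIN [TRUSTED] CERTIFICATE" block into OUTDIR/cert-N.pem
# (N from 1) and prints the number of blocks. Other PEM blocks such as
# PRIVATE KEY are skipped on purpose.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN (TRUSTED )?CERTIFICATE-----/ {
            n++; out = dir "/cert-" n ".pem"; inblock = 1
        }
        inblock { print > out }
        /^-----END (TRUSTED )?CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# cert_field CERTFILE subject|issuer
# Prints the DN in RFC 2253 form without the "subject=" / "issuer=" prefix
# (and the space some openssl versions put after "="), so DNs compare as strings.
cert_field() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# describe_bundle BUNDLE
# Prints subject, issuer, expiry and SHA-256 fingerprint of every certificate.
describe_bundle() {
    dir=$(mktemp -d)
    count=$(split_pem_bundle "$1" "$dir")
    i=1
    while [ "$i" -le "$count" ]; do
        echo "--- certificate $i of $count"
        openssl x509 -in "$dir/cert-$i.pem" -noout -nameopt RFC2253 \
            -subject -issuer -enddate -fingerprint -sha256
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# check_chain_order BUNDLE
# Returns 0 when certificate N is issued by certificate N+1 for every N
# (leaf, intermediates, root); returns 1 and reports each mismatch otherwise.
# This compares names only; it does not verify signatures.
check_chain_order() {
    dir=$(mktemp -d)
    count=$(split_pem_bundle "$1" "$dir")
    status=0
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(cert_field "$dir/cert-$i.pem" issuer)
        next=$(cert_field "$dir/cert-$((i + 1)).pem" subject)
        if [ "$issuer" != "$next" ]; then
            echo "cert $i is issued by '$issuer' but cert $((i + 1)) is '$next'" >&2
            status=1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$status"
}

# make_sample_bundle OUTFILE [reversed]
# Constructed test data: a self-signed "Test-CA" and a leaf it signs, written
# leaf-first, or root-first (wrong for a server) when "reversed" is given.
make_sample_bundle() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Test-CA \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=leaf.example.test \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$work/leaf.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
        -CAcreateserial -days 1 -out "$work/leaf.pem" 2>/dev/null
    if [ "${2:-}" = reversed ]; then
        cat "$work/ca.pem" "$work/leaf.pem" > "$1"
    else
        cat "$work/leaf.pem" "$work/ca.pem" > "$1"
    fi
    rm -rf "$work"
}

# Stand-alone demo: inspect the sample chain in both orderings.
demo() {
    good=$(mktemp); bad=$(mktemp)
    make_sample_bundle "$good"
    make_sample_bundle "$bad" reversed
    describe_bundle "$good"
    check_chain_order "$good" && echo "leaf-first bundle: chain order OK"
    check_chain_order "$bad" || echo "root-first bundle: wrong order for a server"
    rm -f "$good" "$bad"
}
demo
```

Swap `-subject -issuer -enddate -fingerprint -sha256` for `-text` in `describe_bundle` to get the full dump the crl2pkcs7 pipeline gives. The ordering check only makes sense for a chain file that a server will present; on a trust store such as `/etc/ssl/certs/ca-certificates.crt` (a set of unrelated roots, as discussed in the comments) it will report a mismatch for nearly every pair, while `split_pem_bundle` and `describe_bundle` still work on it.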

Solution 5

openssl storeutl -noout -text -certs bundle.crt

Paraphrasing from the OpenSSL documentation:

The openssl storeutl app was added in OpenSSL 1.1.1.

The storeutl command can be used to display the contents fetched from the given URIs.

  • -noout prevents output of the PEM data
  • -text prints the objects in text form, like the -text output of openssl x509
  • -certs selects only the certificates from the given URI
Author: pdeva

Updated on September 18, 2022
Comments

  • pdeva
    pdeva over 1 year

    I have a certificate bundle .crt file.

    doing openssl x509 -in bundle.crt -text -noout only shows the root certificate.

    how do i see all the other certificates?

  • Raghu Dodda
    Raghu Dodda over 8 years
    The print redirection feature in awk is available in gawk and nawk but not in basic awk. And so, this would work on Linux (gawk is linked as awk), but might not on OS X which has basic awk.
  • Chris Wolf
    Chris Wolf about 8 years
    This is the best answer - I won't even post my over-kill Python solution! Leave out the "-text" to just get subject/issuer info for each certificate.
  • Manav
    Manav almost 8 years
    Just for fun: cat bundle.crt | awk -v cmd="openssl x509 -subject -noout" '/-----BEGIN/ { c = $0; next } c { c = c "\n" $0 } /-----END/ { print c|cmd; close(cmd); c = 0 }'.
  • OrangeDog
    OrangeDog almost 7 years
    Tried it on /etc/ssl/certs/ca-certificates.crt and got unable to load PKCS7 object
  • Nick.McDermaid
    Nick.McDermaid over 6 years
    Thanks for clarifying the windows thing. This was really confusing the hell out of me
  • Yetanotherjosh
    Yetanotherjosh about 6 years
    Isn't this for pkcs7 format, whereas the question is about x509 format bundles?
  • Beni Cherniavsky-Paskin
    Beni Cherniavsky-Paskin about 6 years
    It only uses pkcs7 as intermediate. Input is concatenated PEM.
  • FooBee
    FooBee about 6 years
    This needs better explanations
  • Julien
    Julien almost 5 years
    @OrangeDog worked for me $ openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs -noout | grep -c subject returned 152 on Ubuntu 16.04.5 LTS
  • kapad
    kapad over 4 years
    I've tested this command on a linux ca-bundle.crt file and can confirm that it works and displays the information for all the certs in the bundle.
  • Gavin S. Yancey
    Gavin S. Yancey over 4 years
    I get Invalid command 'cr12pkcs7'; type "help" for a list. Does this require a new-ish version of openssl?
  • Gavin S. Yancey
    Gavin S. Yancey over 4 years
    For the benefit of posterity, that's "CRL 2", not "CR 12" -- crl2pkcs7
  • Beni Cherniavsky-Paskin
    Beni Cherniavsky-Paskin over 4 years
    CRL stands for Certificate Revocation List, and 2 is "to", per the "foo2bar" convention. But we use it in -nocrl mode in which there is no CRL involved, just a set of certs.
  • ny195
    ny195 almost 4 years
    Wait, so openssl supports displaying multiple certs from a pkcs7 file but not from a pem file? That's really weird; I wonder why.
  • user2751502
    user2751502 over 3 years
    ...such as how this is different from serverfault.com/a/755815/27515
  • JelteF
    JelteF over 3 years
    @larsks It's the same except for not having the -text flag. That way it spits out less info (most of which is probably useless to you)
  • dave_thompson_085
    dave_thompson_085 about 3 years
    Simpler: awk <bundle.crt -v cmd="openssl x509 -whatever" '/^-----BEGIN/,/^-----END/ {print|cmd} /^-----END/ {close(cmd)}' and if there isn't extraneous material after the last PEM block (or you don't mind a spurious error message) you can omit the first range as well. (@Manav)
  • dave_thompson_085
    dave_thompson_085 about 3 years
    print (and printf) redirection in awk is POSIX, and while I don't have Mac, it works in FreeBSD 10 awk and Solaris 11 both oawk and nawk, as well as GNU awk. But see serverfault.com/a/754668/216633 (and comments) for versions that don't need temp files.
  • marshel111
    marshel111 almost 3 years
When piped from stdin use -certfile /dev/stdin (if your shell supports it), e.g.: get the bundle | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -text -noout
  • bjoster
    bjoster over 2 years
    This does not provide an answer to the question. Once you have sufficient reputation you will be able to comment on any post; instead, provide answers that don't require clarification from the asker. - From Review
  • Nikita Kipriyanov
    Nikita Kipriyanov over 2 years
    @bjoster, had you tried to run the said command? It seems this answer not only answers the question, it is the most correct answer, shortest, simplest and doing exactly what was asked.
  • ruckc
    ruckc over 2 years
    This should definitely be the answer, though a few extra words describing the solution or demonstrating the solution would help.
  • bjoster
    bjoster over 2 years
    This answer is (technically) on point, but an explanation what it does (and why) would be very helpful.
  • AnthonyK
    AnthonyK over 2 years
    Wow - bjolster just went at you @gillyb yet this answer is exactly what I was looking for.
  • Admin
    Admin almost 2 years
    This answer is outdated. The (now) correct answer is below at serverfault.com/a/1079893/22361