`openssl`: Subject Alternative Name
Solution 1
This might not work under every circumstance, but try
openssl s_client -connect google.com:443 2>&1 | openssl x509 -text | grep DNS
Solution 2
What @stuart-p-bentley wrote got me thinking and I came up with this way of getting a comma-delimited list of "Subject Alternative Names" using openssl, awk and tr. The sed line in his answer does not work on FreeBSD, for example.
openssl s_client -connect google.com:443 2>&1 | openssl x509 -text | awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0); print}' | tr -d "DNS:"
Here is what you get with google.com
*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gvt1.com,*.gvt2.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com
Solution 3
Here's a version that will work in every circumstance (and strips leading space):
openssl s_client -connect google.com:443 2>&1 | openssl x509 -text |
sed -nr '/^ {12}X509v3 Subject Alternative Name/{n;s/^ *//p}'
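Tying the answers and the comment thread together, here is an added example (not code from any of the answers above) of a POSIX shell/awk extractor that splits the SAN line into its entries and keeps only those of one chosen type. This avoids the two weaknesses discussed on this page: `tr -d "DNS:"` deletes the characters D, N, S and `:` rather than the string, and a SAN list may also carry `IP Address:`, `email:` or `URI:` entries that should not end up in a DNS-name list. The `fetch_cert_text` helper, the `SAN_HOST` variable and the certificate text are assumptions constructed for the example; the sample is not a real certificate.

```shell
#!/bin/sh
# Added example, not code from any of the answers above.
# Extract Subject Alternative Name entries of one type from `openssl x509 -text` output.

# Fetch a server's leaf certificate as text. Assumes a host:port argument and network access;
# -servername sends SNI so the right certificate is returned, </dev/null ends the s_client session.
fetch_cert_text() {
  openssl s_client -servername "${1%%:*}" -connect "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -text
}

# Read `openssl x509 -text` on stdin; print the SAN values whose type prefix is $1
# ("DNS", "IP Address", "email", "URI", ...) as one comma-separated line.
san_entries() {
  awk -v type="$1" '
    # The SAN values sit on the line after the extension header.
    /X509v3 Subject Alternative Name/ { getline; sans = $0; exit }
    END {
      n = split(sans, parts, /,/)
      out = ""
      for (i = 1; i <= n; i++) {
        entry = parts[i]
        sub(/^[ \t]+/, "", entry)   # indentation or the space after a comma
        sub(/[ \t]+$/, "", entry)
        # Keep only "<type>:<value>"; IPv6 values contain colons, so match the prefix
        # instead of splitting on ":".
        if (index(entry, type ":") == 1) {
          value = substr(entry, length(type) + 2)
          out = (out == "") ? value : out "," value
        }
      }
      print out
    }'
}

# Constructed sample of `openssl x509 -text` output (not a real certificate), with a mixed SAN list.
SAMPLE_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.test, DNS:*.example.test, IP Address:192.0.2.10, IP Address:2001:DB8:0:0:0:0:0:1, email:hostmaster@example.test
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'

# Run against the sample by default; set SAN_HOST=host:port to query a live server instead.
if [ -n "${SAN_HOST:-}" ]; then
  cert_text=$(fetch_cert_text "$SAN_HOST")
else
  cert_text=$SAMPLE_TEXT
fi
printf 'DNS names:    %s\n' "$(printf '%s\n' "$cert_text" | san_entries DNS)"
printf 'IP addresses: %s\n' "$(printf '%s\n' "$cert_text" | san_entries "IP Address")"
```

On the sample, `san_entries DNS` yields `example.test,*.example.test` and `san_entries "IP Address"` yields `192.0.2.10,2001:DB8:0:0:0:0:0:1`; a certificate without the extension yields an empty line rather than an error. `openssl x509` only parses the first PEM block on its input, which for `s_client` output is the server's leaf certificate, so intermediate certificates in the chain do not contribute names. On OpenSSL 1.1.1 and later, `openssl x509 -noout -ext subjectAltName` prints just that extension, which makes the awk match even less likely to collide with other fields.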
Mathias Bynens
I work on Chrome and web standards at Google. ♥ JavaScript, HTML, CSS, HTTP, performance, security, Bash, Unicode, macOS.
Updated on September 18, 2022
Comments
-
Mathias Bynens over 1 year
I wrote this bit of code to get the Common Name of the subject field in the SSL certificate for a given domain:
$ echo -e "GET / HTTP/1.1\nEOT" | \
    openssl s_client -connect google.com:443 2>&1 | \
    grep subject
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
However, this only gives me the “subject” value. Alternative CNs may be listed in the “Subject Alternative Name” field. For example:
So, how can I get the value of the Subject Alternative Name field in Bash?
-
Mathias Bynens about 11 years
Thanks so much! `openssl x509 -text` is what I was looking for. I guess I was Googling for the wrong keywords.
-
Mathias Bynens over 9 years
Can you be more specific about what kind of issues this works around (that the other answer doesn’t)? Thanks!
-
Andor over 9 years
Unlike the other answer, this doesn't inadvertently include other fields that contain "DNS" (such as what you could encounter running the other answer for the certificate of a service that provides DNS).
-
Andor over 9 years
`tr -d "DNS:"` is not a good solution to get all the domains in the SAN, as the SAN field may contain other kinds of values than DNS, such as IP addresses. I don't know how you'd do it with awk, but
sed -nr '/^ {12}X509v3 Subject Alternative Name/{n; s/(^|,) *DNS:/,/g; s/(^|,) [^,]*//gp}'
is how I did it with sed here.
-
Andor over 9 years
The equivalent awk translation would probably be
awk '/^ {12}X509v3 Subject Alternative Name/ {getline; gsub(/(^|,) *DNS:/, ",", $0); gsub(/(^|,) [^,]*/, "", $0); print}'
though I don't know why that would be any better than using sed (I can't see why the sed wouldn't work on FreeBSD, unless you need to use `-nE` instead of `-nr` due to being on an old version).
-
Andor almost 9 years
Another reason `tr -d "DNS:"` is not a good solution is because `tr -d` deletes sets of characters, not strings. You might as well do `tr -d ":A-Z"`. (While you're at it, throw out the `gsub(/ /, "", $0);` and add spaces to the set for deletion. Or just do all your deletion in the `awk` command in the first place, where you can do it with strings and patterns - at which point you reach my previous comment's code.)
-
Andor almost 9 years
(The code referenced at the end of my first comment has moved to github.com/plushu/plushu-app-nginx-servers/blob/master/hooks/… .)