OpenSSL get entire certificate chain from a domain or loop over entire chain in file
Published: 16-07-2024 18:30 | Author: Remy van Elst
The openssl x509 command can be used to get information from a certificate. If you supply a filename, the command will only use the topmost certificate in the file, not all certificates in the file, as in the case of a certificate chain. The openssl s_client -connect command can connect to a server and show all certificates served by that server. The command I'm providing in this snippet splits up all certificates found in a file or in the output of openssl s_client and allows openssl x509 to loop over each one individually.
The command I use to print the entire certificate chain from a domain is the following:
OLDIFS=$IFS; IFS=':' certificates=$(openssl s_client -connect raymii.org:443 -showcerts -tlsextdebug 2>&1 </dev/null | sed -n '/-----BEGIN/,/-----END/{/-----BEGIN/ s/^/:/; p}'); for certificate in ${certificates#:}; do echo $certificate | openssl x509 -noout -subject -issuer -ext subjectAltName; echo; done; IFS=$OLDIFS
Output:
subject=CN = raymii.org
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
X509v3 Subject Alternative Name:
DNS:raymii.org, DNS:www.raymii.org
subject=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
No extensions in certificate
subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
No extensions in certificate
If you have the certificates in a local file, for this example chain.pem, this is the command:
OLDIFS=$IFS; IFS=':' certificates=$(sed -n '/-----BEGIN/,/-----END/{/-----BEGIN/ s/^/:/; p}' chain.pem); for certificate in ${certificates#:}; do echo $certificate | openssl x509 -noout -subject; echo; done; IFS=$OLDIFS
Output:
subject=CN = raymii.org
subject=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
You can replace openssl x509 -noout -subject -issuer -ext subjectAltName with any option supported by openssl x509. For this example I chose to print the subject, issuer and subject alternative names, but you get the gist.
Here's a breakdown of what the script does:

OLDIFS=$IFS; IFS=':' - This changes the Internal Field Separator (IFS) to ':'. The IFS is a special shell variable used for word splitting after expansion and to split lines into words with the read built-in command. The original IFS is saved in OLDIFS to restore it later.

certificates=$(openssl s_client [...] | sed -n '/-----BEG[...] s/^/:/; p}') - This uses the openssl command to connect to raymii.org on port 443 and extract the SSL certificates. The sed command keeps only the lines between the BEGIN and END markers and prepends a ':' to every BEGIN line, so that each certificate starts with a ':'.

for certificate in ${certificates#:}; do echo [...] - ${certificates#:} strips the leading ':' from the first certificate; the loop then visits each certificate (split by ':' due to the IFS) and uses openssl to extract the subject alternative name, subject, and issuer of each certificate.

IFS=$OLDIFS - This restores the original IFS.
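A longer variant of the same idea, added here as an example and not part of the original article: instead of the IFS trick, awk copies each PEM block from a file (or from stdin, via '-') into its own temporary file, openssl x509 then prints the same fields per certificate, and a textual check warns when a certificate's issuer does not match the subject of the next certificate, which catches a server that sends its chain out of order or leaves an intermediate out. The function names and the cert-N.pem file layout are my own assumptions; the script needs only a POSIX sh, awk, sed, mktemp and openssl.

```shell
#!/bin/sh
# Added example, not the article's own script. Splits a PEM bundle (file or
# stdin) into one file per certificate with awk, then walks the chain with
# openssl x509. Function names and the cert-N.pem layout are assumptions.

# split_pem_chain INPUT OUTDIR
# Copies every BEGIN/END CERTIFICATE block from INPUT (a path, or '-' for
# stdin) to OUTDIR/cert-1.pem, cert-2.pem, ... and prints how many it wrote.
# Lines outside a PEM block, such as the " 0 s:..." lines that
# openssl s_client -showcerts prints between certificates, are dropped.
split_pem_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inpem = 1 }
        inpem                         { print > out }
        /-----END CERTIFICATE-----/   { inpem = 0; close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# inspect_chain OUTDIR COUNT
# Prints subject, issuer and SANs of each certificate, like the one-liner in
# the article, and returns 1 if any certificate's issuer string differs from
# the next certificate's subject string (chain out of order or incomplete).
inspect_chain() {
    dir=$1; count=$2; i=1; rc=0
    while [ "$i" -le "$count" ]; do
        cert="$dir/cert-$i.pem"
        echo "--- certificate $i ---"
        openssl x509 -in "$cert" -noout -subject -issuer -ext subjectAltName
        if [ "$i" -lt "$count" ]; then
            issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')
            next=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject | sed 's/^subject=//')
            if [ "$issuer" != "$next" ]; then
                echo "WARNING: issuer of certificate $i is not the subject of certificate $((i + 1))" >&2
                rc=1
            fi
        fi
        i=$((i + 1))
    done
    return "$rc"
}

# Usage: sh chain.sh chain.pem
#    or: openssl s_client -connect raymii.org:443 -showcerts </dev/null 2>/dev/null | sh chain.sh -
if [ "$#" -gt 0 ]; then
    tmp=$(mktemp -d) || exit 1
    n=$(split_pem_chain "$1" "$tmp")
    echo "found $n certificate(s)"
    inspect_chain "$tmp" "$n"; status=$?
    rm -rf "$tmp"
    exit "$status"
fi
```

The issuer/subject comparison is a string comparison of the distinguished names as openssl prints them, not a signature check: it tells you whether the served chain is in the order the TLS RFCs expect and whether an intermediate is missing, which is what most "works in browser X, fails in client Y" reports come down to. For cryptographic validation of the same chain, feed the leaf and the intermediates to openssl verify (the intermediates via -untrusted) against your trust store.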