64

I can use the following command to display the certificate in a PEM file:

openssl x509 -in cert.pem -noout -text

But it will only display the information of the first certificate. A PEM file may also contain a certificate chain. How can I display all contained certificates?

4 Answers

88

The openssl command (specifically, its openssl x509 subcommand, among others) is polite with its data stream: once it reads data, it doesn't read more than it needs.

This allows chaining multiple openssl commands like this:

while openssl x509 -noout -text; do :; done < cert-bundle.pem

This will display all bundled certs in the file cert-bundle.pem (and end with an error when there's no more input available, but that just shows how it's working).

  • Can you explain what exactly this loop does? Am I right that this will only work as long as openssl does not read the input as a whole, but line by line until it is able to read one certificate, so that it reads one certificate at each iteration? Commented Mar 22, 2022 at 7:08
  • @stackprotector I'm stating that openssl always reads the minimal information. This property allows chaining openssl multiple times when receiving more than one cert. Another example: openssl s_client -connect unix.stackexchange.com:443 -showcerts </dev/null | while openssl x509 -noout -subject 2>/dev/null; do : ; done to display only the cert names from unix.stackexchange.com (server's + 1 intermediate). This property can also be used in other use cases, e.g. to build a dynamic configuration for a CSR: openssl req ... -config <(some commands) (using bash). But I don't know if it's explicitly documented. Commented Mar 22, 2022 at 13:22
  • I mean that openssl behaves well with input data: it doesn't attempt to seek (in the lseek(2) sense) nor to consume data that won't be used. Commented Mar 22, 2022 at 13:25
  • This type of code is hard to read and hard to extend. Could it be changed so that no code is executed inside the while loop condition? (For example, so I could do something with the output other than print it to the console.) Commented Nov 2, 2022 at 9:22
  • Let me give an example. Say I want to see only the first 10 lines of the openssl output (for each cert). I can't pipe the output to 'head' or try to put it in a variable; that makes the code cause errors. It's given as-is, and I don't understand how it works. Not the openssl part, the BASH part. Bash syntax is notoriously nasty. I've just spent the last 4 hours trying to do this simple thing, gave up and wrote a program instead. Commented Nov 2, 2022 at 13:26
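The commenters above want the per-certificate output as an ordinary pipeline stage (so it can be piped to head or captured in a variable) rather than being produced inside the loop condition. The following is an added example, not code from the answer or its commenters: it splits a bundle into numbered certificate blocks with awk, then runs an arbitrary command once per block with that block on stdin. The function names (pem_count, pem_nth, pem_each, make_sample_bundle) are this example's own, and the embedded bundle is a constructed placeholder whose base64 bodies are not real certificates, so it only exercises the splitting; point it at a real bundle to run openssl on each block.

```shell
#!/bin/sh
# Added example (not part of the original answers): split a PEM bundle into
# single certificates so each one can be piped, captured or truncated.
# Function names are this example's own. The sample bundle below is
# constructed: its base64 bodies are NOT real certificates.

# pem_count FILE: number of CERTIFICATE blocks in FILE (0 if none).
pem_count() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# pem_nth FILE N: print only the Nth (1-based) certificate block of FILE.
pem_nth() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == want                     { print }
        /^-----END CERTIFICATE-----/   { if (n == want) exit }
    ' "$1"
}

# pem_each FILE CMD [ARGS...]: run CMD once per certificate with that
# certificate on its stdin. Output is a normal pipeline stage, so
#   pem_each bundle.pem openssl x509 -noout -subject -dates | head
#   subj=$(pem_nth bundle.pem 2 | openssl x509 -noout -subject)
# both work, unlike a command placed in the while-loop condition.
pem_each() {
    file=$1; shift
    total=$(pem_count "$file")
    i=1
    while [ "$i" -le "$total" ]; do
        printf '== certificate %d of %d ==\n' "$i" "$total"
        pem_nth "$file" "$i" | "$@"
        i=$((i + 1))
    done
}

# make_sample_bundle FILE: write a constructed two-block placeholder bundle.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=
-----END CERTIFICATE-----
EOF
}

# Stand-alone demo. The placeholder bodies cannot be parsed by openssl,
# so each block is passed to wc -c instead; with a real bundle, replace
# "wc -c" by "openssl x509 -noout -text".
bundle=$(mktemp)
make_sample_bundle "$bundle"
pem_each "$bundle" wc -c
rm -f "$bundle"
```

Because pem_nth re-scans the file for every block, it is O(n^2) in the number of certificates; that is irrelevant for a chain of two or three, and for a large CA bundle you would instead write each block to its own file in one awk pass and loop over the files.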
24

It seems the PEM format is not handled very well with more than one certificate. Based on this answer:

openssl crl2pkcs7 -nocrl -certfile cert.pem | openssl pkcs7 -print_certs -text -noout

It first converts to PKCS#7 and then displays it.

0

Alternatively, you can do this:

awk -F'\n' '
BEGIN { showcert = "openssl x509 -noout -text" }   # command fed with one cert at a time
/-----BEGIN CERTIFICATE-----/ { printf "%d: ", i }   # number the certificate (0-based)
{ print | showcert }                                  # stream every line to openssl
/-----END CERTIFICATE-----/ { close(showcert); i++ }  # close the pipe so openssl runs, then count
' cert.pem

  • alias cert_chain_display='awk '\''BEGIN { showcert = "openssl x509 -noout -subject -issuer -ext subjectAltName"; in_cert = 0 } /-----BEGIN C/ { in_cert = 1; printf "-- certificate index %2d:\n", ++ind } in_cert { print | showcert } /-----END C/ { in_cert = 0; close(showcert); print "-------------" }'\''' Commented Mar 4 at 10:47
-3
openssl pkcs12 -in cert.p12 -cacerts -nodes -nokeys > rootcert.pem

Also, you could try KeyStore Explorer.

  • This answer seems unrelated to the question asked. Commented Sep 16, 2022 at 3:24
