Openssl subject alternative name
3/29/2023

Is there a way to programmatically check the Alternative Names of a SAN SSL cert?

To get the Subject Alternative Names (SAN) for a certificate, use the following command:

    openssl s_client -connect website.example:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:

First, this command connects to the site we want (website.example, port 443 for SSL):

    openssl s_client -connect website.example:443

The result is piped into openssl x509 -noout -text. This takes the certificate file and outputs all its juicy details. The -noout flag keeps it from outputting the (base64-encoded) certificate file itself, which we don't need. The -text flag tells it to output the certificate details in text form.

Normally there's a whole lot of output (signature, issuer, extensions, etc) that we don't care about, so then we pipe that into a simple grep. Since the SAN entries begin with DNS: this simply returns only the lines that contain that, stripping out all the other info and leaving us with the desired information.

You may note that the command does not cleanly exit; openssl s_client actually acts as a client and leaves the connection open, waiting for input. To avoid that (e.g. to parse the output in a shell script) simply pipe echo into it:

    echo | openssl s_client -connect website.example:443 | openssl x509 -noout -text | grep DNS:

How do I get the SAN directly from a file?

For this, you don't need the openssl s_client command. Just add -in MyCertificate.crt on the openssl x509 command and once again pipe through grep, e.g.:

    openssl x509 -noout -text -in MyCertificate.crt | grep DNS:
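For use in a script, the file-based command above can be narrowed to the SAN extension itself and split into one entry per line. The following is an added example, not part of the original post; it goes slightly beyond `grep DNS:` by also returning IP entries and by ignoring `DNS:` lines that belong to other extensions. The helper names, host names, addresses and the throwaway certificate are all constructed for illustration.

```shell
#!/bin/sh
# Added example. Names, addresses and paths below are constructed.

# make_sample_cert DIR: write a throwaway self-signed cert to DIR/cert.pem.
# It carries DNS and IP SANs plus a Name Constraints extension, whose
# "DNS:" line is not a SAN but would still match a bare `grep DNS:`.
make_sample_cert() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = example.test
[ext]
subjectAltName = DNS:example.test, DNS:*.example.test, IP:192.0.2.10
nameConstraints = permitted;DNS:internal.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# list_sans FILE: print the SAN entries of a PEM certificate, one per line.
# Only the line following the SAN header in the -text output is read.
list_sans() {
    openssl x509 -noout -text -in "$1" |
        awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed -e 's/^ *//' -e 's/ *$//' -e '/^$/d'
}

# has_san FILE ENTRY: succeed if ENTRY (e.g. "DNS:example.test") is listed
# verbatim. This is a literal comparison, not wildcard hostname matching.
has_san() {
    list_sans "$1" | grep -Fqx -- "$2"
}

# Demo on the constructed certificate.
tmp=$(mktemp -d)
make_sample_cert "$tmp"
list_sans "$tmp/cert.pem"
has_san "$tmp/cert.pem" "IP Address:192.0.2.10" && echo "IP SAN present"
```

To check a live server instead of a file, save the output of the `openssl s_client` command shown earlier to a file and pass that file to `list_sans`.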