
I can use the following command to display the certificate in a PEM file:

openssl x509 -in cert.pem -noout -text 

But it will only display the information of the first certificate. A PEM file may also contain a certificate chain. How can I display all contained certificates?


4 Answers


The openssl command (specifically, its openssl x509 subcommand, among others) is polite with its data stream: once it reads data, it doesn't read more than it needs.

This allows chaining multiple openssl commands like this:

while openssl x509 -noout -text; do :; done < cert-bundle.pem 

This will display all bundled certs in the file cert-bundle.pem (and ends with an error when there's no more input available, but that just shows how it's working).

  • Can you explain what exactly this loop does? Am I right that this will only work as long as openssl does not read the input as a whole, but line by line until it is able to read one certificate, so that it reads one certificate at each iteration? Commented Mar 22, 2022 at 7:08
  • @stackprotector I'm stating that openssl always reads the minimal information. This property allows chaining openssl multiple times when receiving more than one cert. Other example: openssl s_client -connect unix.stackexchange.com:443 -showcerts </dev/null | while openssl x509 -noout -subject 2>/dev/null; do : ; done to display only cert names from unix.stackexchange.com (server's + 1 intermediate). This property can also be used in other use cases to build dynamic configuration for a CSR: openssl req ... -config <(some commands) (using bash). But I don't know if it's explicitly documented. Commented Mar 22, 2022 at 13:22
  • This type of code is hard to read and hard to extend. Could it be changed so that there's no code executed inside of the while loop condition? (For example, so I could do something with the output other than print it to the console.) Commented Nov 2, 2022 at 9:22
  • Let me give an example. Say I want to see only the first 10 lines of the openssl output (for each cert). I can't pipe the output to 'head' or try to put it in a variable; that makes the code cause errors. It's given as-is, and I don't understand how it works. Not the openssl part, the BASH part. Bash syntax is notoriously nasty. I've just spent the last 4 hours trying to do this simple thing, gave up and wrote a program instead. Commented Nov 2, 2022 at 13:26
  • @aphid "Could it be changed so that there's no code executed inside of the while loop condition?" Not easily, no — the loop condition is "when openssl fails" (due to running out of certificates), which can't be tested without running openssl. Piping the openssl output into things breaks this because you lose the exit status — but you can turn that behaviour of bash off with the pipefail option, like so: ( set -o pipefail ; while openssl x509 -noout -text | head ; do :; done ) < cert-bundle.pem Commented Jul 4 at 0:52

Seems like PEM format is not handled very well with more than one certificate. Based on this answer:

openssl crl2pkcs7 -nocrl -certfile cert.pem | openssl pkcs7 -print_certs -text -noout 

It first converts to PKCS#7 and then displays it.

  • This works well. I get an error while importing a PEM cert: "keytool error: java.lang.Exception: Input not an X.509 certificate". Do I need to convert it to pkcs7 first? Commented Nov 17 at 14:00
  • @Derrick, kind of. AFAIK you need to convert it to pkcs12. You may check this answer: serverfault.com/a/745143/293588 Commented Nov 17 at 14:07

Alternatively, you can do this:

awk -F'\n' 'BEGIN { showcert = "openssl x509 -noout -text" } /-----BEGIN CERTIFICATE-----/ { printf "%d: ", i } { print $0 | showcert } /-----END CERTIFICATE-----/ { close(showcert); i++ }' cert.pem
  • alias cert_chain_display='awk '\''BEGIN { showcert = "openssl x509 -noout -subject -issuer -ext subjectAltName"; in_cert = 0 } /-----BEGIN C/ { in_cert = 1; printf "-- certificate index %2d:\n", ++ind } in_cert { print | showcert } /-----END C/ { in_cert = 0; close(showcert); print "-------------" }'\''' Commented Mar 4 at 10:47
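The first answer's loop and the awk answer above both rely on splitting the bundle at the BEGIN/END markers; the comments on the first answer point out that its loop condition breaks as soon as the openssl output is piped anywhere. The following added example (not from any of the answers; it assumes only a POSIX shell and awk, and the function names, the SAMPLE_BUNDLE variable and its placeholder certificate bodies are constructed here) does the splitting in the shell so that the per-certificate command and its output can be composed freely, and so that a bundle with zero certificates terminates cleanly instead of ending in an openssl error:

```shell
#!/bin/sh
# Added example, not from the original answers. Splits a PEM bundle on the
# certificate markers with awk, then runs an arbitrary command once per
# certificate. Nothing depends on the command's exit status, so its output
# can be piped or captured without pipefail tricks.

# Constructed sample bundle: two placeholder blocks, NOT real certificates
# (a real bundle would carry base64 DER between the markers).
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
BBBB
-----END CERTIFICATE-----'

# Count the certificate blocks in a PEM bundle read from stdin.
# Prints 0 (not an empty string) for a bundle without certificates.
pem_cert_count() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# Extract the n-th (1-based) certificate block from a PEM bundle on stdin,
# from its BEGIN line up to and including its END line.
pem_nth_cert() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    '
}

# Run "$@" once per certificate in the bundle on stdin, feeding each
# certificate to the command on its own stdin. Example:
#   pem_each_cert openssl x509 -noout -subject -issuer < cert-bundle.pem
pem_each_cert() {
    bundle=$(cat)
    total=$(printf '%s\n' "$bundle" | pem_cert_count)
    i=1
    while [ "$i" -le "$total" ]; do
        printf '%s\n' "$bundle" | pem_nth_cert "$i" | "$@"
        i=$((i + 1))
    done
}

# Demonstration on the constructed bundle: print line 2 (the placeholder
# body) of every block. With a real bundle you would pass openssl x509
# instead of sed.
printf '%s\n' "$SAMPLE_BUNDLE" | pem_each_cert sed -n 2p
```

Because each certificate is fed to the command through an ordinary pipe, `pem_each_cert openssl x509 -noout -text < cert-bundle.pem | head` behaves as expected, and the loop still ends after the last certificate. Zero-certificate input is handled by `pem_cert_count` printing 0, so the loop body never runs and no openssl error is produced.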
openssl pkcs12 -in cert.p12 -cacerts -nodes -nokeys > rootcert.pem 

Also, you could try KeyStore Explorer.

  • This answer seems unrelated to the question asked. Commented Sep 16, 2022 at 3:24
