OpenSSL: viewing the details of a certificate

Published on 11 October 2021

You can view all the data in an SSL certificate from its .crt or .pem file. The command to use is: openssl x509 -noout -text -in /chemin/vers/le/certificat, where /chemin/vers/le/certificat is the path to the certificate. For example:

openssl x509 -noout -text -in /etc/letsencrypt/live/palc.fr/fullchain.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:b2:f9:cb:ca:20:c1:05:b9:08:fa:31:80:d8:31:2c:fd:b6
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Aug 30 08:10:06 2021 GMT
            Not After : Nov 28 08:10:05 2021 GMT
        Subject: CN = palc.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b8:88:80:7f:d8:a9:30:71:e7:4e:4f:0d:a3:1b:
                    c9:51:f7:6e:b8:01:49:14:f1:c6:5d:07:fe:da:50:
                    6a:95:5a:fc:d6:97:e1:3b:5e:af:ab:8a:7b:11:8a:
                    a8:33:aa:34:71:0f:9a:0e:32:35:c8:96:29:86:08:
                    52:eb:24:a7:b8:8d:35:9f:e6:af:f7:29:3c:83:d9:
                    e3:89:9e:50:de:a9:fe:43:bd:d8:db:fd:70:f9:52:
                    ae:fd:a7:ae:55:88:6f:a4:da:48:05:7b:4a:ee:41:
                    2b:23:08:38:f3:e8:0f:aa:c7:93:9f:41:a1:1d:dd:
                    45:46:f9:81:da:33:6b:3e:95:28:d5:eb:24:78:35:
                    b9:7c:85:ea:c6:0d:12:d5:a3:8a:50:f6:42:ce:45:
                    1d:f3:41:fd:f4:ce:1c:28:10:45:c1:ad:39:0f:6e:
                    05:7b:8d:b8:f9:98:45:21:7a:b9:df:40:55:26:7a:
                    6f:e1:f6:d5:2a:44:42:92:55:b4:25:f3:97:36:3f:
                    8b:fb:9e:ec:21:2b:b0:36:5b:67:10:b6:75:d3:3b:
                    2b:cc:ed:ec:72:5c:c3:07:1f:b1:ad:f2:67:9e:f1:
                    37:10:16:c4:02:de:57:9f:a4:a6:54:a5:b4:61:5c:
                    63:bc:07:6a:87:00:97:81:d6:b0:2f:2c:1e:cc:e4:
                    11:a1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                41:A3:12:A9:41:CF:C4:C4:0B:57:67:C0:1B:97:E4:49:1F:A0:02:B8
            X509v3 Authority Key Identifier: 
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access: 
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name: 
                DNS:palc.fr, DNS:www.palc.fr
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 5C:DC:43:92:FE:E6:AB:45:44:B1:5E:9A:D4:56:E6:10:
                                37:FB:D5:FA:47:DC:A1:73:94:B2:5E:E6:F6:C7:0E:CA
                    Timestamp : Aug 30 09:10:07.070 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:71:5B:63:71:90:A2:5F:BE:20:32:CB:54:
                                6B:92:DE:CE:4F:EE:24:AE:8D:95:AE:8E:69:61:5E:19:
                                94:6C:2A:84:02:21:00:8F:B2:5A:AB:36:EA:38:40:CD:
                                13:C2:71:D9:5A:B7:81:86:7C:13:57:8D:4A:B6:2E:6F:
                                65:98:9A:81:AF:AF:78
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : F6:5C:94:2F:D1:77:30:22:14:54:18:08:30:94:56:8E:
                                E3:4D:13:19:33:BF:DF:0C:2F:20:0B:CC:4E:F1:64:E3
                    Timestamp : Aug 30 09:10:07.079 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:F5:6D:43:4C:49:68:F7:E1:E3:D0:E2:
                                D1:1C:B2:A8:55:DA:7F:22:CA:35:17:C5:AE:3C:50:12:
                                1B:A5:D5:AE:D6:02:20:50:EC:B7:A4:37:62:3C:7A:FB:
                                96:4D:1B:17:AB:F8:9D:A1:3C:DE:37:6E:71:45:58:AE:
                                3C:7E:C7:5A:D0:B3:FB
    Signature Algorithm: sha256WithRSAEncryption
         89:34:fa:07:9c:ea:3e:05:70:dd:9f:11:b9:5a:36:3c:49:70:
         47:86:41:bb:97:73:82:52:be:20:1e:93:53:d9:2d:e0:29:2a:
         c7:83:5f:47:54:d8:57:72:f5:05:87:2f:f1:22:6c:bd:20:9f:
         1f:5a:90:73:81:a7:3e:06:63:5f:f1:01:fa:01:2c:4a:13:61:
         91:1e:c4:2d:d5:e1:17:28:8c:23:17:8c:42:b9:32:4d:dd:83:
         1f:ce:a3:51:72:bf:9c:1a:6f:66:1e:75:59:34:c1:e0:b2:83:
         c4:2e:1a:ad:d1:71:4d:43:79:9d:0b:af:1e:7b:7c:e4:d5:08:
         b6:bf:ba:b8:fa:90:49:86:e6:ef:eb:9f:c5:a2:3a:39:2c:49:
         03:81:30:36:e7:ed:d0:2c:1c:94:a7:97:0b:cc:a9:58:d8:0d:
         a6:20:c6:5e:67:7b:b7:5f:13:1a:5b:b1:13:8b:d0:e2:69:79:
         1e:e9:f6:2c:90:30:3c:a9:b8:e2:a5:a7:51:0b:a0:e0:f8:10:
         11:ec:e4:0e:c4:3c:2a:3e:65:39:c7:2e:78:f8:56:52:92:db:
         47:5b:81:9b:d3:f0:7a:be:bf:98:e9:a9:d2:92:d6:46:7d:2f:
         a6:fc:25:eb:9f:5c:94:7a:fb:d0:fc:9a:49:8a:d0:4c:35:bb:
         76:c2:4b:67

This makes it easy to check which DNS names the certificate covers, or its expiration date, for example.
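
To read only those two fields instead of scanning the full dump, the checks can be scripted as below. This is an added example, not part of the original post: the function names and the example.test certificate (generated on the spot as a throwaway self-signed sample) are assumptions.

```shell
#!/bin/sh
# Added example: pull only the DNS names and expiry out of a certificate.

# Print the Subject Alternative Name DNS entries, one per line,
# by reading the line that follows the extension header in -text output.
cert_dns_names() {
    openssl x509 -noout -text -in "$1" |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Print the "Not After" date without the notAfter= prefix.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Exit 0 if the certificate expires within $2 days, 1 otherwise.
# -checkend itself exits nonzero when the certificate WILL expire, hence the "!".
cert_expires_within_days() {
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Constructed sample: a throwaway self-signed certificate valid for 30 days.
make_sample_cert() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = example.test
[ext]
subjectAltName = DNS:example.test, DNS:www.example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_sample_cert "$demo_dir"

cert_dns_names "$demo_dir/cert.pem"
echo "expires: $(cert_not_after "$demo_dir/cert.pem")"
if cert_expires_within_days "$demo_dir/cert.pem" 45; then
    echo "renew soon"
fi
```

A missing or unreadable file also makes -checkend exit nonzero, so cert_expires_within_days reports it as expiring rather than silently passing.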