IBM Support

Security: Extract the information from the certificate using OpenSSL

Technical Blog Post



Body

Author: Manisha Khond

 

There are situations where you want to decode a certificate to verify that it contains the correct information. The easiest way to view the certificate content on a Windows host is to open the certificate and view its contents field by field. There are also tools available to parse the certificate contents.

OpenSSL is a free tool, and it can decode the contents of the certificate as well.

 

This is the certificate that we want to decode (Part of the certificate displayed below is erased due to security concerns).

 

image

 

In the next section, we will go through the OpenSSL commands that decode the contents of the certificate.

 

Get the full details on the certificate:

 

openssl x509 -text -in ibmcert.crt

 

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            07:da:4b:af:e9:57:39:9f:31:2b:6f:c3:d4:87:c8:74

        Signature Algorithm: sha256WithRSAEncryption

        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018

        Validity

            Not Before: Feb 19 00:00:00 2018 GMT

            Not After : Mar 21 12:00:00 2019 GMT

        Subject: C=US, ST=New York, L=Armonk, O=IBM, CN=www.ibm.com

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

            RSA Public Key: (2048 bit)

                Modulus (2048 bit):

                    00:c8:aa:36:b7:66:12:31:c8:b6:5e:cb:c0:4b:6c:

                    22:f6:a4:1b:b9:d9:52:e6:21:00:ee:f9:91:b1:ce:

                    7b:d0:fb:8d:58:66:b1:a3:88:47:93:b2:38:14:ad:

                    03:44:d5:1c:24:bd:86:87:5e:67:9a:69:be:b8:a0:

                    c0:fc:b7:bf:f6:17:fb:3a:53:8a:10:60:f9:99:26:

                    7b:36:63:93:db:0e:fb:e8:20:40:b6:b0:cb:4d:ec:

                    73:7c:c9:eb:f0:f8:e8:a3:04:76:e3:81:fc:d0:96:

                    4b:66:10:6b:84:dd:67:b2:00:da:97:41:6a:dd:64:

                    14:29:5a:4d:9c:28:b5:b3:9d:20:26:30:c1:2e:ef:

                    64:9c:be:b9:28:70:65:90:af:b4:fe:f1:3f:74:8b:

                    c8:b2:0b:15:87:00:41:5e:61:40:91:9a:d8:33:81:

                    85:c5:2b:85:56:8c:90:0d:46:e3:ca:6b:7d:83:49:

                    95:03:5d:61:1a:18:dd:fb:f2:2a:35:a3:02:ff:69:

                    d1:06:12:4b:54:5e:a1:c9:cc:91:c9:da:a9:50:66:

                    f2:b9:e0:6a:ba:b9:d9:05:9b:0a:37:25:ad:56:72:

                    58:8d:cc:f4:35:66:23:57:a3:83:64:77:02:d1:e3:

                    44:ec:c6:38:84:9e:49:8d:e6:21:3c:ae:55:fc:c1:

                    36:43

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Authority Key Identifier:

                keyid:90:58:FF:B0:9C:75:A8:51:54:77:B1:ED:F2:A3:43:16:38:9E:6C:C5

 

            X509v3 Subject Key Identifier:

                81:1B:D2:F2:2B:73:FC:86:76:ED:19:DA:FE:5B:03:51:52:A9:CB:8F

            X509v3 Subject Alternative Name:

                xxx

            X509v3 Key Usage: critical

                Digital Signature, Key Encipherment

            X509v3 Extended Key Usage:

                TLS Web Server Authentication, TLS Web Client Authentication

            X509v3 CRL Distribution Points:

                URI:http://cdp.geotrust.com/GeoTrustRSACA2018.crl

 

            X509v3 Certificate Policies:

                Policy: 2.16.840.1.114412.1.1

                  CPS: https://www.digicert.com/CPS

                Policy: 2.23.140.1.2.2

 

            Authority Information Access:

                OCSP - URI:http://status.geotrust.com

                CA Issuers - URI:http://cacerts.geotrust.com/GeoTrustRSACA2018.crt

 

            X509v3 Basic Constraints:

                CA:FALSE

            1.3.6.1.4.1.11129.2.4.2:

                ......w.......X......gp

!g.../O...6...".p.s0.u..u..Y|..C._..n.V.GV6.J.`....^......a...J.....F0D. /a...v.                                                                             .. zG#....^....^...D8=.'.....3.....

    Signature Algorithm: sha256WithRSAEncryption

        36:79:07:98:7f:57:71:96:98:47:0c:88:f9:41:a1:52:56:a4:

        01:d3:dc:eb:a9:47:03:53:3a:2f:d5:ef:41:66:bf:6c:8b:74:

        8a:a7:a8:3f:9c:c6:9b:33:7a:77:09:c8:69:70:14:9b:13:e8:

        77:15:cb:98:d4:00:11:7c:82:26:47:a7:03:98:9b:cb:d5:65:

        9f:89:cd:c8:d2:36:80:76:b1:d2:52:da:3a:39:2a:0a:10:0f:

        e1:27:d3:c2:6a:c1:7b:93:70:af:88:8c:41:85:31:5b:e0:4a:

        f2:6b:74:07:5c:5a:dc:09:4b:f9:dd:23:0c:59:0c:63:cf:a5:

        98:1e:1b:2f:1c:05:08:a3:c0:44:28:e4:a2:f5:55:bf:1c:4a:

        86:a7:0f:69:8d:58:67:de:b9:1e:2a:d0:13:f7:0e:ee:6e:48:

        12:89:46:21:64:fa:db:50:c9:f7:7f:e8:36:11:ec:9f:25:1a:

        9c:7f:49:07:c6:03:1e:49:71:d7:f2:19:23:9a:dc:a3:bc:0f:

        3e:8e:fc:52:d0:f7:b3:8d:a0:b6:ac:e8:ee:d7:37:32:fd:5b:

        42:e6:45:2c:10:83:3b:60:59:06:17:1e:1a:c6:1f:9e:7e:c1:

        d6:83:16:6d:c2:30:8f:5e:c6:1f:13:a5:83:de:5d:96:ca:80:

        b2:df:8c:dd


 

Note: The Subject Alternative Name has the list of all DNS entries. This field is masked due to Security concerns.

 

Get the certificate issuer:

 

openssl x509 -noout -in ibmcert.crt -issuer

 

issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018

 

Get the certificate Subject:

 

openssl x509 -noout -in ibmcert.crt -subject

 

subject= /C=US/ST=New York/L=Armonk/O=IBM/CN=www.ibm.com

 

Get the valid certificate dates:

 

openssl x509 -noout -in ibmcert.crt -dates

 

notBefore=Feb 19 00:00:00 2018 GMT

notAfter=Mar 21 12:00:00 2019 GMT

 

Get the issuer, subject and valid dates:

 

openssl x509 -noout -in ibmcert.crt -issuer -subject -dates

 

issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018

subject= /C=US/ST=New York/L=Armonk/O=IBM/CN=www.ibm.com

notBefore=Feb 19 00:00:00 2018 GMT

notAfter=Mar 21 12:00:00 2019 GMT

 

Get the certificate Thumbprint:

 

openssl x509 -noout -in ibmcert.crt -fingerprint

 

SHA1 Fingerprint=A2:B5:46:36:3D:1C:21:07:5E:3F:E3:07:50:B9:83:18:1E:6B:D7:4F
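The commands above print fields for a person to read; the added example below (not part of the original post) turns the same lookups into a pass/fail check. It goes slightly beyond the post by using the OpenSSL options -nameopt RFC2253, -fingerprint -sha256 and -checkend. The function names, the demo subject and the file names are assumptions made for illustration, and the certificate is a throwaway self-signed one generated on the spot.

```shell
#!/bin/sh
# Added example: verify a certificate's fields instead of reading them by eye.
# Function names, the demo subject and file names are constructed for illustration.

# Create a throwaway self-signed certificate so the script runs offline.
# $1 = output directory, $2 = validity in days
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/C=US/O=Example Org/CN=demo.example.test" \
        -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null
}

# Subject CN. -nameopt RFC2253 gives one comma-separated layout on every
# OpenSSL version; the default -subject layout differs between releases.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# SHA-256 fingerprint as colon-separated hex (the page's command prints SHA-1).
cert_sha256() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Succeeds only if the CN equals $2 and the certificate is still valid
# $3 seconds from now (-checkend exits non-zero when it would have expired).
cert_check() {
    cn=$(cert_cn "$1")
    if [ "$cn" != "$2" ]; then
        echo "FAIL: CN is '$cn', expected '$2'"; return 1
    fi
    if ! openssl x509 -noout -checkend "$3" -in "$1" >/dev/null; then
        echo "FAIL: certificate expires within $3 seconds"; return 1
    fi
    echo "OK: $cn, sha256 $(cert_sha256 "$1")"
}

# Demo: a 30-day certificate passes a 1-day check and fails a 90-day check.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir" 30
cert_check "$demo_dir/demo.crt" demo.example.test 86400
cert_check "$demo_dir/demo.crt" demo.example.test 7776000 || true
rm -rf "$demo_dir"
```

To check a real certificate, call cert_check with its path, the expected CN and the number of seconds of remaining validity you require.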

 

 

Do you have further questions or concerns?

Please comment using "Add a comment" section of the blog.

 

 
