Guidelines

This site is for tech Q&A. Please keep your posts focused on the subject at hand.

Ask one question at a time. Don't conflate multiple problems into a single question.

Make sure to include all relevant information in your posts. Try to avoid linking to external sites.

Links to documentation are fine, but in addition you should also quote the relevant parts in your posts.

Related questions

Categories

Most popular tags

bash linux question2answer puppet mysql php devuan css array ubuntu powershell puppet-bolt nginx apt ruby gitlab cron vim firefox ssh font partition lvm openssl dns password datetime postfix logger logging html jq json puppet-provider pager azure bell certbot fluxbox nfs pip locale python tun-device openvpn mirror hetzner-cloud web-search hiera nag-screen youtube responsive-design systemctl goss ssh-agent windows cups printer bind request-trace gpg shared-folder virtualbox sector raid disk environment glue-record nis tcp foreman chroot volume mount powerdns puppetdb fact network-interface systemd network java hash sha256 solr letsencrypt smtp-auth database permissions theme admin puppet-agent fail2ban email commandline process service-management upstart

Exclude information from certificate output

0 votes
224 views
224 views

I frequently need to check SSL certificates with the openssl command, like this:

openssl x509 -in my.crt -text -noout

The -noout argument already prevents the command from dumping the entire certificate file on top of the decoded data, but the output is still rather lengthy. I'm usually only interested in information like issuer, subject, SANs, and validity. How can I remove other information (particularly the public key and the signature) from the output?

in Sysadmin
by (100)
1 11 25
edit history

Please log in or register to answer this question.

1 Answer

0 votes
 

The openssl x509 subcommand has a parameter -certopt that allows filtering the output to some extent.

From the man page:

-certopt option

customise the output format used with -text. The option argument can be a single option or multiple options separated by commas. The -certopt switch may be also be used more than once to set multiple options. See the TEXT OPTIONS section for more information.

[...]

TEXT OPTIONS

As well as customising the name output format, it is also possible to customise the actual fields printed using the certopt options when the text option is present. The default behaviour is to print all fields.

compatible use the old format. This is equivalent to specifying no output options at all.

no_header don't print header information: that is the lines saying "Certificate" and "Data".

no_version don't print out the version number.

no_serial don't print out the serial number.

no_signame don't print out the signature algorithm used.

no_validity don't print the validity, that is the notBefore and notAfter fields.

no_subject don't print out the subject name.

no_issuer don't print out the issuer name.

no_pubkey don't print out the public key.

no_sigdump don't give a hexadecimal dump of the certificate signature.

no_aux don't print out certificate trust information.

no_extensions don't print out any X509V3 extensions.

ext_default retain default extension behaviour: attempt to print out unsupported certificate extensions.

ext_error print an error message for unsupported certificate extensions.

ext_parse ASN1 parse unsupported extensions.

ext_dump hex dump unsupported extensions.

ca_default the value used by the ca utility, equivalent to no_issuer, no_pubkey, no_header, and no_version.

The options you're looking for are no_pubkey and no_sigdump:

openssl x509 -in my.crt -text -noout -certopt no_pubkey,no_sigdump
by (100)
1 11 25
edit history
Powered by Question2Answer
...