This site is for tech Q&A. Please keep your posts focused on the subject at hand.

Ask one question at a time. Don't conflate multiple problems into a single question.

Make sure to include all relevant information in your posts. Try to avoid linking to external sites.

Links to documentation are fine, but in addition you should also quote the relevant parts in your posts.

0 votes

I frequently need to check SSL certificates with the openssl command, like this:

openssl x509 -in my.crt -text -noout

The -noout argument already prevents the command from dumping the entire certificate file on top of the decoded data, but the output is still rather lengthy. I'm usually only interested in information like issuer, subject, SANs, and validity. How can I remove other information (particularly the public key and the signature) from the output?

in Sysadmin
by (125)
3 19 33
edit history

Please log in or register to answer this question.

1 Answer

0 votes

The openssl x509 subcommand has a parameter -certopt that allows filtering the output to some extent.

From the man page:

-certopt option

customise the output format used with -text. The option argument can be a single option or multiple options separated by commas. The -certopt switch may be also be used more than once to set multiple options. See the TEXT OPTIONS section for more information.



As well as customising the name output format, it is also possible to customise the actual fields printed using the certopt options when the text option is present. The default behaviour is to print all fields.

compatible use the old format. This is equivalent to specifying no output options at all.

no_header don't print header information: that is the lines saying "Certificate" and "Data".

no_version don't print out the version number.

no_serial don't print out the serial number.

no_signame don't print out the signature algorithm used.

no_validity don't print the validity, that is the notBefore and notAfter fields.

no_subject don't print out the subject name.

no_issuer don't print out the issuer name.

no_pubkey don't print out the public key.

no_sigdump don't give a hexadecimal dump of the certificate signature.

no_aux don't print out certificate trust information.

no_extensions don't print out any X509V3 extensions.

ext_default retain default extension behaviour: attempt to print out unsupported certificate extensions.

ext_error print an error message for unsupported certificate extensions.

ext_parse ASN1 parse unsupported extensions.

ext_dump hex dump unsupported extensions.

ca_default the value used by the ca utility, equivalent to no_issuer, no_pubkey, no_header, and no_version.

The options you're looking for are no_pubkey and no_sigdump:

openssl x509 -in my.crt -text -noout -certopt no_pubkey,no_sigdump
by (125)
3 19 33
edit history