How to use the command 'openssl x509' (with examples)

The OpenSSL command ‘openssl x509’ is used to manage X.509 certificates. It allows users to perform various operations on certificates, such as displaying certificate information, checking expiration dates, converting between different encoding formats, and storing the public key in a file.

Use case 1: Display certificate information

Code:

openssl x509 -in filename.crt -noout -text

Motivation: This use case is helpful when you want to inspect the contents of a certificate. The command prints fields such as the certificate’s issuer, subject, validity period, public key, and signature algorithm.

Explanation:

  • openssl x509: The command used to manage X.509 certificates.
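  • -in filename.crt: Specifies the input file containing the certificate. The .crt extension does not determine the encoding; the command expects PEM unless -inform says otherwise.
  • -noout: Suppresses output of the encoded form of the certificate, so only what the other options request is printed.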
  • -text: Specifies that the certificate information should be displayed in human-readable text format.

Example Output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:a5:d4:45:bb:2c:63:43
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Example Organization, CN = Example CA
        Validity
            Not Before: Jan  1 00:00:00 2022 GMT
            Not After : Dec 31 23:59:59 2022 GMT
        Subject: C = US, O = Example Organization, CN = www.example.com
        ...

Use case 2: Display a certificate’s expiration date

Code:

openssl x509 -enddate -noout -in filename.pem

Motivation: Knowing the expiration date of a certificate is crucial for maintaining secure connections. This use case allows you to quickly check the expiration date of a certificate without the need to delve into its full details.

Explanation:

  • -enddate: Prints the certificate’s expiration date (the notAfter field).
  • -noout: Suppresses output of the encoded form of the certificate, so only the date is printed.
  • -in filename.pem: Specifies the input file containing the PEM-encoded certificate.

Example Output:

notAfter=Dec 31 23:59:59 2022 GMT
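
For routine monitoring, the exit status of -checkend is easier to script than parsing the notAfter string. The script below is an added example, not part of the original page; the function names, the 30-day default window and the sample certificate are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify certificates by remaining lifetime using the exit
# status of 'openssl x509 -checkend' instead of parsing the -enddate string.

# Constructed test data: self-signed certificate "$1.crt" valid for $2 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=sample.example" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# cert_status FILE [WARN_DAYS] prints: ok, expiring, expired or unreadable.
cert_status() {
    cert=$1
    warn_days=${2:-30}   # assumed default warning window
    # A file that does not parse as a certificate is reported, not skipped.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable
    # -checkend N exits non-zero when notAfter is less than N seconds away.
    elif ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout \
            -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# Report every certificate named on the command line.
for f in "$@"; do
    printf '%s\t%s\n' "$f" "$(cert_status "$f")"
done
```

Saved as a script, it can be run against a set of certificate files; the "unreadable" result catches files that are truncated or not certificates at all.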

Use case 3: Convert a certificate between binary DER encoding and textual PEM encoding

Code:

openssl x509 -inform der -outform pem -in original_certificate_file -out converted_certificate_file

Motivation: Sometimes it is necessary to convert a certificate from one encoding format to another. The ability to convert between binary DER encoding and textual PEM encoding is useful for interoperability purposes or when working with different systems.

Explanation:

  • -inform der: Specifies the input certificate format as binary DER encoding.
  • -outform pem: Specifies the output certificate format as textual PEM encoding. To convert in the other direction, from PEM to DER, swap the values given to -inform and -outform.
  • -in original_certificate_file: Specifies the input file containing the original certificate to be converted.
  • -out converted_certificate_file: Specifies the output file where the converted certificate will be stored.

Example Output (contents of converted_certificate_file):

-----BEGIN CERTIFICATE-----
MIIDiTCCAnGgAwIBAgIUcRVkXHiEBUO4VX1xvQpTgsQ8wBsGA1 ...
-----END CERTIFICATE-----

Use case 4: Store a certificate’s public key in a file

Code:

openssl x509 -in certificate_file -noout -pubkey -out output_file

Motivation: Saving a certificate’s public key in a separate file can be useful for various purposes, such as encryption or verification processes involving the public key.

Explanation:

  • -in certificate_file: Specifies the input file containing the certificate data.
  • -noout: Suppresses output of the encoded form of the certificate, so only the public key is written.
  • -pubkey: Outputs the certificate’s public key in PEM format.
  • -out output_file: Specifies the output file where the public key will be stored.

Example Output (contents of output_file):

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvF5j3HjSUZ0nCetQVr6N
...
-----END PUBLIC KEY-----
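
After a conversion or a key extraction it is worth confirming that the result is still the same certificate and that its public key belongs to the private key you hold. The functions below combine the commands from use cases 3 and 4 with -fingerprint and openssl pkey; they are an added example, not part of the original page, and the function names and sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: convert between PEM and DER, then prove nothing changed.

# Constructed test data: throwaway key "$1.key" and certificate "$1.pem".
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=sample.example" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# PEM is text with a BEGIN marker; any other file is treated as DER.
cert_form() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo pem
    else
        echo der
    fi
}

# SHA-256 fingerprint of the certificate, independent of its encoding.
cert_fingerprint() {
    openssl x509 -inform "$(cert_form "$1")" -in "$1" -noout \
        -fingerprint -sha256
}

# convert_cert IN OUT: write IN in the other encoding and succeed only if
# both files carry the same certificate.
convert_cert() {
    from=$(cert_form "$1")
    if [ "$from" = pem ]; then to=der; else to=pem; fi
    openssl x509 -inform "$from" -outform "$to" -in "$1" -out "$2" || return 1
    fp=$(cert_fingerprint "$1") || return 1
    [ "$fp" = "$(cert_fingerprint "$2")" ]
}

# cert_matches_key CERT KEY: succeed if the certificate's public key is the
# public half of the private key (both printed as PEM public keys).
cert_matches_key() {
    cert_pub=$(openssl x509 -inform "$(cert_form "$1")" -in "$1" \
        -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}
```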

Conclusion:

The ‘openssl x509’ command provides a comprehensive set of functionalities to manage X.509 certificates. With it, you can easily obtain certificate information, check expiration dates, convert between encoding formats, and store public keys for further use. These use cases showcase just a few of the many ways this command can be applied in practice.
