Last Updated: February 25, 2016 · erebusbat

Extract Certificate Info from File

I used a certificate-based VPN (OpenVPN) at both home and work. I also wrote a nice little packager script around easy-rsa so that I can do something like ./new-client jdoe 'Jon Doe' and it will generate and sign the certificates for me, then package them up into a single file so that I can deploy keys easily.

To do this easily, the new-client package script renames the client .crt and .key files to generic names, so you cannot tell from the file name what a certificate's CN is.

Output from an easy-rsa issued certificate:

$ openssl x509 -subject -dates -fingerprint -noout -in mickey.crt
subject= /C=US/ST=FL/L=Orlando/O=Disney/CN=mmouse/name=Mickey Mouse
notBefore=Aug  9 16:20:06 2012 GMT
notAfter=Aug  7 16:20:06 2022 GMT
SHA1 Fingerprint=11:25:1C:9E:19:FE:2A:47:3F:E7:0D:42:B0:5E:CD:E7:B4:A9:C8:98

Or perhaps you have a web certificate and can't remember where it goes. As long as it is an X.509 certificate, the same command will work:

$ openssl x509 -subject -dates -fingerprint -noout -in star_acme_com.crt
subject= /C=US/ST=Florida/L=Orlando/O=ACME INC/CN=*.acme.com
notBefore=Nov 29 00:00:00 2011 GMT
notAfter=Dec  3 12:00:00 2012 GMT
SHA1 Fingerprint=C1:42:DD:81:7C:74:83:91:33:AC:C6:54:1E:5C:BC:06:F3:B1:08:77

The Mickey example is especially interesting because most tools (OpenVPN included) use the certificate's Common Name to do certain things. The file had been renamed so that it no longer matched the Common Name. This command easily lets you see what the CN actually is for a given certificate, rather than assuming that the file name matches the CN.
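
As an added example (not part of the original post), the same openssl x509 calls can be wrapped in a small shell script that inventories a directory of generically named certificates, reporting each file's CN, expiry status and SHA-256 fingerprint, and whether the file name matches the CN. The function names, the .crt/.pem file patterns and the 30-day warning window are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.

# Print the subject Common Name of a PEM certificate (empty if it has none).
# -nameopt multiline gives one "commonName = value" line on old and new OpenSSL.
cert_cn() {
    openssl x509 -noout -subject -nameopt multiline -in "$1" 2>/dev/null |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Print the SHA-256 fingerprint rather than the default SHA-1 one.
cert_sha256() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | cut -d= -f2
}

# Print "expired", "expiring" (within $2 seconds, default 30 days) or "valid".
cert_status() {
    if ! openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend "${2:-2592000}" -in "$1" >/dev/null 2>&1; then
        echo expiring
    else
        echo valid
    fi
}

# One tab-separated line per certificate found in directory $1:
# file, CN, notAfter, status, file-name-vs-CN check, SHA-256 fingerprint.
cert_report() {
    for f in "$1"/*.crt "$1"/*.pem; do
        [ -f "$f" ] || continue
        # Skip anything that does not parse as X.509 (keys, CSRs, stray files).
        openssl x509 -noout -in "$f" >/dev/null 2>&1 || continue
        cn=$(cert_cn "$f")
        base=$(basename "$f"); base="${base%.*}"
        if [ "$base" = "$cn" ]; then match=name-matches-cn; else match=name-differs; fi
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$f" "$cn" \
            "$(openssl x509 -noout -enddate -in "$f" | cut -d= -f2)" \
            "$(cert_status "$f")" "$match" "$(cert_sha256 "$f")"
    done
}

# Usage: ./cert-report.sh /path/to/certs
if [ "$#" -gt 0 ]; then cert_report "$1"; fi
```

Lines marked name-differs are the renamed files; the CN column is what OpenVPN and similar tools will actually see.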