I used a certificate-based VPN (OpenVPN) at both home and work. I also wrote a nice little packager script around easy-rsa so that I can do something like

    ./new-client jdoe 'Jon Doe'

and it will generate and sign the certificates for me, then package them up into a single file so that I can deploy keys easily.
To do this easily the new-client package script renames the client .key files to generic names so you cannot tell from the file name what a certificate's CN is.
Output from an easy-rsa issued certificate:
    $ openssl x509 -subject -dates -fingerprint -noout -in mickey.crt
    subject= /C=US/ST=FL/L=Orlando/O=Disney/CN=mmouse/name=Mickey Mouse
    notBefore=Aug 9 16:20:06 2012 GMT
    notAfter=Aug 7 16:20:06 2022 GMT
    SHA1 Fingerprint=11:25:1C:9E:19:FE:2A:47:3F:E7:0D:42:B0:5E:CD:E7:B4:A9:C8:98
Or perhaps you have a web certificate that you can't remember where it goes. As long as it is an x509 cert then it will work:
    $ openssl x509 -subject -dates -fingerprint -noout -in star_acme_com.crt
    subject= /C=US/ST=Florida/L=Orlando/O=ACME INC/CN=*.acme.com
    notBefore=Nov 29 00:00:00 2011 GMT
    notAfter=Dec 3 12:00:00 2012 GMT
    SHA1 Fingerprint=C1:42:DD:81:7C:74:83:91:33:AC:C6:54:1E:5C:BC:06:F3:B1:08:77
The Mickey example is especially interesting because most tools (OpenVPN included) use the certificate's Common Name to do certain things. The file had been renamed so that it did not match the Common Name. This easily allows you to see what the CN actually is for a given certificate, so you do not have to assume that the file name matches the CN.
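
The same check applied to a whole directory of renamed certificates, as an added example that is not part of the original post: it lists each file with its real CN, expiry date and whether it has already expired. The function names and the directory argument are assumptions; the openssl options used (-subject, -enddate, -checkend) are standard.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): map generically named
# certificate files back to their real CN and flag expired ones.
# Function names and directory layout are assumptions.

# Extract the CN from an "openssl x509 -subject" line. Handles the legacy
# form shown above (/C=US/.../CN=mmouse/name=...) and the comma-separated
# form printed by newer OpenSSL releases (C = US, ..., CN = mmouse).
cn_from_subject() {
    printf '%s\n' "$1" | sed -nE \
        -e 's/^subject= *//' \
        -e 's#^(.*[/,] *)?CN *= *([^/,]*).*#\2#p'
}

# Print "file<TAB>CN<TAB>notAfter<TAB>status" for every *.crt in a directory.
cert_inventory() {
    local dir="$1" crt subject cn end status
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue            # no matches: glob stayed literal
        if ! subject=$(openssl x509 -noout -subject -in "$crt" 2>/dev/null); then
            printf '%s\t-\t-\tunreadable\n' "$crt"   # not an x509 certificate
            continue
        fi
        cn=$(cn_from_subject "$subject")
        end=$(openssl x509 -noout -enddate -in "$crt" | cut -d= -f2)
        # -checkend 0 exits non-zero when the certificate has already expired
        if openssl x509 -noout -checkend 0 -in "$crt" >/dev/null; then
            status=valid
        else
            status=expired
        fi
        printf '%s\t%s\t%s\t%s\n' "$crt" "${cn:-<no CN>}" "$end" "$status"
    done
}

# Usage: ./cert-inventory.sh /path/to/keys
if [ "$#" -gt 0 ]; then
    cert_inventory "$1"
fi
```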