
I can use the following command to display the certificate in a PEM file:

openssl x509 -in cert.pem -noout -text

But it will only display the information of the first certificate. A PEM file may also contain a certificate chain. How can I display all contained certificates?

3 Answers


The openssl command (specifically, its openssl x509 subcommand, among others) is polite with its data stream: once it reads data, it doesn't read more than it needs.

This allows chaining multiple openssl commands like this:

while openssl x509 -noout -text; do :; done < cert-bundle.pem

This will display all bundled certs in the file cert-bundle.pem (and end with an error when there's no more input available, but that's just to show how it works).

A.B
  • Can you explain what exactly this loop does? Am I right that this will only work as long as openssl does not read the input as a whole, but line by line until it is able to read one certificate, so that it reads one certificate at each iteration? – stackprotector Mar 22 '22 at 07:08
  • @stackprotector I'm stating openssl always reads the minimal information. This property allows chaining openssl multiple times when receiving more than one cert. Other example: openssl s_client -connect unix.stackexchange.com:443 -showcerts </dev/null | while openssl x509 -noout -subject 2>/dev/null; do : ; done to display only cert names from unix.stackexchange.com (server's + 1 intermediate). This property can also be used in other use cases to build a dynamic configuration for a CSR: openssl req ... -config <(some commands) (using bash). But I don't know if it's explicitly documented. – A.B Mar 22 '22 at 13:22
  • I mean that openssl behaves well with input data, it doesn't attempt to seek (in the lseek(2) meaning) nor to consume data that won't be used. – A.B Mar 22 '22 at 13:25
  • This type of code is hard to read, hard to extend. Could it be changed so that there's no code executed inside of the while loop condition? (For example, so I could do something with the output other than print it to the console). – aphid Nov 02 '22 at 09:22
  • @aphid It's to showcase its use. I explained how it's behaving (not flushing the input) and gave an illustration. It's up to you to do something useful with it. Sorry you didn't find this answer useful. – A.B Nov 02 '22 at 12:49
  • Let me give an example. Say I want to see only the first 10 lines of the openssl output (for each cert). I can't pipe the output to 'head' or try to put it in a variable; that makes the code cause errors. It's given as-is; I don't understand how it works. Not the openssl part, the BASH part. Bash syntax is notoriously nasty. I've just spent the last 4 hours trying to do this simple thing, gave up and wrote a program instead. – aphid Nov 02 '22 at 13:26
  • @aphid I have a PEM file which has both public and private keys. I want just the public keys in X509 format. So I used A.B.'s idea and extended it a little, and perhaps it will help you understand. while openssl x509 -outform pem ; do :; done < all_ca_certs.pem >> all_ca_certs_2.crt The way this works is that the openssl command reads all of the input it needs from all_ca_certs.pem and then exits. The output is redirected (actually appended) to all_ca_certs_2.crt. Then the loop starts the next iteration. openssl reads as much as it needs and exits. – user1928764 Dec 30 '22 at 23:30
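As an added example (not from any of the answers above), the following POSIX sh functions split a PEM bundle into its certificate blocks with awk and run a command of your choice on each block, so the per-certificate output can be piped to head or captured in a variable, which the comments note is awkward with the while-loop form; openssl is only assumed for the commented usage line, and the sample bundle uses constructed placeholder bodies, not real certificates.

```shell
# Added example, not part of the original answers: split a PEM bundle into its
# certificate blocks with awk and run a command on each block. Unlike the
# `while openssl x509 ...` loop it does not depend on openssl stopping after
# one certificate. Assumes POSIX sh and awk; openssl only for the usage line.

# Print the N-th certificate block (1-based) of the bundle read on stdin,
# including its BEGIN/END marker lines.
pem_nth_cert() {
    awk -v n="$1" '
        /^-----BEGIN CERTIFICATE-----$/ { i++ }
        i == n                          { print }
        /^-----END CERTIFICATE-----$/ && i == n { exit }
    '
}

# Count the certificate blocks in the bundle read on stdin (prints 0 for none).
pem_cert_count() {
    awk '/^-----END CERTIFICATE-----$/ { c++ } END { print c + 0 }'
}

# Run the command given after the bundle path on each certificate in turn,
# preceded by a one-line banner, e.g.
#   pem_each_cert cert-bundle.pem openssl x509 -noout -subject -issuer -dates
pem_each_cert() {
    bundle=$1; shift
    n=$(pem_cert_count < "$bundle")
    i=1
    while [ "$i" -le "$n" ]; do
        echo "=== certificate $i of $n ==="
        pem_nth_cert "$i" < "$bundle" | "$@"
        i=$((i + 1))
    done
}

# Constructed sample bundle with placeholder bodies (not real certificates),
# just to exercise the splitting logic offline.
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ROOT-BODY
-----END CERTIFICATE-----'
```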

Seems like PEM format is not handled very well with more than one certificate. Based on this answer:

openssl crl2pkcs7 -nocrl -certfile cert.pem | openssl pkcs7 -print_certs -text -noout

It first converts to PKCS#7 and then displays it.

Romeo Ninov
openssl pkcs12 -in cert.p12 -cacerts -nodes -nokeys > rootcert.pem

Also, you could try using KeyStore Explorer.