How to get certificate common name from PEM file
Various articles online have led me to believe that a server certificate's common name must be an exact match to the root URL it is valid for. However, when I look at a bunch of the files in /etc/ssl/certs, via the command openssl x509 -inform PEM -in <certfile.pem> -text, I see that the CN value is generally a human readable description of the site (e.g. "Google Internet Authority"), not a domain name. In fact, I can't see anything in any of the files that looks like a domain name or ip address, either in them or in the output from openssl s_client -connect <ip>.
So, is my understanding of 'common name' incorrect? How do I retrieve the url from the certificate, for which the certificate is valid?
Solution 1:
Yes and no. You are correct (barring some additional details) for server certificates. However, the certificates in /etc/ssl/certs are intermediate and root CA certificates and not server certificates. That is, they aren't used for server identification directly. As such they don't have that matching concern.
Server certificates, the ones that servers actually present to the client, do have the matching concern and are what you see in the first certificate you get when you connect. If you look at the other certificates in the chain openssl builds (and spits out to you) you will see references to the /etc/ssl/certs style of certificates.
The CN itself may not match if one of the alternate fields defined as being legal matches matches instead. Among the methods for adding additional valid names for certificate matching is the use of a subjectAltName extension with the dNSName type which then specifies what the valid name to match against is (at least for HTTPS purposes). There are others for other purposes as well.
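As an added worked example (not part of the original answer), the shell functions below use the openssl command line tool from the question to pull the Subject CN and the subjectAltName dNSName entries out of a PEM file, and then apply the matching rule the answer describes: SAN dNSName entries are checked first, with a leading "*." standing for exactly one label, and the CN is consulted only when the certificate carries no SAN at all. The function names (cert_cn, cert_san_dns, name_matches, cert_valid_for_host) are my own and assumed for this example; the output formats relied on are those of OpenSSL 1.1.1 and later.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI
# (1.1.1 or newer for the -text layout assumed below).

# Print the Subject CN of a PEM certificate (one line, may be empty).
# sep_multiline puts each RDN on its own indented line, e.g. "    CN=example.com".
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
      | sed -n 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*//p'
}

# Print every DNS: entry of the subjectAltName extension, one per line.
# In -text output the names sit on the line after the extension header:
#   X509v3 Subject Alternative Name:
#       DNS:example.com, DNS:www.example.com
cert_san_dns() {
    openssl x509 -in "$1" -noout -text \
      | awk '/Subject Alternative Name/ { getline; print; exit }' \
      | grep -o 'DNS:[^, ]*' \
      | sed 's/^DNS://'
}

# Does HOST match NAME? Exact match, case-insensitive, or a leading "*."
# that stands for exactly one DNS label (the RFC 6125 wildcard rule).
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$name" in
        \*.*)
            suffix=${name#\*.}
            case "$host" in
                # Strip the first label; what remains must equal the suffix,
                # so a.b.example.com does NOT match *.example.com.
                *.*) [ "${host#*.}" = "$suffix" ] ;;
                *)   return 1 ;;
            esac ;;
        *)  [ "$host" = "$name" ] ;;
    esac
}

# Would a client accept FILE for HOST? SAN dNSName entries win; the CN is a
# fallback only when no SAN is present (modern browsers skip even that
# fallback and reject such certificates outright).
cert_valid_for_host() {
    file=$1
    host=$2
    names=$(cert_san_dns "$file")
    [ -n "$names" ] || names=$(cert_cn "$file")
    for n in $names; do
        name_matches "$host" "$n" && return 0
    done
    return 1
}
```

Typical use is `cert_valid_for_host server.pem www.example.com && echo ok`; note that a CA certificate such as those in /etc/ssl/certs will normally have no DNS SAN and a descriptive CN, so it will not validate for any host name, which is the behaviour the answer explains.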