How to view all ssl certificates in a bundle?
I have a certificate bundle .crt file.
Doing openssl x509 -in bundle.crt -text -noout only shows the root certificate.
How do I see all the other certificates?
Solution 1:
http://comments.gmane.org/gmane.comp.encryption.openssl.user/43587 suggests this one-liner:
openssl crl2pkcs7 -nocrl -certfile CHAINED.pem | openssl pkcs7 -print_certs -text -noout
It indeed worked for me, but I don't understand the details so can't say if there are any caveats.
Solution 2:
Java's keytool does the trick:
keytool -printcert -v -file <certs.crt>
Annotation: Windows double-click does not work. Windows reads only the first certificate in the keystore and automatically extends the trust chain from its built-in certificate store.
Results:
- All beyond the first certificate in the .crt file are not shown
- You may get a different trust chain displayed than you have in the .crt file. This may lead to wrong conclusions.
Solution 3:
Following this FAQ led me to this Perl script, which very strongly suggests to me that openssl has no native support for handling the nth certificate in a bundle, and that instead we must use some tool to slice-and-dice the input before feeding each certificate to openssl. This Perl script, freely adapted from Nick Burch's script linked above, seems to do the job:
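#!/usr/bin/perl
# script for splitting multi-cert input into individual certs
# Artistic Licence
#
# v0.0.1 Nick Burch <[email protected]>
# v0.0.2 Tom Yates <[email protected]>
#
use strict;
use warnings;

my $filename = shift;
unless ($filename) {
    die("You must specify a cert file.\n");
}
# Three-argument open: the file name is never interpreted as a mode or a pipe
open(my $inp, '<', $filename) or die("Unable to load \"$filename\"\n");
$| = 1;    # flush our own output before openssl writes to the same stdout
my $thisfile = "";
while (<$inp>) {
    $thisfile .= $_;
    # An END line closes one PEM block; tolerate CRLF line endings
    if ($_ =~ /^\-+END(\s\w+)?\sCERTIFICATE\-+\r?$/) {
        print "Found a complete certificate:\n";
        # Feed the block to openssl on stdin without passing it through a shell
        open(my $openssl, '|-', 'openssl', 'x509', '-noout', '-text')
            or die("Unable to run openssl: $!\n");
        print $openssl $thisfile;
        close($openssl);
        $thisfile = "";
    }
}
close($inp);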
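
Related to the annotation in Solution 2 and the splitting in Solution 3, an added example that is not part of any answer above: Python (standard library only, function names are this example's own) that lists every certificate in a bundle in file order and reports whether each certificate's issuer is the next certificate in the file. It assumes byte-exact Name comparison, which is a simplification, and it does not verify signatures.

```python
import base64, hashlib, re, sys

PEM_RE = re.compile(rb"-----BEGIN (?:TRUSTED )?CERTIFICATE-----(.+?)"
                    rb"-----END (?:TRUSTED )?CERTIFICATE-----", re.S)

def elements(buf):
    """Split a run of DER elements into (tag, whole_element, value) tuples."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, start = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, start = int.from_bytes(buf[start:start + n], "big"), start + n
        if start + length > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos:start + length], buf[start:start + length]))
        pos = start + length
    return out

def names(cert_value):
    """Return (issuer, subject) as raw DER Names from a Certificate's contents."""
    tbs = elements(cert_value)[0][2]
    fields = [raw for tag, raw, _ in elements(tbs) if tag != 0xA0]  # drop [0] version
    return fields[2], fields[4]            # serial, sigAlg, ISSUER, validity, SUBJECT

def name_text(name):
    """Attribute values of a DER Name, in order (attribute OIDs omitted)."""
    rdns = elements(elements(name)[0][2])
    return ", ".join(elements(atv)[1][2].decode("utf-8", "replace")
                     for _, _, rdn in rdns for _, _, atv in elements(rdn))

def inspect_bundle(pem_bytes):
    """One dict per certificate in file order, with chain-order findings."""
    certs = []
    for m in PEM_RE.finditer(pem_bytes):
        # First element only: TRUSTED CERTIFICATE blocks append aux data after the cert
        _, cert, body = elements(base64.b64decode(m.group(1)))[0]
        issuer, subject = names(body)
        certs.append({"subject": name_text(subject), "issuer": name_text(issuer),
                      "sha256": hashlib.sha256(cert).hexdigest(),
                      "self_issued": issuer == subject, "raw": (issuer, subject)})
    for cur, nxt in zip(certs, certs[1:] + [None]):
        # Byte-exact Name comparison: a simplification of RFC 5280 name matching
        cur["issued_by_next"] = nxt is not None and cur["raw"][0] == nxt["raw"][1]
    return certs

if __name__ == "__main__":
    for n, c in enumerate(inspect_bundle(open(sys.argv[1], "rb").read()), 1):
        print(f"{n}: subject={c['subject']!r} issuer={c['issuer']!r} "
              f"sha256={c['sha256']} issuer_is_next_cert={c['issued_by_next']}")
```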