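Reading the contents of an SSL certificate from the command line
Although the contents of an SSL certificate can be viewed in most modern browsers, I occasionally find that I need the command line to look up the same information. I find this useful when renewing certificates, because browsers sometimes cache a certificate for longer than expected, which leads to misleading results.
The following command connects to the server, downloads the SSL certificate from port 443, and then uses the openssl tool to extract the information in the certificate into a readable format.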
echo | openssl s_client -showcerts -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
This produces the following output.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0f:d0:78:dd:48:f1:a2:bd:4d:0f:2b:a9:6b:60:38:fe
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
        Validity
            Not Before: Nov 28 00:00:00 2018 GMT
            Not After : Dec 2 12:00:00 2020 GMT
        Subject: C=US, ST=California, L=Los Angeles, O=Internet Corporation for Assigned Names and Numbers, OU=Technology, CN=www.example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d0:f0:12:74:a0:96:20:72:08:65:19:12:5a:5d:
                    4a:d0:3a:8c:66:8f:a0:29:2b:a7:db:d5:ac:0c:cf:
                    a5:71:92:15:42:15:b0:07:92:76:31:75:d7:27:8e:
                    4d:50:6a:75:d1:7b:53:5e:27:aa:ed:eb:a4:60:3a:
                    f2:8e:45:18:6b:45:33:5c:85:11:aa:20:12:fe:60:
                    ac:9d:4c:45:8f:dd:d3:0e:3e:77:0f:09:c2:85:65:
                    34:c7:22:fb:74:13:b9:42:9f:f7:21:f6:f0:9c:44:
                    74:6d:c9:df:b3:1f:8f:60:b7:71:11:06:90:63:41:
                    9d:8f:34:7b:24:49:46:ac:f2:f0:8d:0b:48:f4:d3:
                    92:1a:f7:a2:45:ee:cc:e5:d7:83:7f:2e:82:bd:71:
                    dd:28:19:58:33:6e:11:a1:3a:a0:6a:72:60:92:01:
                    59:9f:63:17:7a:49:42:7b:9c:3f:db:d3:05:e8:cc:
                    87:7e:f8:aa:fc:9d:d1:05:50:ab:75:b1:1e:ba:20:
                    cb:89:d4:6d:6c:37:82:28:4c:c5:3f:7c:c1:10:f5:
                    a0:a5:66:6b:53:53:c9:db:ed:85:c3:6d:05:f8:64:
                    a7:c9:0e:eb:8f:e1:c4:b1:eb:2d:68:0e:15:3f:e5:
                    e2:dc:fc:21:64:2d:ee:69:2b:04:78:db:77:65:cb:
                    54:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2
            X509v3 Subject Key Identifier:
                66:98:62:02:E0:09:91:A7:D9:E3:36:FB:76:C6:B0:BF:A1:6D:A7:BE
            X509v3 Subject Alternative Name:
                DNS:www.example.org, DNS:example.com, DNS:example.edu, DNS:example.net, DNS:example.org, DNS:www.example.com, DNS:www.example.edu, DNS:www.example.net
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl3.digicert.com/ssca-sha2-g6.crl
                Full Name:
                  URI:http://crl4.digicert.com/ssca-sha2-g6.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114412.1.1
                  CPS: https://www.digicert.com/CPS
                Policy: 2.23.140.1.2.2
            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
            X509v3 Basic Constraints: critical
                CA:FALSE
            1.3.6.1.4.1.11129.2.4.2:
                ...k.i.w.......X......gp .....g\1.F.....H0F.!..d..!...H.v.K.F.W'..{.;.JWBl...l.!.....0.d..L|nXSW....EO..F..p...BB.v..u..Y|..C._..n.V.GV6.J.`....^......g\1.......G0E. [email protected]/..f.._s.H.P..!....H.....D%.<...+.|..'{..X....JN.v.oSv.1.1.....Q..w.....}..c).-. MwZ.I.J.h..a... .1....q.C.....O...z....D;.... [.V.=,r.
    Signature Algorithm: sha256WithRSAEncryption
         73:70:85:ef:40:41:a7:6a:43:d5:78:9c:7b:55:48:e6:bc:6b:
         99:86:ba:fb:0d:03:8b:78:fe:11:f0:29:a0:0c:cd:69:14:0b:
         c6:04:78:b2:ce:f0:87:d5:01:9d:c4:59:7a:71:fe:f0:6e:9e:
         c1:a0:b0:91:2d:1f:ea:3d:55:c5:33:05:0c:cd:c1:35:18:b0:
         6a:68:66:4c:bf:56:21:da:5b:d9:48:b9:8c:35:21:91:5d:dc:
         75:d7:7a:46:2c:22:27:a6:6f:d3:3a:17:eb:be:bd:13:c5:12:
         26:73:c0:5d:a3:35:89:6a:fb:27:d4:dd:aa:74:74:2e:37:e5:
         01:3b:a6:d0:30:b0:83:d0:a1:c4:75:21:85:b2:e5:fa:67:00:
         30:a2:bc:53:83:4d:bf:d6:a8:83:bb:bc:d6:ed:1c:b3:1e:f1:
         58:03:82:00:8e:9c:ef:90:f2:1a:5f:a2:a3:06:da:5d:be:9f:
         da:5d:a6:e6:2f:de:58:80:18:d3:f1:62:7b:a6:a3:9f:ae:a8:
         69:72:63:81:65:ae:82:83:a3:b5:97:8a:9b:20:51:ff:1a:3f:
         61:40:1e:48:d0:6b:38:f9:e1:fa:17:d8:77:4a:88:e6:3d:36:
         24:4f:ef:0a:b9:9f:70:f3:83:27:f8:cf:2a:05:75:10:a1:8a:
         0a:80:88:cd
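For the renewal case mentioned at the top, the served certificate can be compared with the renewed file directly instead of reading the full text dump. The script below is an added example, not part of the original post: the function names and the two self-signed demo.invalid certificates are constructed for illustration, and the check compares SHA-256 fingerprints and uses openssl's -checkend for the expiry margin.

```shell
#!/bin/sh
# Added example: confirm that the certificate a server presents is the renewed one.

# fetch_cert HOST [PORT]: print the served leaf certificate as PEM (needs network).
fetch_cert() {
    echo | openssl s_client -servername "$1" -connect "$1:${2:-443}" 2>/dev/null |
        openssl x509 -inform pem
}

# fingerprint FILE: SHA-256 fingerprint of a PEM certificate, without the label.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# renewal_status SERVED EXPECTED MIN_DAYS: print one of
#   stale    - the served certificate is not the expected (renewed) one
#   expiring - it is the expected one but expires within MIN_DAYS days
#   ok       - it is the expected one and valid for longer than MIN_DAYS days
renewal_status() {
    if [ "$(fingerprint "$1")" != "$(fingerprint "$2")" ]; then
        echo stale
    elif ! openssl x509 -in "$1" -noout -checkend "$(( $3 * 86400 ))" >/dev/null; then
        echo expiring
    else
        echo ok
    fi
}

# make_demo_cert FILE DAYS: constructed self-signed certificate for the offline demo.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$1" \
        -days "$2" -subj "/CN=demo.invalid" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/old.pem" 5     # certificate before renewal
make_demo_cert "$demo_dir/new.pem" 90    # renewed certificate
renewal_status "$demo_dir/old.pem" "$demo_dir/new.pem" 30   # server still serves the old one
renewal_status "$demo_dir/new.pem" "$demo_dir/new.pem" 30   # server serves the renewed one
# Live use: fetch_cert example.com > served.pem; renewal_status served.pem new.pem 30
```

An empty or failed fetch yields an empty fingerprint for the served file, so it is reported as stale rather than ok.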