Certificates don’t look like much in a text editor, but they contain a great deal of information; you just need to know how to unpack it. The x509 command does just that, so let’s use it to look at the self-signed certificates you generated.

In the following example, I use the -text switch to print certificate contents and -noout to reduce clutter by not printing the encoded certificate itself (which is the default behavior):

$ openssl x509 -text -in fd.crt -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            76:bc:fb:f6:06:0e:61:eb:99:5e:83:ea:ef:92:0b:32:4f:fd:3b:51
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = GB, L = London, O = Feisty Duck Ltd, CN = www.feistyduck.com
        Validity
            Not Before: Aug 15 09:31:54 2020 GMT
            Not After : Aug 15 09:31:54 2021 GMT
        Subject: C = GB, L = London, O = Feisty Duck Ltd, CN = www.feistyduck.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:8a:d5:de:69:30:c7:77:b0:a0:54:f7:b3:34:9a:
                    96:1c:23:81:e3:9c:0c:81:a6:8a:a5:14:76:f4:4c:
                    b3:10:cb:ee:50:d1:ea:70:e9:7f:8f:75:67:f9:12:
                    83:b0:11:e7:6c:64:de:bc:af:bd:3f:43:da:b8:41:
                    96:75:34:63:85
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.feistyduck.com, DNS:feistyduck.com
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:4d:36:34:cd:e9:3e:df:18:52:e7:74:c4:a1:97:
         91:6a:e7:c1:6d:12:01:63:d1:fd:90:28:32:70:24:5c:be:35:
         02:21:00:bd:02:64:c9:8b:27:8f:79:c7:a4:41:7c:31:2f:98:
         29:3e:db:8c:f3:f1:d7:bb:fa:fe:95:48:be:16:e1:ab:1b

Self-signed certificates usually contain only the most basic certificate data, and most of it is self-explanatory. In essence, there’s the main body of the certificate, to which a signature is added. By comparison, certificates issued by public CAs are much more interesting, as they contain a number of additional fields (via the X.509 extension mechanism).
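
When a script rather than a person needs this information, x509 can print individual fields instead of the full -text dump. The following is an added example, not part of the original text: it generates a throwaway self-signed certificate (constructed names under example.com; the helper function names are hypothetical), reads back its subject, expiry date, and SAN entries, and checks that it is self-signed. It assumes OpenSSL 1.1.1 or later for -addext and -ext.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; the certificate is a constructed sample.

# Create a throwaway self-signed P-256 certificate in directory $1.
make_sample_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/fd.key" -out "$1/fd.crt" -days 365 \
        -subj "/C=GB/L=London/O=Example Ltd/CN=www.example.com" \
        -addext "subjectAltName=DNS:*.example.com,DNS:example.com" 2>/dev/null
}

# Print one field of certificate $1; $2 is an x509 switch name such as
# subject, issuer, serial, or enddate. The "name=" prefix is stripped.
cert_field() {
    openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" | sed 's/^[^=]*=//'
}

# Print the DNS names from the Subject Alternative Name extension, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed if certificate $1 expires within the next $2 seconds.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Succeed if issuer equals subject and the signature verifies with the
# certificate's own public key.
is_self_signed() {
    [ "$(cert_field "$1" subject)" = "$(cert_field "$1" issuer)" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_cert "$dir" || { rm -rf "$dir"; return 1; }
    crt="$dir/fd.crt"
    echo "subject:     $(cert_field "$crt" subject)"
    echo "expires:     $(cert_field "$crt" enddate)"
    echo "DNS names:   $(cert_dns_names "$crt" | tr '\n' ' ')"
    is_self_signed "$crt" && echo "self-signed: yes"
    expires_within "$crt" 2592000 && echo "warning: expires within 30 days"
    rm -rf "$dir"
}
demo
```

Comparing issuer and subject alone only shows that a certificate is self-issued; the verify step is what confirms the signature was made with the matching key.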