1.2.7 Examining Certificates
Certificates don’t look like much in a text editor, but they contain a great deal of information; you just need to know how to unpack it. The x509 command does just that, so let’s use it to look at the self-signed certificates you generated.

In the following example, I use the -text switch to print the certificate contents and -noout to reduce clutter by suppressing the encoded certificate itself (which is printed by default):
$ openssl x509 -text -in fd.crt -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            76:bc:fb:f6:06:0e:61:eb:99:5e:83:ea:ef:92:0b:32:4f:fd:3b:51
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = GB, L = London, O = Feisty Duck Ltd, CN = www.feistyduck.com
        Validity
            Not Before: Aug 15 09:31:54 2020 GMT
            Not After : Aug 15 09:31:54 2021 GMT
        Subject: C = GB, L = London, O = Feisty Duck Ltd, CN = www.feistyduck.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:8a:d5:de:69:30:c7:77:b0:a0:54:f7:b3:34:9a:
                    96:1c:23:81:e3:9c:0c:81:a6:8a:a5:14:76:f4:4c:
                    b3:10:cb:ee:50:d1:ea:70:e9:7f:8f:75:67:f9:12:
                    83:b0:11:e7:6c:64:de:bc:af:bd:3f:43:da:b8:41:
                    96:75:34:63:85
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.feistyduck.com, DNS:feistyduck.com
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:4d:36:34:cd:e9:3e:df:18:52:e7:74:c4:a1:97:
         91:6a:e7:c1:6d:12:01:63:d1:fd:90:28:32:70:24:5c:be:35:
         02:21:00:bd:02:64:c9:8b:27:8f:79:c7:a4:41:7c:31:2f:98:
         29:3e:db:8c:f3:f1:d7:bb:fa:fe:95:48:be:16:e1:ab:1b
Self-signed certificates usually contain only the most basic certificate data, and most of it is self-explanatory. In essence, there’s the main body of the certificate, to which a signature is added. By comparison, certificates issued by public CAs are much more interesting, as they contain a number of additional fields (via the X.509 extension mechanism).
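The full -text dump is useful for a first look, but in scripts and during incident triage you usually want one field at a time. The following script is an added example, not code from the book: it generates a self-signed P-256 certificate shaped like the one above (subject and SAN values are constructed to match) and then uses the field-selection switches of openssl x509 to answer the questions a reviewer typically asks of a certificate. It assumes OpenSSL 1.1.1 or later, which the -addext and -ext options require.

```shell
#!/bin/sh
# Added example: inspect individual certificate fields with "openssl x509"
# instead of reading the whole -text dump. Assumes OpenSSL >= 1.1.1.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a key and self-signed certificate in one step. The subject and
# subjectAltName values are constructed to mirror the book's example.
make_self_signed() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$1/fd.key" -out "$1/fd.crt" -days 365 \
        -subj "/C=GB/L=London/O=Feisty Duck Ltd/CN=www.feistyduck.com" \
        -addext "subjectAltName=DNS:*.feistyduck.com,DNS:feistyduck.com" \
        >/dev/null 2>&1
}

# A certificate is self-signed when its Issuer equals its Subject.
# Prints "yes" or "no" (the "subject=" / "issuer=" prefixes are stripped).
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# Print only the SAN entries, e.g. "DNS:*.feistyduck.com, DNS:feistyduck.com".
# "-ext subjectAltName" prints a header line followed by the indented names.
san_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2s/^ *//p'
}

# Succeed (exit 0) if the certificate is still valid $2 seconds from now;
# -checkend exits 1 once the notAfter date falls inside that window.
valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

make_self_signed "$WORK"
echo "self-signed: $(is_self_signed "$WORK/fd.crt")"
echo "SAN:         $(san_names "$WORK/fd.crt")"
openssl x509 -in "$WORK/fd.crt" -noout -dates -fingerprint -sha256
if valid_for "$WORK/fd.crt" 2592000; then echo "valid for at least 30 days"; fi
```

The same functions work unchanged on a CA-issued certificate, where is_self_signed prints "no" and the SAN list is usually much longer.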