如何检查SSL/TLS证书的使用者备用名称? [英] How to Check Subject Alternative Names for a SSL/TLS Certificate?
问题描述
是否可以通过编程方式检查SAN SSL证书的使用者备用名称?
Is there a way to programmatically check the Subject Alternative Names of a SAN SSL cert?
例如,使用以下命令,我可以获得很多信息,但不是所有的SAN:
Using, for instance, the following command I can get many info but not all the SANs:
openssl s_client -connect www.website.com:443
非常感谢!
推荐答案
要获取证书的主题备用名称(SAN),请使用以下命令:
To get the Subject Alternative Names (SAN) for a certificate, use the following command:
openssl s_client -connect website.com:443 | openssl x509 -noout -text | grep DNS:
首先,此命令连接到我们想要的站点(website.com,SSL的端口443):
First, this command connects to the site we want (website.com, port 443 for SSL):
openssl s_client -connect website.com:443
然后通过管道(|
)将其插入此命令:
Then pipe (|
) that into this command:
openssl x509 -noout -text
这将获取证书文件并输出其所有多汁的详细信息. -noout
标志可阻止它输出我们不需要的(base64编码)证书文件本身. -text
标志告诉它以文本形式输出证书详细信息.
This takes the certificate file and outputs all its juicy details. The -noout
flag keeps it from outputting the (base64-encoded) certificate file itself, which we don't need. The -text
flag tells it to output the certificate details in text form.
通常会有很多我们不关心的输出(签名,发行者,扩展等),因此我们将 that 传递到一个简单的grep中:
Normally there's a whole lot of output (signature, issuer, extensions, etc) that we don't care about, so then we pipe that into a simple grep:
grep DNS:
由于SAN条目以DNS:
开头,因此仅返回包含该条目的行,从而去除所有其他信息,并为我们提供所需的信息.
Since the SAN entries begin with DNS:
this simply returns only the lines that contain that, stripping out all the other info and leaving us with the desired information.
您可能会注意到该命令不会干净退出; openssl s_client
实际上充当客户端,并使连接保持打开状态,等待输入.如果您希望它立即退出(例如,在shell脚本中解析输出),只需将echo
用管道输送到其中:
You may note that the command does not cleanly exit; openssl s_client
actually acts as a client and leaves the connection open, waiting for input. If you want it to immediately exit (e.g. to parse the output in a shell script) simply pipe echo
into it:
echo | openssl s_client -connect website.com:443 | openssl x509 -noout -text | grep DNS:
如何直接从文件获取SAN?
为此,您不需要openssl s_client
命令.只需在openssl x509
命令上添加-in MyCertificate.crt
,然后再次通过grep传递管道,例如:
How do I get the SAN directly from a file?
For this, you don't need the openssl s_client
command. Just add -in MyCertificate.crt
on the openssl x509
command and once again pipe through grep, e.g.:
openssl x509 -noout -text -in MyCertificate.crt | grep DNS:
这篇关于如何检查SSL/TLS证书的使用者备用名称?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!