如何检查SSL/TLS证书的使用者备用名称? [英] How to Check Subject Alternative Names for a SSL/TLS Certificate?

问题描述

是否可以通过编程方式检查SAN SSL证书的使用者备用名称?

Is there a way to programmatically check the Subject Alternative Names of a SAN SSL cert?

例如，使用以下命令，我可以获得很多信息，但不是所有的SAN:

Using, for instance, the following command I can get many info but not all the SANs:

openssl s_client -connect www.website.com:443 

非常感谢！

推荐答案

要获取证书的主题备用名称(SAN)，请使用以下命令:

To get the Subject Alternative Names (SAN) for a certificate, use the following command:

openssl s_client -connect website.com:443 | openssl x509 -noout -text | grep DNS:

---

首先，此命令连接到我们想要的站点(website.com，SSL的端口443):

---

First, this command connects to the site we want (website.com, port 443 for SSL):

openssl s_client -connect website.com:443

然后通过管道(|)将其插入此命令:

Then pipe (|) that into this command:

openssl x509 -noout -text

这将获取证书文件并输出其所有多汁的详细信息. -noout标志可阻止它输出我们不需要的(base64编码)证书文件本身. -text标志告诉它以文本形式输出证书详细信息.

This takes the certificate file and outputs all its juicy details. The -noout flag keeps it from outputting the (base64-encoded) certificate file itself, which we don't need. The -text flag tells it to output the certificate details in text form.

通常会有很多我们不关心的输出(签名，发行者，扩展等)，因此我们将 that 传递到一个简单的grep中:

Normally there's a whole lot of output (signature, issuer, extensions, etc) that we don't care about, so then we pipe that into a simple grep:

grep DNS:

由于SAN条目以DNS:开头，因此仅返回包含该条目的行，从而去除所有其他信息，并为我们提供所需的信息.

Since the SAN entries begin with DNS: this simply returns only the lines that contain that, stripping out all the other info and leaving us with the desired information.

您可能会注意到该命令不会干净退出； openssl s_client实际上充当客户端，并使连接保持打开状态，等待输入.如果您希望它立即退出(例如，在shell脚本中解析输出)，只需将echo用管道输送到其中:

You may note that the command does not cleanly exit; openssl s_client actually acts as a client and leaves the connection open, waiting for input. If you want it to immediately exit (e.g. to parse the output in a shell script) simply pipe echo into it:

echo | openssl s_client -connect website.com:443 | openssl x509 -noout -text | grep DNS:

如何直接从文件获取SAN?

为此，您不需要openssl s_client命令.只需在openssl x509命令上添加-in MyCertificate.crt，然后再次通过grep传递管道，例如:

How do I get the SAN directly from a file?

For this, you don't need the openssl s_client command. Just add -in MyCertificate.crt on the openssl x509 command and once again pipe through grep, e.g.:

openssl x509 -noout -text -in MyCertificate.crt | grep DNS:

这篇关于如何检查SSL/TLS证书的使用者备用名称?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！