如何检查 SSL/TLS 证书的主题备用名称? [英] How to Check Subject Alternative Names for a SSL/TLS Certificate?

问题描述

有没有办法以编程方式检查 SAN SSL 证书的主题备用名称?

Is there a way to programmatically check the Subject Alternative Names of a SAN SSL cert?

例如，使用以下命令我可以获得很多信息，但不是所有的 SAN:

Using, for instance, the following command I can get many info but not all the SANs:

openssl s_client -connect www.website.com:443 

非常感谢！

推荐答案

要获取证书的主题备用名称 (SAN)，请使用以下命令:

To get the Subject Alternative Names (SAN) for a certificate, use the following command:

openssl s_client -connect website.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:

---

首先，此命令连接到我们想要的站点(website.com，SSL 端口 443):

---

First, this command connects to the site we want (website.com, port 443 for SSL):

openssl s_client -connect website.com:443

然后通过管道 (|) 将其导入此命令:

Then pipe (|) that into this command:

openssl x509 -noout -text

这将获取证书文件并输出其所有详细信息.-noout 标志阻止它输出我们不需要的(base64 编码的)证书文件本身.-text 标志告诉它以文本形式输出证书详细信息.

This takes the certificate file and outputs all its juicy details. The -noout flag keeps it from outputting the (base64-encoded) certificate file itself, which we don't need. The -text flag tells it to output the certificate details in text form.

通常有很多我们不关心的输出(签名、发行者、扩展等)，所以我们将那些传送到一个简单的 grep 中:

Normally there's a whole lot of output (signature, issuer, extensions, etc) that we don't care about, so then we pipe that into a simple grep:

grep DNS:

由于 SAN 条目以 DNS: 开头，因此仅返回包含该内容的行，去除所有其他信息并为我们留下所需的信息.

Since the SAN entries begin with DNS: this simply returns only the lines that contain that, stripping out all the other info and leaving us with the desired information.

您可能会注意到该命令并没有完全退出；openssl s_client 实际上充当客户端并保持连接打开，等待输入.如果您希望它立即退出(例如，解析 shell 脚本中的输出)，只需将 echo 用管道输送到其中:

You may note that the command does not cleanly exit; openssl s_client actually acts as a client and leaves the connection open, waiting for input. If you want it to immediately exit (e.g. to parse the output in a shell script) simply pipe echo into it:

echo | openssl s_client -connect website.com:443 | openssl x509 -noout -text | grep DNS:

如何直接从文件中获取 SAN?

为此，您不需要 openssl s_client 命令.只需在 openssl x509 命令上添加 -in MyCertificate.crt 并再次通过 grep，例如:

How do I get the SAN directly from a file?

For this, you don't need the openssl s_client command. Just add -in MyCertificate.crt on the openssl x509 command and once again pipe through grep, e.g.:

openssl x509 -noout -text -in MyCertificate.crt | grep DNS:

这篇关于如何检查 SSL/TLS 证书的主题备用名称?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！