OpenSSL Self-Signed Certificate Components
How to identify and read each component of a self-signed certificate in OpenSSL "x509 -text" command output?
✍: FYIcenter.com
OpenSSL "x509 -text" command output displays all components in a self-signed certificate
with proper labels to help you identify each component.
Below is a good example of the "x509 -text" command output:
C:\Users\fyicenter>\local\openssl\openssl.exe
OpenSSL> x509 -in rsa_test.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ef:25:6c:16:2f:ec:30:b6
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=us, ST=NY, L=New York, O=Donald Inc.,
OU=IT, CN=www.donald.inc/emailAddress=john@donald.inc
Validity
Not Before: Aug 21 11:46:53 2016 GMT
Not After : Sep 20 11:46:53 2016 GMT
Subject: C=us, ST=NY, L=New York, O=Donald Inc.,
OU=IT, CN=www.donald.inc/emailAddress=john@donald.inc
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (512 bit)
Modulus:
00:a5:71:05:d4:1f:88:8c:e5:5f:0c:6f:83:7f:8a:
68:3a:99:a5:a9:18:af:bd:47:73:c7:ab:b7:f4:09:
b6:a0:64:9e:e7:4c:92:7f:5e:1d:7a:f0:7e:6e:61:
2e:ed:e1:aa:c5:2b:ee:96:7d:e4:14:44:2b:fa:af:
7f:47:da:9c:ef
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
09:E5:65:C1:3D:0A:13:23:FE:20:73:8F:2D:98:C1:E9:F2:ED:D4:71
X509v3 Authority Key Identifier:
keyid:09:E5:65:C1:3D:0A:13:23:FE:20:73:8F:2D:98:C1:E9:F2:ED:D4:71
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
40:1d:b5:7e:eb:a9:89:a1:e3:18:d3:ca:9e:51:03:2e:ee:9a:
16:52:6e:87:d6:a8:cc:a2:47:29:18:11:f6:cb:5a:99:fb:15:
63:0d:f7:7b:33:4c:0a:78:4d:5d:87:48:19:f9:74:26:da:1a:
f2:8f:77:d4:07:e7:7d:a9:99:64
You can read the above output as the following:
The version number of X509 standard used in this certificate is 3 (binary value is 2, but it represents version 3):
Version: 3 (0x2)
The serial number of this certificate is ef:25:6c:16:2f:ec:30:b6, which uniquely identifies this certificate among all certificates signed by issuer:
Serial Number:
ef:25:6c:16:2f:ec:30:b6
The digital signature algorithm used to sign this certificate is SHA256 with an RSA private key:
Signature Algorithm: sha256WithRSAEncryption
The entity name of the issuer who signed this certificate:
Issuer: C=us, ST=NY, L=New York, O=Donald Inc.,
OU=IT, CN=www.donald.inc/emailAddress=john@donald.inc
The validity date range of this certificate:
Validity
Not Before: Aug 21 11:46:53 2016 GMT
Not After : Sep 20 11:46:53 2016 GMT
The entity name of the subject whose public key is being certified (the subject is the same as the issuer in the case of a self-signed certificate):
Subject: C=us, ST=NY, L=New York, O=Donald Inc.,
OU=IT, CN=www.donald.inc/emailAddress=john@donald.inc
The public key algorithm and public key itself being certified:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (512 bit)
Modulus:
00:a5:71:05:d4:1f:88:8c:e5:5f:0c:6f:83:7f:8a:
68:3a:99:a5:a9:18:af:bd:47:73:c7:ab:b7:f4:09:
b6:a0:64:9e:e7:4c:92:7f:5e:1d:7a:f0:7e:6e:61:
2e:ed:e1:aa:c5:2b:ee:96:7d:e4:14:44:2b:fa:af:
7f:47:da:9c:ef
Exponent: 65537 (0x10001)
The additional information included in the certification:
X509v3 extensions:
X509v3 Subject Key Identifier:
09:E5:65:C1:3D:0A:13:23:FE:20:73:8F:2D:98:C1:E9:F2:ED:D4:71
X509v3 Authority Key Identifier:
keyid:09:E5:65:C1:3D:0A:13:23:FE:20:73:8F:2D:98:C1:E9:F2:ED:D4:71
X509v3 Basic Constraints:
CA:TRUE
The digital signature algorithm and digital signature itself:
Signature Algorithm: sha256WithRSAEncryption
40:1d:b5:7e:eb:a9:89:a1:e3:18:d3:ca:9e:51:03:2e:ee:9a:
16:52:6e:87:d6:a8:cc:a2:47:29:18:11:f6:cb:5a:99:fb:15:
63:0d:f7:7b:33:4c:0a:78:4d:5d:87:48:19:f9:74:26:da:1a:
f2:8f:77:d4:07:e7:7d:a9:99:64
⇒ OpenSSL "req -x509" - Sign My Own CSR
⇐ OpenSSL "req -x509 -newkey" - Generate Private Key and Certificate
2016-11-08, 680👍, 0💬
Related Topics: