OpenSSL Self-Signed Certificate Components

Q

How to identify and read each component of a self-signed certificate in OpenSSL "x509 -text" command output?

✍: FYIcenter.com

A

The OpenSSL "x509 -text" command output displays every component of a self-signed certificate, each with a label that identifies it.

Below is a good example of the "x509 -text" command output:

C:\Users\fyicenter>\local\openssl\openssl.exe

OpenSSL> x509 -in rsa_test.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ef:25:6c:16:2f:ec:30:b6
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=us, ST=NY, L=New York, O=Donald Inc., 
                OU=IT, CN=www.donald.inc/emailAddress=john@donald.inc
        Validity
            Not Before: Aug 21 11:46:53 2016 GMT
            Not After : Sep 20 11:46:53 2016 GMT
        Subject: C=us, ST=NY, L=New York, O=Donald Inc., 
                 OU=IT, CN=www.donald.inc/emailAddress=john@donald.inc
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:a5:71:05:d4:1f:88:8c:e5:5f:0c:6f:83:7f:8a:
                    68:3a:99:a5:a9:18:af:bd:47:73:c7:ab:b7:f4:09:
                    b6:a0:64:9e:e7:4c:92:7f:5e:1d:7a:f0:7e:6e:61:
                    2e:ed:e1:aa:c5:2b:ee:96:7d:e4:14:44:2b:fa:af:
                    7f:47:da:9c:ef
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                09:E5:65:C1:3D:0A:13:23:FE:20:73:8F:2D:98:C1:E9:F2:ED:D4:71
            X509v3 Authority Key Identifier:
                keyid:09:E5:65:C1:3D:0A:13:23:FE:20:73:8F:2D:98:C1:E9:F2:ED:D4:71

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         40:1d:b5:7e:eb:a9:89:a1:e3:18:d3:ca:9e:51:03:2e:ee:9a:
         16:52:6e:87:d6:a8:cc:a2:47:29:18:11:f6:cb:5a:99:fb:15:
         63:0d:f7:7b:33:4c:0a:78:4d:5d:87:48:19:f9:74:26:da:1a:
         f2:8f:77:d4:07:e7:7d:a9:99:64

You can read the above output as follows:

The version of the X.509 standard used in this certificate is 3 (the encoded value is 2, shown as 0x2, but it represents version 3):

        Version: 3 (0x2)

The serial number of this certificate is ef:25:6c:16:2f:ec:30:b6, which uniquely identifies this certificate among all certificates signed by the issuer:

        Serial Number:
            ef:25:6c:16:2f:ec:30:b6

The digital signature algorithm used to sign this certificate is SHA256 with an RSA private key:

    Signature Algorithm: sha256WithRSAEncryption

The entity name of the issuer who signed this certificate:

        Issuer: C=us, ST=NY, L=New York, O=Donald Inc., 
                OU=IT, CN=www.donald.inc/emailAddress=john@donald.inc

The validity date range of this certificate:

        Validity
            Not Before: Aug 21 11:46:53 2016 GMT
            Not After : Sep 20 11:46:53 2016 GMT

The entity name of the subject whose public key is being certified (the subject is the same as the issuer in the case of a self-signed certificate):

        Subject: C=us, ST=NY, L=New York, O=Donald Inc., 
                 OU=IT, CN=www.donald.inc/emailAddress=john@donald.inc

The public key algorithm and the public key being certified:

        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:a5:71:05:d4:1f:88:8c:e5:5f:0c:6f:83:7f:8a:
                    68:3a:99:a5:a9:18:af:bd:47:73:c7:ab:b7:f4:09:
                    b6:a0:64:9e:e7:4c:92:7f:5e:1d:7a:f0:7e:6e:61:
                    2e:ed:e1:aa:c5:2b:ee:96:7d:e4:14:44:2b:fa:af:
                    7f:47:da:9c:ef
                Exponent: 65537 (0x10001)

The additional information included in the certificate:

        X509v3 extensions:
            X509v3 Subject Key Identifier:
                09:E5:65:C1:3D:0A:13:23:FE:20:73:8F:2D:98:C1:E9:F2:ED:D4:71
            X509v3 Authority Key Identifier:
                keyid:09:E5:65:C1:3D:0A:13:23:FE:20:73:8F:2D:98:C1:E9:F2:ED:D4:71

            X509v3 Basic Constraints:
                CA:TRUE

The digital signature algorithm and digital signature itself:

    Signature Algorithm: sha256WithRSAEncryption
         40:1d:b5:7e:eb:a9:89:a1:e3:18:d3:ca:9e:51:03:2e:ee:9a:
         16:52:6e:87:d6:a8:cc:a2:47:29:18:11:f6:cb:5a:99:fb:15:
         63:0d:f7:7b:33:4c:0a:78:4d:5d:87:48:19:f9:74:26:da:1a:
         f2:8f:77:d4:07:e7:7d:a9:99:64
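
The labelled fields above can also be read programmatically. This added example, which is not part of the original tutorial or of OpenSSL, parses an abridged copy of the output and flags the points a reviewer would check; the names `grab` and `review` and the 2048-bit floor are assumptions.

```python
import re
from datetime import datetime

# Abridged from the output above (constructed sample): modulus, signature bytes and
# algorithm lines dropped; Issuer/Subject joined onto one line each.
NAME = "C=us, ST=NY, L=New York, O=Donald Inc., OU=IT, CN=www.donald.inc/emailAddress=john@donald.inc"
KEYID = "09:E5:65:C1:3D:0A:13:23:FE:20:73:8F:2D:98:C1:E9:F2:ED:D4:71"
SAMPLE = f"""Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ef:25:6c:16:2f:ec:30:b6
        Issuer: {NAME}
        Validity
            Not Before: Aug 21 11:46:53 2016 GMT
            Not After : Sep 20 11:46:53 2016 GMT
        Subject: {NAME}
        Subject Public Key Info:
                Public-Key: (512 bit)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                {KEYID}
            X509v3 Authority Key Identifier:
                keyid:{KEYID}
            X509v3 Basic Constraints:
                CA:TRUE
"""

def grab(text, pattern):
    m = re.search(pattern, text)  # first capture group, or None if the label is absent
    return m.group(1).strip() if m else None

def review(text, now, min_rsa_bits=2048):  # 2048 is an assumed policy floor
    fmt = "%b %d %H:%M:%S %Y GMT"
    not_before = datetime.strptime(grab(text, r"Not Before:\s*(.+)"), fmt)
    not_after = datetime.strptime(grab(text, r"Not After\s*:\s*(.+)"), fmt)
    ski = grab(text, r"Subject Key Identifier:\s*([0-9A-Fa-f:]+)")
    aki = grab(text, r"Authority Key Identifier:\s*(?:keyid:)?([0-9A-Fa-f:]+)")
    issuer, subject = grab(text, r"Issuer:\s*(.+)"), grab(text, r"Subject:\s*(.+)")
    return {
        "version": int(grab(text, r"Version:\s*(\d+)")),
        "serial": grab(text, r"Serial Number:\s*([0-9a-f:]+)"),
        # Equal names and key ids only suggest self-signing; the signature is not verified here.
        "looks_self_signed": issuer == subject and ski == aki,
        "is_ca": grab(text, r"CA:(TRUE|FALSE)") == "TRUE",
        "validity_days": (not_after - not_before).days,
        "expired": now > not_after,
        "weak_key": int(grab(text, r"Public-Key:\s*\((\d+) bit\)")) < min_rsa_bits,
    }
```
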


2016-11-08