21

Is there a way to list all domains on an SAN/UCC SSL Certificate (ideally using command line on linux/os x)?

Clearly there must be some way to extract the data, since browsers can do it. Unfortunately, I can see the list but can't cut and paste it.

Jordan Reiter
  • 1,290
  • 4
  • 20
  • 40

5 Answers5

33
openssl x509 -text < $CERT_FILE

#=>

. . .
                DNS: . . .
. . .

where $CERT_FILE can have either the .pem or .crt extension.

Shell functions for viewing cert. files and checking that a cert. & key file match can be found here.

Mike
  • 107
  • 4
Dan Pritts
  • 3,221
  • 26
  • 28
  • 3
    For posterity, this is the full command I used, since I was doing it for another server: `openssl s_client -showcerts -connect www.example.org:443 | openssl x509 -text` – Jordan Reiter Sep 10 '12 at 13:39
  • 4
    To get a clean space delimited list of domains you can pass it through grep and sed like so `openssl x509 -text < $CRT | grep 'DNS:' | sed 's/\s*DNS:\([a-z0-9.\-]*\)[,\s]\?/\1 /g'` – Geoffrey Apr 28 '17 at 08:49
  • You don't need the `grep`. `sed` can do the selecting for you: `openssl x509 -text < $CRT | sed -n 's/\s*DNS:\([a-z0-9.\-]*\)[,\s]\?/\1 /gp'` – Tilman Schmidt Sep 09 '22 at 07:02
17

You can list the domains with this command (tested on linux):

cat cert.pem | openssl x509 -text | grep DNS
panticz
  • 771
  • 7
  • 5
5

If you just want to see the SANs, grep DNS: is the obvious solution.

If you want to have a cleaner list to process further, you can use this Perl regex to extract just the names : @names=/\sDNS:([^\s,]+)/g

For example:

true | openssl s_client -connect example.com:443 2>/dev/null \
| openssl x509 -noout -text \
| perl -l -0777 -ne '@names=/\bDNS:([^\s,]+)/g; print join("\n", sort @names);'

Which would output this:

example.com
example.edu
example.net
example.org
www.example.com
www.example.edu
www.example.net
www.example.org

So you could pipe that to while read name; do echo "processing $name ..."; done etc.

Or for a comma-separated list on one line, replace join("\n", with join(",",

(The -0777 switch for perl makes it read the whole input at once instead of line by line)

mivk
  • 4,004
  • 3
  • 37
  • 32
1

if you'd like to limit dependencies to openssl, grep, sed and tr and still have easily parseable/iterable output:

  • space separated list: 
    $ openssl x509 -text -in cert.pem | grep DNS | sed s/DNS://g | tr -d ' ' | tr , ' '
    output: 
    example.com example.org www.example.com www.example.org
  • newline separated list: 
    $ openssl x509 -text -in cert.pem | grep DNS | sed s/DNS://g | tr -d ' ' | tr , \\n
    output: 
    example.com
example.org
www.example.com
www.example.org
  • comma separated list: 
    $ openssl x509 -text -in cert.pem | grep DNS | sed s/DNS://g | tr -d ' '
    output: 
    example.com,example.org,www.example.com,www.example.org

what's going on here?

  • openssl x509 -text -in cert.pem produces human readable cert information
  • grep DNS extracts lines containing the string: DNS
  • sed s/DNS://g removes all occurrences of: DNS:
  • tr -d ' ' removes all space characters
  • tr , ' ' replaces all coma characters with a space character
  • tr , \\n replaces all coma characters with a newline character
  • | the pipe operator passes standard output from the command preceding the pipe to standard input of the command following it
grenade
  • 312
  • 1
  • 3
  • 8
  • 1
    The `grep` and `tr` commands are unnecessary if you already have an `sed` process running in your pipe. `sed` can do everything they can. – Tilman Schmidt Sep 09 '22 at 07:15
0

This will show all Alternative domains in certificate (needed by all browsers today)

openssl x509 -text -noout < fullchain.pem | grep DNS

The answer will be like this

DNS:*.example.ru, DNS:example.ru
Dmitriy
  • 1
  • 1