I can use the following command to display the certificate in a PEM file:

openssl x509 -in cert.pem -noout -text

But it will only display the information of the first certificate. A PEM file may also contain a certificate chain. How can I display all contained certificates?

stackprotector
  • Effectively dupe https://unix.stackexchange.com/questions/97244/list-all-available-ssl-ca-certificates and https://unix.stackexchange.com/questions/366898/generate-hpkp-fingerprints-for-all-certificate-chain/ and crossdupe https://serverfault.com/questions/590870/how-to-view-all-ssl-certificates-in-a-bundle and https://serverfault.com/questions/391396/how-to-split-a-pem-file -- but A.B.'s answer is new AFAIR. – dave_thompson_085 Mar 22 '22 at 04:30
  • _Effectively_, yes. I would only consider [How to view all ssl certificates in a bundle?](https://serverfault.com/q/590870/536173) as an exact crossdupe. I obviously had different search terms in mind when googling for it and did not find it by myself. So maybe others will still benefit from this Q&A. – stackprotector Mar 22 '22 at 06:59

3 Answers

26

The openssl command (specifically, its openssl x509 subcommand, among others) is polite with its data stream: once it reads data, it doesn't read more than it needs.

This allows chaining multiple openssl commands like this:

while openssl x509 -noout -text; do :; done < cert-bundle.pem

This will display all bundled certs in the file cert-bundle.pem (and ends with an error when there's no more input available, but that just shows how it's working).

A.B
  • Can you explain what exactly this loop does? Am I right that this will only work as long as `openssl` does _not_ read the input as a whole, but line by line until it is able to read one certificate, so that it reads one certificate at each iteration? – stackprotector Mar 22 '22 at 07:08
  • @stackprotector I'm stating that `openssl` always reads the minimal information. This property allows chaining `openssl` multiple times when receiving more than one cert. Other example: `openssl s_client -connect unix.stackexchange.com:443 -showcerts /dev/null; do : ; done` to display only cert names from unix.stackexchange.com (server's + 1 intermediate). This property can also be used with other use cases to build dynamic configuration for CSR: `openssl req ... -config <(some commands)` (using bash). But I don't know if it's explicitly documented. – A.B Mar 22 '22 at 13:22
  • I mean that openssl behaves well with input data, it doesn't attempt to seek (in the `lseek(2)` meaning) nor to consume data that won't be used. – A.B Mar 22 '22 at 13:25
  • This type of code is hard to read, hard to extend. Could it be changed so that there's no code executed inside of the while loop condition? (For example, so I could do something with the output other than print it to the console). – aphid Nov 02 '22 at 09:22
  • @aphid It's to showcase its use. I explained how it's behaving (not flushing the input) and gave an illustration. It's up to you to do something useful with it. Sorry you didn't find this answer useful. – A.B Nov 02 '22 at 12:49
  • Let me give an example. Say I want to see only the first 10 lines of the openssl output (for each cert). I can't pipe the output to 'head' or try to put it in a variable, that makes the code cause errors. It's given as-is, I don't understand how it works. Not the openssl part, the BASH part. Bash syntax is notoriously nasty. I've just spent the last 4 hours trying to do this simple thing, gave up and wrote a program instead. – aphid Nov 02 '22 at 13:26
  • @aphid I have a PEM file which has both public and private keys. I want just the public keys in X509 format. So I used A.B.'s idea and extended it a little, and perhaps it will help you understand. `while openssl x509 -outform pem ; do :; done < all_ca_certs.pem >> all_ca_certs_2.crt` The way this works is that the openssl command reads all of the input it needs from all_ca_certs.pem and then exits. The output is redirected (actually appended) to all_ca_certs_2.crt. Then the loop starts the next iteration: openssl reads as much as it needs and exits. – user1928764 Dec 30 '22 at 23:30
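The loop in this answer hides the per-certificate work in the `while` condition, which is what aphid was stuck on (piping each certificate's output to `head`, or capturing it in a variable) and what user1928764 worked around with an output redirection. The following is an added example, not part of A.B's answer: it splits the bundle into CERTIFICATE blocks with plain sh and awk, so the command run on each certificate is an ordinary pipeline stage. The function names (`count_pem_certs`, `nth_pem_cert`, `for_each_cert`, `cert_summary`) and the sample bundle are my own; the base64 bodies in the sample are placeholder text, not real certificates, so `openssl x509` would reject them and the demo uses `head` instead.

```sh
#!/bin/sh
# Added example (not part of A.B's answer): split a PEM bundle into its CERTIFICATE
# blocks in plain sh/awk, so that the per-certificate command is an ordinary pipeline
# stage rather than the condition of a while loop. Function names are assumptions.

# Constructed sample bundle. The base64 bodies are placeholder text, not real
# certificates, so openssl would reject them; they only exercise the splitting.
# A PRIVATE KEY block sits between the certificates to show that it is skipped.
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
cGxhY2Vob2xkZXIga2V5IG1hdGVyaWFsLCBub3QgYSByZWFsIGtleQ==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC
-----END CERTIFICATE-----'

# count_pem_certs: number of CERTIFICATE blocks on stdin (prints 0, not an error, for none).
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' || true
}

# nth_pem_cert N: print the N-th (1-based) CERTIFICATE block from stdin, BEGIN and END
# lines included. Anything outside a CERTIFICATE block (private keys, the "subject="
# lines that s_client -showcerts emits) is never printed.
nth_pem_cert() {
    awk -v want="$1" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inblock = 1 }
        inblock && n == want           { print }
        /^-----END CERTIFICATE-----/   { if (n == want) exit; inblock = 0 }
    '
}

# for_each_cert FILE CMD [ARG...]: run CMD once per certificate in FILE with that
# certificate on its stdin. A failing CMD is reported on stderr and the loop continues,
# so one bad block in a bundle does not hide the others.
for_each_cert() {
    file=$1
    shift
    total=$(count_pem_certs < "$file")
    i=1
    while [ "$i" -le "$total" ]; do
        nth_pem_cert "$i" < "$file" | "$@" \
            || printf 'certificate %s: command "%s" failed\n' "$i" "$1" >&2
        i=$((i + 1))
    done
}

# cert_summary: the usual per-certificate inspection with openssl (subject, issuer,
# expiry). Needs real certificates on stdin; the placeholder sample above will not pass.
cert_summary() {
    openssl x509 -noout -subject -issuer -enddate
}

# Demo on the constructed bundle using only tools that need no openssl.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_BUNDLE" > "$tmp"
    printf 'bundle contains %s certificate block(s)\n' "$(count_pem_certs < "$tmp")"
    for_each_cert "$tmp" head -n 1   # one BEGIN CERTIFICATE line per certificate
    rm -f "$tmp"
}
demo
```

On a real bundle, `for_each_cert cert-bundle.pem cert_summary` prints subject, issuer and expiry for every certificate in the file, `for_each_cert cert-bundle.pem sh -c 'openssl x509 -noout -text | head -n 10'` gives aphid's "first 10 lines per cert", and `for_each_cert all_ca_certs.pem cat > certs_only.pem` does user1928764's key-stripping without calling openssl at all, since the splitter never prints lines outside a CERTIFICATE block.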

16

Seems like PEM format is not handled very well with more than one certificate. Based on this answer:

openssl crl2pkcs7 -nocrl -certfile cert.pem | openssl pkcs7 -print_certs -text -noout

It first converts to PKCS#7 and then displays it.

Romeo Ninov

-2

openssl pkcs12 -in cert.p12 -cacerts -nodes -nokeys > rootcert.pem

Also, you could try to use KeyStore Explorer.