The closest I have found is to use "grep":
> openssl x509 -text -noout -in cert.pem | grep DNS
Is there a better way to do this? I only want a command-line solution.
Thanks.
Newer versions of openssl have an "-ext" option that lets you print only the subjectAltName records. I am using 'OpenSSL 1.1.1b' on Debian 9.9.
openssl x509 -noout -ext subjectAltName -in cert.pem
Although you still need to parse the output.
The change was made in https://github.com/openssl/openssl/issues/3932
Note that you can limit the -text output to only the extensions by adding the option:
-certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux
i.e.:
openssl x509 -text -noout -in cert.pem \
    -certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux
However, you will still need to apply some text-parsing logic to get the Subject Alternative Name.
If that is not enough, I think you will need to write a small program that uses the openssl library to extract the specific field you are looking for. Here are some example programs that demonstrate how to parse a certificate, including extracting extension fields such as Subject Alternative Name:
https://zakird.com/2013/10/13/certificate-parsing-with-openssl
Note that if you go the programming route, you do not have to use openssl and C... you can pick your favourite language and an ASN.1 parser library and use that. For example, in Java you could use http://jac-asn1.sourceforge.net/ and many others.
Taken from /sf/ask/17360801/
$ true | openssl s_client -connect example.com:443 | openssl x509 -noout -text | grep DNS:
$ true | openssl s_client -connect localhost:8443 | openssl x509 -noout -text | grep DNS:
depth=2 C = US, ST = NC, L = SomeCity, O = SomeCompany Security, OU = SomeOU, CN = SomeCN
verify error:num=19:self signed certificate in certificate chain
DONE
DNS:localhost, DNS:127.0.0.1, DNS:servername1.somedom.com, DNS:servername2.somedom.local
A very simple solution using grep:
openssl x509 -in /path/to/x509/cert -noout -text | grep -oP '(?<=DNS:|IP Address:)[^,]+' | sort -uV
For the Google certificate its output is:
android.clients.google.com
android.com
developer.android.google.cn
g.co
goo.gl
google.com
googlecommerce.com
google-analytics.com
hin.com
urchin.com
www.goo.gl
youtu.be
youtube.com
youtubeeducation.com
*.android.com
*.appengine.google.com
*.cloud.google.com
*.gcp.gvt2.com
*.googleadapis.com
*.googleapis.cn
*.googlecommerce.com
*.googlevideo.com
*.google.ca
*.google.cl
*.google.com
*.google.com.ar
*.google.com.au
*.google.com.br
*.google.com.co
*.google.com.mx
*.google.com.tr
*.google.com.vn
*.google.co.in
*.google.co.jp
*.google.co.uk
*.google.de
*.google.es
*.google.fr
*.google.hu
*.google.it
*.google.nl
*.google.pl
*.google.pt
*.gstatic.cn
*.gstatic.com
*.gvt1.com
*.gvt2.com
*.metric.gstatic.com
*.urchin.com
*.url.google.com
*.youtubeeducation.com
*.youtube.com
*.ytimg.com
*.google-analytics.com
*.youtube-nocookie.com
sed -ne '
    s/^\( *\)Subject:/\1/p
    /X509v3 Subject Alternative Name/{
        N
        s/^.*\n//
        :a
        s/^\( *\)\(.*\), /\1\2\n\1/
        ta
        p
        q
    }' < <(openssl x509 -in cert.pem -noout -text)
Could be written:
sed -ne 's/^\( *\)Subject:/\1/p;/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\1\2\n\1/;ta;p;q; }' < <( openssl x509 -in cert.pem -noout -text )
And may render something like:
CN=www.example.com
DNS:il0001.sample.com
DNS:example.com
DNS:demodomain.com
DNS:testsite.com
DNS:www.il0001.sample.com
DNS:www.il0001.sample.com.vsite.il0001.sample.com
DNS:www.example.com
DNS:www.example.com.vsite.il0001.sample.com
DNS:www.demodomain.com
DNS:www.demodomain.com.vsite.il0001.sample.com
DNS:www.testsite.com
DNS:www.testsite.com.vsite.il0001.sample.com
sed -ne 's/^\( *\)Subject:/\1/p;/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\1\2\n\1/;ta;p;q; }' < <(
    openssl x509 -noout -text -in <(
        openssl s_client -ign_eof 2>/dev/null <<<$'HEAD / HTTP/1.0\r\n\r' \
            -connect google.com:443 ) )
May output:
C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com
DNS:*.google.com
DNS:*.android.com
DNS:*.appengine.google.com
DNS:*.cloud.google.com
DNS:*.gcp.gvt2.com
DNS:*.google-analytics.com
DNS:*.google.ca
DNS:*.google.cl
DNS:*.google.co.in
DNS:*.google.co.jp
DNS:*.google.co.uk
DNS:*.google.com.ar
DNS:*.google.com.au
DNS:*.google.com.br
DNS:*.google.com.co
DNS:*.google.com.mx
DNS:*.google.com.tr
DNS:*.google.com.vn
DNS:*.google.de
DNS:*.google.es
DNS:*.google.fr
DNS:*.google.hu
DNS:*.google.it
DNS:*.google.nl
DNS:*.google.pl
DNS:*.google.pt
DNS:*.googleadapis.com
DNS:*.googleapis.cn
DNS:*.googlecommerce.com
DNS:*.googlevideo.com
DNS:*.gstatic.cn
DNS:*.gstatic.com
DNS:*.gvt1.com
DNS:*.gvt2.com
DNS:*.metric.gstatic.com
DNS:*.urchin.com
DNS:*.url.google.com
DNS:*.youtube-nocookie.com
DNS:*.youtube.com
DNS:*.youtubeeducation.com
DNS:*.ytimg.com
DNS:android.clients.google.com
DNS:android.com
DNS:developer.android.google.cn
DNS:g.co
DNS:goo.gl
DNS:google-analytics.com
DNS:google.com
DNS:googlecommerce.com
DNS:urchin.com
DNS:www.goo.gl
DNS:youtu.be
DNS:youtube.com
DNS:youtubeeducation.com
As `< <(...)` is a bashism, the same commands have to be written:
openssl x509 -in cert.pem -noout -text | sed -ne '
    s/^\( *\)Subject:/\1/p
    /X509v3 Subject Alternative Name/{
        N
        s/^.*\n//
        :a
        s/^\( *\)\(.*\), /\1\2\n\1/
        ta
        p
        q
    }'
and
printf 'HEAD / HTTP/1.0\r\n\r\n' | openssl s_client -ign_eof 2>/dev/null -connect google.com:443 | openssl x509 -noout -text | sed -ne 's/^\( *\)Subject:/\1/p;/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\1\2\n\1/;ta;p;q; }'
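Both the `-ext subjectAltName` answer and the `sed` answer end at the same place: openssl hands you one comma-separated line and the rest is text parsing. The script below is an added example, not code posted by any of the answerers, that does that parsing once in POSIX sh + awk and reuses it for a file on disk and for a live server. It normalises every entry into a `TYPE<TAB>VALUE` pair instead of keying on `DNS:` alone, so `IP Address:`, `email:` and `URI:` entries (including IPv6 addresses and URIs, which contain their own colons) come out intact, and it needs no GNU-only `grep -P`. The only assumptions are that `openssl` is on PATH and that `-ext` exists (OpenSSL 1.1.1 or later); the file helper falls back to `-text` otherwise.

```shell
#!/bin/sh
# Added example, not code from the answers above. Turns the one-line SAN entry
# printed by `openssl x509 -noout -ext subjectAltName` (OpenSSL >= 1.1.1) or by
# `openssl x509 -noout -text` into one "TYPE<TAB>VALUE" pair per line.
# Assumes only POSIX sh, awk and an openssl binary on PATH.

# Read openssl text output on stdin; print each SAN entry as "TYPE\tVALUE".
san_entries() {
    awk '
        # Header line, e.g. "X509v3 Subject Alternative Name: critical";
        # the entries are on the single indented line that follows it.
        /X509v3 Subject Alternative Name/ { grab = 1; next }
        grab {
            # "DNS:example.com, IP Address:192.0.2.10, email:a@example.com"
            n = split($0, parts, ", ")
            for (i = 1; i <= n; i++) {
                entry = parts[i]
                sub(/^[ \t]+/, "", entry); sub(/[ \t\r]+$/, "", entry)
                if (entry == "") continue
                # Split on the FIRST colon only, so "IP Address:2001:db8::1"
                # and "URI:https://..." keep their own colons.
                c = index(entry, ":")
                if (c == 0) { printf "unknown\t%s\n", entry; continue }
                printf "%s\t%s\n", substr(entry, 1, c - 1), substr(entry, c + 1)
            }
            exit
        }'
}

# Only the DNS names (wildcards included), one per line.
san_dns() { san_entries | awk -F '\t' '$1 == "DNS" { print $2 }'; }

# PEM file on disk: try -ext first, fall back to -text on older OpenSSL.
san_from_file() {
    { openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null \
        || openssl x509 -noout -text -in "$1"; } | san_entries
}

# Live server: fetch the leaf certificate with s_client (SNI via -servername)
# and parse it; </dev/null makes s_client exit right after the handshake.
san_from_host() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text | san_entries
}

# Usage: ./san.sh cert.pem      or      ./san.sh --host example.com [port]
case "${1:-}" in
    "") ;;
    --host) san_from_host "$2" "${3:-443}" ;;
    *) san_from_file "$1" ;;
esac
```

Because `san_entries` reads plain text on stdin, it also works on a certificate you already dumped with `-text` (or on the `-certopt`-trimmed output from the second answer), and `san_entries | cut -f2` gives the bare values if you only want what the `grep -oP` one-liner prints.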