This is a record of the output obtained when connecting to a server with OpenSSL commands and checking the server's TLS/SSL certificate.
1. Environment
- OS : CentOS Linux release 8.5.2111
- OpenSSL : OpenSSL 1.1.1k FIPS 25 Mar 2021
[root@centos85 ~]# cat /etc/redhat-release
CentOS Linux release 8.5.2111
[root@centos85 ~]# openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
[root@centos85 ~]#
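2. Connect to a server and check its certificate
The following command displays the contents of the certificates.
openssl s_client -servername <server-name> -connect <FQDN>:<port> -showcerts
Below is the output when connecting to Qiita and checking its server certificate.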
[root@centos85 ~]# openssl s_client -servername qiita.com -connect qiita.com:443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M03
verify return:1
depth=0 CN = qiita.com
verify return:1
---
Certificate chain
0 s:CN = qiita.com
i:C = US, O = Amazon, CN = Amazon RSA 2048 M03
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M03
i:C = US, O = Amazon, CN = Amazon Root CA 1
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
2 s:C = US, O = Amazon, CN = Amazon Root CA 1
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
subject=CN = qiita.com
issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M03
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5573 bytes and written 433 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 8EF4C1DC877A929FB2B48B29EA2210E5E86D6F548EFD175AC9B1809236454766
Session-ID-ctx:
Master-Key: 9761906F094EA5DFC2A48CE00BB634CB0C2DCF28B12B5BDA12B20F6B7A2E78D1CF9DF92FF6CD7A34A7A96F47EB9767C7
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
Start Time: 1704667677
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
In this output,
- depth=2 C = US, O = Amazon, CN = Amazon Root CA 1 is the root certificate,
- depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M03 is the intermediate certificate, and
- depth=0 CN = qiita.com is the server certificate.
The text from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- is the certificate itself (PEM format).
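The "Certificate chain" section and the "Verify return code" line of the s_client output above can be checked mechanically; s_client completes the handshake even when verification fails, so the return code has to be read explicitly. The script below is an added example, not part of the original article: it lists each certificate the server sent, confirms that every issuer matches the subject of the next entry, and reads the verify return code. The function names are hypothetical and the sample input is an excerpt of the output shown above.

```sh
#!/bin/sh
# Added example (not from the original article); function names are hypothetical.

# Excerpt of the s_client output shown on the page, PEM bodies left out.
SAMPLE_OUTPUT='Certificate chain
 0 s:CN = qiita.com
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M03
 1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M03
   i:C = US, O = Amazon, CN = Amazon Root CA 1
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
---
Server certificate
subject=CN = qiita.com
---
    Verify return code: 0 (ok)'

# Live use: stdin from /dev/null lets s_client exit after the handshake.
fetch_chain() {
    openssl s_client -servername "$1" -connect "$1:${2:-443}" -showcerts </dev/null 2>/dev/null
}

# Print "index<TAB>subject<TAB>issuer" for every certificate the server sent.
chain_entries() {
    awk '
        /^Certificate chain/  { in_chain = 1; next }
        /^Server certificate/ { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { idx = $1; subj = $0; sub(/^ *[0-9]+ s:/, "", subj); next }
        in_chain && /^ *i:/ { iss = $0; sub(/^ *i:/, "", iss); printf "%s\t%s\t%s\n", idx, subj, iss }
    '
}

# Succeed only if each certificate's issuer is the subject of the next entry.
chain_is_linked() {
    chain_entries | awk -F '\t' '
        NR > 1 && $2 != prev_issuer {
            printf "break: cert %s is not the issuer of cert %s\n", $1, prev_idx
            bad = 1
        }
        { prev_issuer = $3; prev_idx = $1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Print the numeric value of the last "Verify return code" line.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Summarise the chain on stdin and fail on a verification error or a broken link.
check_chain() {
    output=$(cat)
    code=$(printf '%s\n' "$output" | verify_code)
    printf '%s\n' "$output" | chain_entries |
        awk -F '\t' '{ printf "cert %s: %s\n   issued by: %s\n", $1, $2, $3 }'
    if [ "$code" != "0" ]; then
        echo "FAIL: verify return code is ${code:-missing}"
        return 1
    fi
    printf '%s\n' "$output" | chain_is_linked || return 1
    echo "OK: chain is linked and verification succeeded"
}

printf '%s\n' "$SAMPLE_OUTPUT" | check_chain
```

Against a live server the same check is: fetch_chain qiita.com 443 | check_chain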
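3. Connect to a server and check its certificate (text form)
The following command displays the certificate contents in text form.
openssl s_client -servername <server-name> -connect <FQDN>:<port> | openssl x509 -text -noout
Below is the output when connecting to Qiita and checking its server certificate in text form.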
[root@centos85 ~]# openssl s_client -servername qiita.com -connect qiita.com:443 | openssl x509 -text -noout
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M03
verify return:1
depth=0 CN = qiita.com
verify return:1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0a:8e:cf:e7:65:a1:75:e6:a2:bf:63:d1:13:19:6c:46
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Amazon, CN = Amazon RSA 2048 M03
Validity
Not Before: Nov 4 00:00:00 2023 GMT
Not After : Dec 2 23:59:59 2024 GMT
Subject: CN = qiita.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:55:D9:18:5F:D2:1C:CC:01:E1:58:B4:BE:AB:D9:55:42:01:D7:2E:02
X509v3 Subject Key Identifier:
5B:D6:F0:87:77:59:10:DA:4A:85:D8:83:46:05:CC:82:BD:81:89:D9
X509v3 Subject Alternative Name:
DNS:qiita.com, DNS:*.qiita.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.r2m03.amazontrust.com/r2m03.crl
Authority Information Access:
OCSP - URI:http://ocsp.r2m03.amazontrust.com
CA Issuers - URI:http://crt.r2m03.amazontrust.com/r2m03.cer
X509v3 Basic Constraints: critical
CA:FALSE
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
Timestamp : Nov 4 00:32:54.925 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:E7:60:C7:81:33:C6:FC:04:01:FA:01:
A9:B0:C8:74:D8:6E:18:8B:12:1F:AC:2C:D5:B1:7F:1D:
C1:81:0D:8B:6E:02:21:00:C5:64:7F:95:96:D9:C2:F6:
EE:85:7F:F5:D2:3B:17:23:24:61:12:35:D6:B9:F9:17:
AF:44:47:EE:B0:D6:5C:CE
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
Timestamp : Nov 4 00:32:54.882 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:06:FE:E6:A3:76:B9:B0:6D:F3:DD:83:2A:
9C:C5:56:B5:F7:4C:9D:D7:FC:BA:7B:B8:77:24:59:2F:
3E:1E:90:2A:02:20:41:89:32:D3:1B:01:F8:E3:64:E7:
42:16:21:BC:01:53:9A:2E:55:08:AB:3C:F8:90:91:2D:
A2:9C:08:BA:37:0F
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : DA:B6:BF:6B:3F:B5:B6:22:9F:9B:C2:BB:5C:6B:E8:70:
91:71:6C:BB:51:84:85:34:BD:A4:3D:30:48:D7:FB:AB
Timestamp : Nov 4 00:32:54.870 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:6D:BB:87:A9:93:2D:B0:08:AD:88:A5:95:
FA:AE:6A:9F:C9:16:4E:62:72:43:B7:6B:DE:FC:95:78:
8E:1E:A8:EB:02:20:22:C9:29:0A:D2:B6:8C:A1:22:51:
98:66:75:C7:EF:CC:9C:B6:7A:53:A2:28:6D:80:7B:EB:
F4:3A:54:47:7F:E6
Signature Algorithm: sha256WithRSAEncryption
The table below maps the fields in this output to the items shown when the certificate is opened with the Windows "Crypto Shell Extensions" viewer.
openssl output field | Crypto Shell Extensions item |
---|---|
Version | (1) Version |
Serial Number | (2) Serial number |
Signature Algorithm | (3) Signature algorithm |
Issuer | (4) Issuer |
Validity(Not Before) | (5) Valid from |
Validity(Not After) | (6) Valid to |
Subject | (7) Subject |
Public Key Algorithm | (8) Public key |
Modulus | (8) Public key |
Exponent | (8) Public key |
X509v3 Authority Key Identifier | (9) Authority Key Identifier |
X509v3 Subject Key Identifier | (10) Subject Key Identifier |
X509v3 Subject Alternative Name | (11) Subject Alternative Name |
X509v3 Certificate Policies | (12) Certificate Policies |
X509v3 Key Usage | (13) Key Usage |
X509v3 Extended Key Usage | (14) Enhanced Key Usage |
X509v3 CRL Distribution Points | (15) CRL Distribution Points |
Authority Information Access | (16) Authority Information Access |
X509v3 Basic Constraints | (17) Basic Constraints |
CT Precertificate SCTs | (18) SCT List |
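
Several of the fields in this table are the ones a reviewer checks on every certificate. The script below is an added example, not part of the original article: it reads openssl x509 -text -noout output in the OpenSSL 1.1.1 layout shown above and checks that a host name is covered by the Subject Alternative Name list (a wildcard covers exactly one left-most label), that the RSA key is at least 2048 bits, and that the signature does not use MD5 or SHA-1. The function names and these thresholds are assumptions of the example; the sample input is an excerpt of the output shown above.

```sh
#!/bin/sh
# Added example (not from the original article); function names are hypothetical.

# Excerpt of the `openssl x509 -text -noout` output shown on the page.
CERT_TEXT='Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject: CN = qiita.com
        Subject Public Key Info:
                RSA Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:qiita.com, DNS:*.qiita.com
            X509v3 Basic Constraints: critical
                CA:FALSE'

# Print one dNSName per line from the Subject Alternative Name extension.
san_dns_names() {
    awk '
        found {
            n = split($0, parts, /, */)
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+/, "", parts[i])
                if (parts[i] ~ /^DNS:/) print substr(parts[i], 5)
            }
            exit
        }
        /X509v3 Subject Alternative Name:/ { found = 1 }
    '
}

# Succeed if host $1 equals a SAN entry or matches a "*." entry by one label.
host_matches_san() {
    san_dns_names | awk -v host="$1" '
        BEGIN { host = tolower(host); rc = 1 }
        {
            name = tolower($0)
            if (name == host) rc = 0
            else if (substr(name, 1, 2) == "*.") {
                suffix = substr(name, 2)                 # e.g. ".qiita.com"
                label_len = length(host) - length(suffix)
                if (label_len > 0 &&
                    substr(host, label_len + 1) == suffix &&
                    index(substr(host, 1, label_len), ".") == 0) rc = 0
            }
        }
        END { exit rc }
    '
}

# Print the RSA key size (OpenSSL 1.1.1 prints "RSA Public-Key: (N bit)").
rsa_key_bits() {
    sed -n 's/.*RSA Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Audit the certificate text on stdin for host $1; non-zero exit on any finding.
audit_cert() {
    text=$(cat)
    findings=0
    bits=$(printf '%s\n' "$text" | rsa_key_bits)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "FAIL: RSA key is only $bits bits"; findings=1
    fi
    case "$sigalg" in
        md5*|sha1*|*SHA1) echo "FAIL: weak signature algorithm $sigalg"; findings=1 ;;
    esac
    if ! printf '%s\n' "$text" | host_matches_san "$1"; then
        echo "FAIL: $1 is not covered by the SAN list"; findings=1
    fi
    if [ "$findings" -eq 0 ]; then echo "OK: $1"; fi
    return "$findings"
}

printf '%s\n' "$CERT_TEXT" | audit_cert qiita.com
```

For a certificate file, the -checkhost option listed in the openssl x509 help output performs the host-name match natively.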
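Opening the certificate with the Windows "Crypto Shell Extensions" viewer shows the following.
[Screenshot: the certificate opened in the Windows "Crypto Shell Extensions" viewer]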
If -noout is not specified, the PEM-format certificate is displayed as well.
openssl s_client -servername <server-name> -connect <FQDN>:<port> | openssl x509 -text
[root@centos85 ~]# openssl s_client -servername qiita.com -connect qiita.com:443 | openssl x509 -text
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M03
verify return:1
depth=0 CN = qiita.com
verify return:1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0a:8e:cf:e7:65:a1:75:e6:a2:bf:63:d1:13:19:6c:46
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Amazon, CN = Amazon RSA 2048 M03
Validity
Not Before: Nov 4 00:00:00 2023 GMT
Not After : Dec 2 23:59:59 2024 GMT
Subject: CN = qiita.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:55:D9:18:5F:D2:1C:CC:01:E1:58:B4:BE:AB:D9:55:42:01:D7:2E:02
X509v3 Subject Key Identifier:
5B:D6:F0:87:77:59:10:DA:4A:85:D8:83:46:05:CC:82:BD:81:89:D9
X509v3 Subject Alternative Name:
DNS:qiita.com, DNS:*.qiita.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.r2m03.amazontrust.com/r2m03.crl
Authority Information Access:
OCSP - URI:http://ocsp.r2m03.amazontrust.com
CA Issuers - URI:http://crt.r2m03.amazontrust.com/r2m03.cer
X509v3 Basic Constraints: critical
CA:FALSE
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
Timestamp : Nov 4 00:32:54.925 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:E7:60:C7:81:33:C6:FC:04:01:FA:01:
A9:B0:C8:74:D8:6E:18:8B:12:1F:AC:2C:D5:B1:7F:1D:
C1:81:0D:8B:6E:02:21:00:C5:64:7F:95:96:D9:C2:F6:
EE:85:7F:F5:D2:3B:17:23:24:61:12:35:D6:B9:F9:17:
AF:44:47:EE:B0:D6:5C:CE
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
Timestamp : Nov 4 00:32:54.882 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:06:FE:E6:A3:76:B9:B0:6D:F3:DD:83:2A:
9C:C5:56:B5:F7:4C:9D:D7:FC:BA:7B:B8:77:24:59:2F:
3E:1E:90:2A:02:20:41:89:32:D3:1B:01:F8:E3:64:E7:
42:16:21:BC:01:53:9A:2E:55:08:AB:3C:F8:90:91:2D:
A2:9C:08:BA:37:0F
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : DA:B6:BF:6B:3F:B5:B6:22:9F:9B:C2:BB:5C:6B:E8:70:
91:71:6C:BB:51:84:85:34:BD:A4:3D:30:48:D7:FB:AB
Timestamp : Nov 4 00:32:54.870 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:6D:BB:87:A9:93:2D:B0:08:AD:88:A5:95:
FA:AE:6A:9F:C9:16:4E:62:72:43:B7:6B:DE:FC:95:78:
8E:1E:A8:EB:02:20:22:C9:29:0A:D2:B6:8C:A1:22:51:
98:66:75:C7:EF:CC:9C:B6:7A:53:A2:28:6D:80:7B:EB:
F4:3A:54:47:7F:E6
Signature Algorithm: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
The text from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- is the certificate itself (PEM format).
4. Display a certificate file in text form
To display a certificate file in text form, use the following command.
openssl x509 -text -noout -in <certificate-file-path>
[root@centos85 ~]# openssl x509 -text -noout -in ./qiita.com.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0a:8e:cf:e7:65:a1:75:e6:a2:bf:63:d1:13:19:6c:46
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Amazon, CN = Amazon RSA 2048 M03
Validity
Not Before: Nov 4 00:00:00 2023 GMT
Not After : Dec 2 23:59:59 2024 GMT
Subject: CN = qiita.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:55:D9:18:5F:D2:1C:CC:01:E1:58:B4:BE:AB:D9:55:42:01:D7:2E:02
X509v3 Subject Key Identifier:
5B:D6:F0:87:77:59:10:DA:4A:85:D8:83:46:05:CC:82:BD:81:89:D9
X509v3 Subject Alternative Name:
DNS:qiita.com, DNS:*.qiita.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.r2m03.amazontrust.com/r2m03.crl
Authority Information Access:
OCSP - URI:http://ocsp.r2m03.amazontrust.com
CA Issuers - URI:http://crt.r2m03.amazontrust.com/r2m03.cer
X509v3 Basic Constraints: critical
CA:FALSE
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
Timestamp : Nov 4 00:32:54.925 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:E7:60:C7:81:33:C6:FC:04:01:FA:01:
A9:B0:C8:74:D8:6E:18:8B:12:1F:AC:2C:D5:B1:7F:1D:
C1:81:0D:8B:6E:02:21:00:C5:64:7F:95:96:D9:C2:F6:
EE:85:7F:F5:D2:3B:17:23:24:61:12:35:D6:B9:F9:17:
AF:44:47:EE:B0:D6:5C:CE
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
Timestamp : Nov 4 00:32:54.882 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:06:FE:E6:A3:76:B9:B0:6D:F3:DD:83:2A:
9C:C5:56:B5:F7:4C:9D:D7:FC:BA:7B:B8:77:24:59:2F:
3E:1E:90:2A:02:20:41:89:32:D3:1B:01:F8:E3:64:E7:
42:16:21:BC:01:53:9A:2E:55:08:AB:3C:F8:90:91:2D:
A2:9C:08:BA:37:0F
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : DA:B6:BF:6B:3F:B5:B6:22:9F:9B:C2:BB:5C:6B:E8:70:
91:71:6C:BB:51:84:85:34:BD:A4:3D:30:48:D7:FB:AB
Timestamp : Nov 4 00:32:54.870 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:6D:BB:87:A9:93:2D:B0:08:AD:88:A5:95:
FA:AE:6A:9F:C9:16:4E:62:72:43:B7:6B:DE:FC:95:78:
8E:1E:A8:EB:02:20:22:C9:29:0A:D2:B6:8C:A1:22:51:
98:66:75:C7:EF:CC:9C:B6:7A:53:A2:28:6D:80:7B:EB:
F4:3A:54:47:7F:E6
Signature Algorithm: sha256WithRSAEncryption
[root@centos85 ~]#
To display a private key file or a CSR file in text form instead of a certificate file, use the following commands.
[Private key file]
openssl rsa -text -noout -in <private-key-file-path>
[CSR file]
openssl req -text -noout -in <CSR-file-path>
5. Other display options
The openssl x509 command can also display specific parts of a certificate.
Some examples follow.
- Display the subject
openssl x509 -subject -noout -in <certificate-file-path>
[root@centos85 ~]# openssl x509 -subject -noout -in ./qiita.com.crt
subject=CN = qiita.com
[root@centos85 ~]#
- Display the purposes
openssl x509 -purpose -noout -in <certificate-file-path>
[root@centos85 ~]# openssl x509 -purpose -noout -in ./qiita.com.crt
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
[root@centos85 ~]#
- Display the validity period
openssl x509 -dates -noout -in <certificate-file-path>
[root@centos85 ~]# openssl x509 -dates -noout -in ./qiita.com.crt
notBefore=Nov 4 00:00:00 2023 GMT
notAfter=Dec 2 23:59:59 2024 GMT
[root@centos85 ~]#
There are many other options as well.
The following command shows the help for the openssl x509 command.
openssl x509 -help
[root@centos85 ~]# openssl x509 -help
Usage: x509 [options]
Valid options are:
-help Display this summary
-inform format Input format - default PEM (one of DER or PEM)
-in infile Input file - default stdin
-outform format Output format - default PEM (one of DER or PEM)
-out outfile Output file - default stdout
-keyform PEM|DER|ENGINE Private key format - default PEM
-passin val Private key password/pass-phrase source
-serial Print serial number value
-subject_hash Print subject hash value
-issuer_hash Print issuer hash value
-hash Synonym for -subject_hash
-subject Print subject DN
-issuer Print issuer DN
-email Print email address(es)
-startdate Set notBefore field
-enddate Set notAfter field
-purpose Print out certificate purposes
-dates Both Before and After dates
-modulus Print the RSA key modulus
-pubkey Output the public key
-fingerprint Print the certificate fingerprint
-alias Output certificate alias
-noout No output, just status
-nocert No certificate output
-ocspid Print OCSP hash values for the subject name and public key
-ocsp_uri Print OCSP Responder URL(s)
-trustout Output a trusted certificate
-clrtrust Clear all trusted purposes
-clrext Clear all certificate extensions
-addtrust val Trust certificate for a given purpose
-addreject val Reject certificate for a given purpose
-setalias val Set certificate alias
-days int How long till expiry of a signed certificate - def 30 days
-checkend intmax Check whether the cert expires in the next arg seconds
Exit 1 if so, 0 if not
-signkey val Self sign cert with arg
-x509toreq Output a certification request object
-req Input is a certificate request, sign and output
-CA infile Set the CA certificate, must be PEM format
-CAkey val The CA key, must be PEM format; if not in CAfile
-CAcreateserial Create serial number file if it does not exist
-CAserial val Serial file
-set_serial val Serial number to use
-text Print the certificate in text form
-ext val Print various X509V3 extensions
-C Print out C code forms
-extfile infile File with X509V3 extensions to add
-rand val Load the file(s) into the random number generator
-writerand outfile Write random data to the specified file
-extensions val Section from config file to use
-nameopt val Various certificate name options
-certopt val Various certificate text options
-checkhost val Check certificate matches host
-checkemail val Check certificate matches email
-checkip val Check certificate matches ipaddr
-CAform PEM|DER CA format - default PEM
-CAkeyform PEM|DER|ENGINE CA key format - default PEM
-sigopt val Signature parameter in n:v form
-force_pubkey infile Force the Key to put inside certificate
-next_serial Increment current certificate serial number
-clrreject Clears all the prohibited or rejected uses of the certificate
-badsig Corrupt last byte of certificate signature (for test)
-* Any supported digest
-subject_hash_old Print old-style (MD5) subject hash value
-issuer_hash_old Print old-style (MD5) issuer hash value
-engine val Use engine, possibly a hardware device
-preserve_dates preserve existing dates when signing
[root@centos85 ~]#
That's all.