问题描述
有没有办法以编程方式检查 SAN SSL 证书的主题备用名称?
Is there a way to programmatically check the Subject Alternative Names of a SAN SSL cert?
例如,使用以下命令我可以获得很多信息,但不是所有的 SAN:
Using, for instance, the following command I can get many info but not all the SANs:
openssl s_client -connect www.website.com:443
非常感谢!
推荐答案
要获取证书的主题备用名称 (SAN),请使用以下命令:
To get the Subject Alternative Names (SAN) for a certificate, use the following command:
openssl s_client -connect website.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:
首先,此命令连接到我们想要的站点(website.com,SSL 端口 443):
First, this command connects to the site we want (website.com, port 443 for SSL):
openssl s_client -connect website.com:443
然后通过管道 (|
) 将其导入此命令:
Then pipe (|
) that into this command:
openssl x509 -noout -text
这将获取证书文件并输出其所有详细信息.-noout
标志阻止它输出我们不需要的(base64 编码的)证书文件本身.-text
标志告诉它以文本形式输出证书详细信息.
This takes the certificate file and outputs all its juicy details. The -noout
flag keeps it from outputting the (base64-encoded) certificate file itself, which we don't need. The -text
flag tells it to output the certificate details in text form.
通常有很多我们不关心的输出(签名、发行者、扩展等),所以我们将那些传送到一个简单的 grep 中:
Normally there's a whole lot of output (signature, issuer, extensions, etc) that we don't care about, so then we pipe that into a simple grep:
grep DNS:
由于 SAN 条目以 DNS:
开头,因此仅返回包含该内容的行,去除所有其他信息并为我们留下所需的信息.
Since the SAN entries begin with DNS:
this simply returns only the lines that contain that, stripping out all the other info and leaving us with the desired information.
您可能会注意到该命令并没有完全退出;openssl s_client
实际上充当客户端并保持连接打开,等待输入.如果您希望它立即退出(例如,解析 shell 脚本中的输出),只需将 echo
用管道输送到其中:
You may note that the command does not cleanly exit; openssl s_client
actually acts as a client and leaves the connection open, waiting for input. If you want it to immediately exit (e.g. to parse the output in a shell script) simply pipe echo
into it:
echo | openssl s_client -connect website.com:443 | openssl x509 -noout -text | grep DNS:
如何直接从文件中获取 SAN?
为此,您不需要 openssl s_client
命令.只需在 openssl x509
命令上添加 -in MyCertificate.crt
并再次通过 grep,例如:
How do I get the SAN directly from a file?
For this, you don't need the openssl s_client
command. Just add -in MyCertificate.crt
on the openssl x509
command and once again pipe through grep, e.g.:
openssl x509 -noout -text -in MyCertificate.crt | grep DNS:
这篇关于如何检查 SSL/TLS 证书的主题备用名称?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!