Objective: Decode a PEM encoded SSL certificate and verify that it contains the correct information.
A PEM encoded certificate is a block of encoded text that contains all of the certificate information and the public key. A PEM file contains ASCII data in Base64 format that starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----". To decode the file, we use the openssl utility.
So, if the certificate file is named cert.pem, run openssl like this:
    $ openssl x509 -in cert.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                01:71:67:fc:04:8e:58:2d:8d:66:d5:7e:11:06:61:58:ca:20
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1
            Validity
                Not Before: Jan  2 07:22:00 2016 GMT
                Not After : Apr  1 07:22:00 2016 GMT
            Subject: CN=digitalinternals.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:a3:07:48:c0:f5:6c:3d:d4:d8:8a:54:e1:3e:5d:
                        4b:86:9c:02:2c:db:01:75:11:04:3b:e5:6a:24:31:
                        24:0d:e1:30:3c:7f:c0:1b:66:59:49:91:1c:44:69:
                        e7:52:f5:96:97:bb:20:73:10:5f:46:16:f3:6e:c6:
                        a9:f9:fd:0e:ae:56:1d:77:5e:90:92:f0:c6:ae:26:
                        60:2a:c6:55:5d:47:ae:37:3e:08:0e:eb:7b:2d:9a:
                        e4:ae:9d:9e:1b:97:95:d2:46:28:17:d8:6d:54:b5:
                        21:3a:34:a4:d3:c2:ed:e2:0b:a7:e6:34:70:eb:78:
                        4a:31:1b:07:98:82:1a:d7:5b:3b:2a:39:b8:e8:3c:
                        16:0c:05:1a:cb:fb:89:7f:3d:c5:a6:1b:f5:53:a3:
                        a4:4a:bc:07:1a:ef:91:16:e5:8e:eb:73:d3:28:ae:
                        66:29:82:6a:c6:72:f3:52:b8:1d:56:01:36:b7:3b:
                        fb:15:8a:06:38:3f:ba:1a:01:67:61:36:d8:3f:53:
                        a3:fd:06:5c:75:a5:0e:d0:64:92:94:3d:a1:19:e6:
                        b8:20:2c:60:25:c5:12:cb:8f:c7:26:10:a4:92:38:
                        f5:df:84:5d:bd:a2:20:de:82:60:d6:aa:3f:99:bc:
                        80:26:50:69:d8:6f:b8:82:69:6d:22:07:f9:1c:6f:
                        97:a5
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    E7:69:9D:E3:E1:EB:ED:60:49:DD:88:FE:9D:64:D2:58:46:1A:C3:BD
                X509v3 Authority Key Identifier:
                    keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
                Authority Information Access:
                    OCSP - URI:http://ocsp.int-x1.letsencrypt.org/
                    CA Issuers - URI:http://cert.int-x1.letsencrypt.org/
                X509v3 Subject Alternative Name:
                    DNS:stackpointer.io, DNS:digitalinternals.com
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1
                    Policy: 1.3.6.1.4.1.44947.1.1.1
                      CPS: http://cps.letsencrypt.org
                      User Notice:
                        Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
        Signature Algorithm: sha256WithRSAEncryption
             7e:f3:3e:88:c1:93:8a:90:9b:29:37:f9:a3:79:9e:41:29:2e:
             e2:d8:4f:cd:4b:ad:8f:a2:7e:1b:36:41:c5:b3:76:1b:e3:46:
             72:33:30:1c:ff:cf:fb:df:01:1a:47:97:a6:65:e6:38:cb:c6:
             e2:e9:3d:a1:f1:bc:58:28:d6:b5:4f:47:f1:96:5d:c9:0e:ec:
             8f:c9:0c:71:62:3e:ea:fc:6b:23:fd:b5:50:b5:cf:af:3b:53:
             f2:8f:40:fe:0b:7e:ff:e5:fe:80:1f:87:d2:b1:e1:a6:5c:fa:
             08:9a:09:12:73:2b:f5:20:eb:f5:fc:88:60:ca:ef:df:c5:ed:
             f5:d1:58:77:2b:fc:e4:6c:a0:59:62:02:60:6f:1e:a1:36:35:
             0b:56:4d:02:75:b6:46:b2:e1:b5:2e:e1:bd:25:0c:08:24:98:
             be:82:45:1e:64:d0:c0:52:33:d0:2e:9d:df:6b:40:94:52:db:
             cb:1d:c3:e9:95:46:b7:9a:a5:f5:1c:09:d2:18:82:6c:e9:cf:
             69:a9:8f:39:02:9c:7c:af:6f:d8:0e:c3:11:5b:7c:c2:9f:31:
             e0:ba:d8:4a:cc:a3:97:50:34:c8:68:16:77:12:18:a3:d1:94:
             48:de:de:5a:dd:a9:da:ee:78:b6:63:74:ad:9c:e6:ea:f3:8c:
             15:c8:d9:2e
Once decoded, you can read all of the certificate's details: the signature algorithm, the validity dates, the key length, the domain names it covers (the subject CN and the Subject Alternative Names), and so on.
If the certificate file is corrupted (for example, the Base64 body was mangled in transit), openssl fails to load it with an error similar to the one below.
    $ openssl x509 -in cert.pem -text -noout
    unable to load certificate
    139837245023904:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:818:
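The steps above (decode the PEM, read the fields, and notice when the file will not load) can be turned into a repeatable check. The script below is an added example and is not code from the original post. It assumes the openssl command-line tool is on PATH; the certificate it inspects is a throwaway self-signed one that the script generates itself, and the hostnames example.test and www.example.test are constructed placeholders, not a real site. The cert_check function fails if the file does not load, has expired, or does not name the expected host exactly in its Subject Alternative Name (or, for certificates without a SAN, in the subject CN).

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI is
# on PATH. The certificate inspected here is a throwaway self-signed one that
# this script generates itself; the hostnames example.test and
# www.example.test are constructed placeholders.

# cert_check FILE HOSTNAME
# Exit status 0 if FILE loads as a PEM certificate, has not expired, and names
# HOSTNAME in its Subject Alternative Name (or, failing that, its subject CN).
# Exit status 1 otherwise, with the reason printed.
cert_check() {
    file="$1"
    host="$2"

    # 1. Parse check. A corrupted PEM fails here, which is the
    #    "unable to load certificate ... bad base64 decode" case shown above.
    if ! openssl x509 -in "$file" -noout 2>/dev/null; then
        echo "FAIL: $file does not load as a PEM certificate"
        return 1
    fi

    # 2. The fields a reviewer checks by eye: subject, issuer, dates, serial.
    openssl x509 -in "$file" -noout -subject -issuer -dates -serial

    # 3. Validity window. -checkend 0 exits non-zero if the certificate has
    #    already expired (it does not check the notBefore date).
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null; then
        echo "FAIL: $file has expired"
        return 1
    fi

    # 4. Hostname coverage. Take the line after the SAN header in -text output,
    #    split it on commas, and require an exact "DNS:<host>" entry, so that
    #    "DNS:example.test" does not accept a request for "ample.test".
    if openssl x509 -in "$file" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//' \
        | grep -qx "DNS:$host"; then
        echo "OK: $file lists $host in subjectAltName"
        return 0
    fi
    # Fallback for certificates without a SAN: compare the subject CN exactly.
    # Handles both "subject=CN = x" (1.1+/3.x) and "subject= /CN=x" (1.0).
    cn=$(openssl x509 -in "$file" -noout -subject \
        | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p' | sed 's/ *$//')
    if [ "$cn" = "$host" ]; then
        echo "OK: $file subject CN is $host (no SAN entry)"
        return 0
    fi
    echo "FAIL: $file does not cover $host"
    return 1
}

# make_demo_certs DIR
# Writes DIR/cert.pem (a valid 1-day self-signed certificate with a SAN) and
# DIR/broken.pem (the same file with a non-Base64 character injected into the
# body, which is the kind of corruption that produces "bad base64 decode").
make_demo_certs() {
    dir="$1"
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = example.test
[v3]
subjectAltName = DNS:example.test,DNS:www.example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -config "$dir/san.cnf" 2>/dev/null
    sed '2s/^./!/' "$dir/cert.pem" > "$dir/broken.pem"
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_certs "$DEMO_DIR"

for f in cert.pem broken.pem; do
    if cert_check "$DEMO_DIR/$f" example.test; then
        echo "-> $f accepted"
    else
        echo "-> $f rejected"
    fi
done
```

Run it with sh to see the good certificate accepted and the corrupted copy rejected; to check a real file, call cert_check with the certificate path and the hostname the service is expected to serve. The exact-match test on the SAN entries is deliberate: substring matching on "-text" output is a common mistake that lets a certificate for one name pass a check for another.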