How much a stranger can learn about my certificate?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: s2.opuntia.ca

I ran this command: N/A

It produced this output: N/A

My web server is (include version): do not have a website, instead I use the certificates for other applications.

The operating system my web server runs on is (include version): ubuntu 22.04

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.10.0

I am looking for a web portal where we can verify a certificate issued by letsencrypt, showing relevant email address and other info associated with the certificate. I do not mean something like https://crt.sh, as it does not show such info. I already found something like this in one of the topics here, but unfortunately cannot find it anymore.

Thanks in advance for your help

I am looking for a web portal where we can verify a certificate issued by letsencrypt, showing relevant email address and other info associated with the certificate.

That information is not public.

7 Likes

Hello @arad, welcome to the Let's Encrypt community. :slightly_smiling_face:

"How to verify a certificate without an active website?"
Use the DNS-01 challenge of the Challenge Types - Let's Encrypt.

Or if you are saying you have an issued certificate you wish to check
sudo cat /etc/letsencrypt/live/s2.opuntia.ca/fullchain.pem

Each certificate will be surrounded with
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

And you can manually check each certificate in the chain with an online tool such as
https://redkestrel.co.uk/tools/decoder

4 Likes

crt.sh shows 100% of the available information about the certificate -- all of the information contained in the cert itself, and all of the extra information which can be gleaned from its issuer and revocation URLs.

It's unclear what you mean by "verify a certificate". Usually that would mean that you want to check that the signature is valid, and that the issuer is (transitively) trusted by your root store. It sounds like you want to... manually check some of the certificate details? What is your goal here?

7 Likes

Hi Aaron and thanks for the quick response!

Yes, I do not necessarily look for verification of my certificate, I just want to know how much a stranger can learn about who owns a certificate, like my email address, etc.

Thanks!

3 Likes

Thanks for clarifying. A stranger can only know the same things as crt.sh displays. If you provide an email address to your ACME client (which is always optional), that address is not tied to your certificates in any externally visible way.

7 Likes

Thanks again for your help!

4 Likes

For Domain Validation (DV) certificates, not much information about the Subject: is in the Certificate. There are Organization Validation (OV) certificates and Extended Validation (EV) certificates the Subject: generally carries a bit information; they are not that common today (in my opinion). So it is possible that an OV or EV might have an email address in it.

4 Likes

Also, on your Ubuntu command line, you can get this information for yourself from a certificate file by running the openssl x509 command on it.

For example

openssl x509 -text -noout -in cert.pem

where cert.pem is a certificate file on your Ubuntu system. You'll see some detailed output that represents all of the contents of that particular certificate.

(The -text option says that you want a textual description of the certificate contents, and the -noout option says that you don't want OpenSSL to output an additional machine-readable copy of the certificate data.)

4 Likes

Thanks guys for your quick and helpful responses.
This forum is awesome!

3 Likes