Openssl x509 print "Subject Alternative Name" (SAN)?


#1

Is there a command to print the cert “Subject Alternative Name” (SAN) with openssl x509 -in ?

I have found only a command to print the “common name”: -subject

Please without -text


#2

Hi @slart, I’ve never seen a way to do that. I just did a search and found that people have asked the same question on StackOverflow a number of times, and all of the answers appeared to suggest parsing the output from -text, or else writing a program to do it.

We do have logic in Certbot to do this from Python, and you can find it in

if you wanted to try to adapt it into a standalone Python program.

I also looked at certtool from GNUTLS, which sometimes has options that openssl doesn’t, but I didn’t see an easy way to do this with that program either.


#3

I checked and the actual implementation is at

Note that it’s doing regular expression parsing of the text output, only within Python. According to the comment, there is apparently a nicer way to do it that’s less backwards-compatible.


#4

Hi slart

Have a look at HTTPSforFree Code.

var domains = [];
try{
var csrAsn1 = ASN1.decode(Base64.decode(unarmor.exec(csr)[1]));

    // look for commonName in attributes
    if(csrAsn1.sub[0].sub[1].sub){
        var csrIds = csrAsn1.sub[0].sub[1].sub;
        for(var i = 0; i < csrIds.length; i++){
            var oidRaw = csrIds[i].sub[0].sub[0];
            var oidStart = oidRaw.header + oidRaw.stream.pos;
            var oidEnd = oidRaw.length + oidRaw.stream.pos + oidRaw.header;
            var oid = oidRaw.stream.parseOID(oidStart, oidEnd, Infinity);
            if(oid === "2.5.4.3"){
                var cnRaw = csrIds[i].sub[0].sub[1];
                var cnStart = cnRaw.header + cnRaw.stream.pos;
                var cnEnd = cnRaw.length + cnRaw.stream.pos + cnRaw.header;
                domains.push(cnRaw.stream.parseStringUTF(cnStart, cnEnd));
            }
        }
    }

    // look for subjectAltNames
    if(csrAsn1.sub[0].sub[3].sub){

        // find the PKCS#9 ExtensionRequest
        var xtns = csrAsn1.sub[0].sub[3].sub;
        for(var i = 0; i < xtns.length; i++){
            var oidRaw = xtns[i].sub[0];
            var oidStart = oidRaw.header + oidRaw.stream.pos;
            var oidEnd = oidRaw.length + oidRaw.stream.pos + oidRaw.header;
            var oid = oidRaw.stream.parseOID(oidStart, oidEnd, Infinity);
            if(oid === "1.2.840.113549.1.9.14"){

                // find any subjectAltNames
                for(var j = 0; j < xtns[i].sub[1].sub.length ? xtns[i].sub[1].sub : 0; j++){
                    for(var k = 0; k < xtns[i].sub[1].sub[j].sub.length ? xtns[i].sub[1].sub[j].sub : 0; k++){
                        var oidRaw = xtns[i].sub[1].sub[j].sub[k].sub[0];
                        var oidStart = oidRaw.header + oidRaw.stream.pos;
                        var oidEnd = oidRaw.length + oidRaw.stream.pos + oidRaw.header;
                        var oid = oidRaw.stream.parseOID(oidStart, oidEnd, Infinity);
                        if(oid === "2.5.29.17"){

                            // add each subjectAltName
                            var sans = xtns[i].sub[1].sub[j].sub[k].sub[1].sub[0].sub;
                            for(var s = 0; s < sans.length; s++){
                                var sanRaw = sans[s];
                                var tag = sanRaw.tag.tagNumber;
                                if(tag !== 2)
                                    continue; // ignore any other subjectAltName type than dNSName (2)
                                var sanStart = sanRaw.header + sanRaw.stream.pos;
                                var sanEnd = sanRaw.length + sanRaw.stream.pos + sanRaw.header;
                                domains.push(sanRaw.stream.parseStringUTF(sanStart, sanEnd));
                            }
                        }
                    }
                }
            }
        }
    }
}

#5

esentially you need to use a AS1N parsing tool and look for an oid which has sans


#6

Ooops. I had searched for a simpler way than “… -text | grep …”. :wink:


#7

so did you find a better way? if so share with the class please :smiley:


#8

openssl x509 -in XXX.crt -text -noout | grep ‘DNS:’ is probably the best. Any particular reason you want to avoid ‘-text’?

If you are using Perl, the following for example would work too:

perl -MCrypt::OpenSSL::X509 -e “print Crypt::OpenSSL::X509->new_from_file(‘XXX.crt’)->extensions_by_name()->{‘subjectAltName’}->value;”

NB: The above will fail if SAN is not present, but I guess in this particular case it’s irrelevant.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.