sslhttpsopensslpem

openssl -- extract common name from a PEM file


I have a X509 PEM file with content like

-----BEGIN CERTIFICATE-----
MIIDaaaaaaa==
-----END CERTIFICATE-----

To get its common name (CN, understood as the url where it can be used). As the red square shows, a modern browser can read CN from a PEM file. However, I do not find such from output of openssl x509 --help.

enter image description here


Solution

  • OpenSSL's command-line tools do not provide a way to extract just the common name from a certificate's subject distinguished name.

    You have to parse the text yourself some way.

    Per OpenSSL'x x509 man page, you can use -subject to get the subject's distinguished name:

    OPTIONS

    Input, Output, and General Purpose Options

    ...

    -subject

    Outputs the subject name.

    ...

    But you want just the common name from that DN. There's also

    -nameopt option

    Option which determines how the subject or issuer names are displayed. The option argument can be a single option or multiple options separated by commas. Alternatively the -nameopt switch may be used more than once to set multiple options. See the NAME OPTIONS section for more information.

    and from that NAME OPTIONS section there is

    multiline

    A multiline format. It is equivalent esc_ctrl, esc_msb, sep_multiline, space_eq, lname and align.

    Splitting the subject DN components across multiple lines makes automated parsing trivial.

    Using

    openssl x509 -in filnname.pem -noout -subject -nameopt multiline
    

    will produce output like

    subject=
        commonName          = CommonName
         .
         .
         .
        organizationName    = OrgName
        countryName         = Country
    

    If you're running on Linux, you can process that text output:

    openssl x509 -in file.pem -noout -subject -nameopt multiline |\
        grep commonName | awk '{ print $3 }'
    

    If you need to handle spaces in the common name:

    openssl x509 -in file.pem -noout -subject -nameopt multiline |\
        grep commonName | awk '{ $1=$2=""; print $3 }'
    

    Unfortunately, that will replace each instance of multiple spaces in the common name with a single space. Normally, spaces are not found in certificate common names, but they are possible.

    And "CN, understood as the url where it can be used" is not correct. The subject common name can be the URL, but the CN's use in validating a web site has been deprecated for over 20 years:

    Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

    Subject alternative names are used:

    As noted, a client MUST NOT seek a match for a reference identifier of CN-ID if the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types supported by the client.

    Browsers such as Chrome and Firefox have been ignoring subject common names when doing certificate validation for about five years now.