I have a X509 PEM file with content like
-----BEGIN CERTIFICATE-----
MIIDaaaaaaa==
-----END CERTIFICATE-----
To get its common name (CN, understood as the url where it can be used).
As the red square shows, a modern browser can read CN from a PEM file.
However, I do not find such from output of openssl x509 --help
.
OpenSSL's command-line tools do not provide a way to extract just the common name from a certificate's subject distinguished name.
You have to parse the text yourself some way.
Per OpenSSL'x x509
man page, you can use -subject
to get the subject's distinguished name:
OPTIONS
Input, Output, and General Purpose Options
...
-subject
Outputs the subject name.
...
But you want just the common name from that DN. There's also
-nameopt option
Option which determines how the subject or issuer names are displayed. The option argument can be a single option or multiple options separated by commas. Alternatively the
-nameopt
switch may be used more than once to set multiple options. See the NAME OPTIONS section for more information.
and from that NAME OPTIONS section there is
multiline
A multiline format. It is equivalent esc_ctrl, esc_msb, sep_multiline, space_eq, lname and align.
Splitting the subject DN components across multiple lines makes automated parsing trivial.
Using
openssl x509 -in filnname.pem -noout -subject -nameopt multiline
will produce output like
subject=
commonName = CommonName
.
.
.
organizationName = OrgName
countryName = Country
If you're running on Linux, you can process that text output:
openssl x509 -in file.pem -noout -subject -nameopt multiline |\
grep commonName | awk '{ print $3 }'
If you need to handle spaces in the common name:
openssl x509 -in file.pem -noout -subject -nameopt multiline |\
grep commonName | awk '{ $1=$2=""; print $3 }'
Unfortunately, that will replace each instance of multiple spaces in the common name with a single space. Normally, spaces are not found in certificate common names, but they are possible.
And "CN, understood as the url where it can be used" is not correct. The subject common name can be the URL, but the CN's use in validating a web site has been deprecated for over 20 years:
Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.
Subject alternative names are used:
As noted, a client MUST NOT seek a match for a reference identifier of CN-ID if the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types supported by the client.
Browsers such as Chrome and Firefox have been ignoring subject common names when doing certificate validation for about five years now.