How to view all ssl certificates in a bundle?

http://comments.gmane.org/gmane.comp.encryption.openssl.user/43587 suggests this one-liner:

openssl crl2pkcs7 -nocrl -certfile CHAINED.pem | openssl pkcs7 -print_certs -text -noout

It indeed worked for me, but I don't understand the details so can't say if there are any caveats.

updated june 22:

for openssl 1.1.1 and higher: a single-command answer can be found here serverfault.com/a/1079893 (openssl storeutl -noout -text -certs bundle.crt)

Java's keytool does the trick:

keytool -printcert -v -file <certs.crt>

Annotation: Windows doubleclick does not work. Windows reads only the first certificate in the keystore and automatically extends the trustchain from its built in certificate store.

Results:

1. All beyond the first certificate in the .crt file are not shown
2. You may get a different trustchain displayed than you have in the .crt file. This may lead to wrong conclusions.

Oneliner that displays a summary of every certificate in the file.

openssl crl2pkcs7 -nocrl -certfile CHAINED.pem | openssl pkcs7 -print_certs -noout

It combines all the certificates into a single intermediate PKCS7 file, and then parses the information in each part of that file.

(The same as Beni's answer, but this gives shorter output, without the -text option).

example:

$ openssl crl2pkcs7 -nocrl -certfile bundled.crt | openssl pkcs7 -print_certs -noout

subject=/C=NL/postalCode=5705 CN/L=City/street=Example 20/O=Foobar B.V./OU=ICT/OU=Wildcard SSL/CN=*.example.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA

subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority

subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Roo

Following this FAQ led me to this perl script, which very strongly suggests to me that openssl has no native support for handling the n^th certificate in a bundle, and that instead we must use some tool to slice-and-dice the input before feeding each certificate to openssl. This perl script, freely adapted from Nick Burch's script linked above, seems to do the job:

#!/usr/bin/perl
# script for splitting multi-cert input into individual certs
# Artistic Licence
#
# v0.0.1         Nick Burch <[email protected]>
# v0.0.2         Tom Yates <[email protected]>
#

$filename = shift;
unless($filename) {
  die("You must specify a cert file.\n");
}
open INP, "<$filename" or die("Unable to load \"$filename\"\n");

$thisfile = "";

while(<INP>) {
   $thisfile .= $_;
   if($_ =~ /^\-+END(\s\w+)?\sCERTIFICATE\-+$/) {
      print "Found a complete certificate:\n";
      print `echo \'$thisfile\' | openssl x509 -noout -text`;
      $thisfile = "";
   }
}
close INP;

openssl storeutl -noout -text -certs bundle.crt

Paraphrasing from the OpenSSL documentation:

The openssl storeutl app was added in OpenSSL 1.1.1.

The storeutl command can be used to display the contents fetched from the given URIs.

• -noout prevents output of the PEM data
• -text prints out the objects in text form, like the -text output from openssl x509
• -certs Only select the certificates from the given URI

Since there is no awk based solution:

$ cat ca-bundle | awk '/BEGIN/ { i++; } /BEGIN/, /END/ { print > i ".extracted.crt" }'
$ ls *.extracted.crt | while read cert; do openssl x509 -in $cert -text -noout; done

The first command split bundle into certs by looking for BEGIN, and END lines. The second command loops through the extracted certs and shows them.

This may not be pretty, or elegant, but it was quick and worked for me using bash on linux, and PEM formatted blocks in a ca-cert bundle file.

while read line
do
    if [ "${line//END}" != "$line" ]; then
        txt="$txt$line\n"
        printf -- "$txt" | openssl x509 -subject -issuer -noout
        txt=""
    else
        txt="$txt$line\n"
    fi
done < /path/to/bundle/file

You can put it all one line, and adjust the openssl options to suit. I really wish there were a more elegant solution for this, but in this case I think finding the more elegant solution would have taken more time than hacking out the inelegant one.

Try this script: https://github.com/jkolezyn/cert_tree

It prints certificates in a pem bundle as a tree, built based on Subject and Issuer fields.

It prints a tree like this:

cert_tree.py -p ~/.certs/ca_list.pem  
━ CorpRoot            [1]
    ┣━ ServerCA       [2]
    ┣━ example_cert   [3]
    ┗━ example_2      [8]
━ RootCert            [4]
    ┣━ example_cert3  [5] [EXPIRED on: 2019-06-03 13:26:21]
    ┣━ other          [6]
    ┣━ other1         [7] [EXPIRED on: 2017-06-16 21:12:18]
    ┗━ AnotherOne     [9]

cert_tree.py -pe ~/.certs/mycert.pem
━ RootCert                [3] [valid until: 2031-07-08 17:57:15]
    ┗━ IntermediateCert   [2] [valid until: 2023-07-08 18:55:58]
        ┗━ UserCert       [1] [valid until: 2023-09-17 13:33:00]

In bash usually only one (long) line of code is needed :-)

tfile=$( mktemp -u ) && \
csplit -z -q -f "$tfile" bundle.crt  '/----BEGIN CERTIFICATE-----/' '{*}' && \
find "${tfile%/*}" -name "${tfile##*/}*" -exec openssl x509 -noout -subject -in "{}" \; -delete

I'd like to throw in the idiomatic perl commandline here:

  perl -ne "\$n++ if /BEGIN/; print if \$n == 1;" mysite.pem

If there's text then a slightly more robust tweak:

 perl -ne "\$n++ if /^-----BEGIN CERTIFICATE-----\$/; print if \$n == 3 && /^-----BEGIN CERTIFICATE-----\$/.../^-----END CERTIFICATE-----\$/;" mysite.pem

Just change the value of what n should be in the second statement to get the nth certificate.