I am administering an RHEL 6.6 server which I inherited from an admin the company no longer has contact with. I need to replace the SSL cert, for which some information regarding the physical organisation is needed:
$ openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout example.com.key -out example.com.csr
Generating a 2048 bit RSA private key
..........+++
.........................................................+++
writing new private key to 'example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New Jersey
Locality Name (eg, city) []:Salem
Organization Name (eg, company) [Internet Widgits Pty Ltd]:International Widgets
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:International Widgets
Given the extant SSL cert or key, how might I recover the organisational information used? I'm not sure how critical it is that this information match what was there before, but I would rather be safe than sorry. Unfortunately, this being an online business there is no single physical address to simply use, and the business is split between four owners none of whom know whose information was in the original cert.
Maybe it really doesn't matter if I simply answer everything "foobar", but I cannot assume that.
I tried using the openssl tool to get the information, but nothing of interest came up:
$ openssl x509 -text -in example.com.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1xxxxxxxxxx1 (0x4xxxxxxxb)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287
        Validity
            Not Before: Aug 11 12:16:01 2014 GMT
            Not After : Aug 11 12:16:01 2015 GMT
        Subject: OU=Domain Control Validated, CN=*.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                    7d:05:34:ac:7f:e2:c2:13:d3:56:9e:4e:fb:57:e3:
                    ...
                    16:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.godaddy.com/gds1-112.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: http://certificates.godaddy.com/repository/
            Authority Information Access:
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gd_intermediate.crt
            X509v3 Authority Key Identifier:
                keyid:FD:AC:xx:xx:xx:xx:xx:xx:xx:CC:E7
            X509v3 Subject Alternative Name:
                DNS:*.example.com, DNS:example.com
            X509v3 Subject Key Identifier:
                1C:EB:xx:xx:xx:xx:xx:xx:F0:2F
    Signature Algorithm: sha1WithRSAEncryption
         ...
         43:fd:fb:92:8b:ee:82:0e:63:db:4f:dc:66:46:0f:fb:ac:de:
         ...
         d8:a5:89:eb
-----BEGIN CERTIFICATE-----
...
ODcwHhcNMTQwODIxMTAyNjA2WhcNMTUwODIxMTAyNjA2WjA8MSEwHwYDVQQLExhE
xZHYpYnr
-----END CERTIFICATE-----
You should be able to get the correct info by using this command: (note that you'll want to use the CSR, and not the CRT)
Towards the top of the output you'll see the Subject information.
Example:
As was mentioned earlier, the importance of certificate detail accuracy tends to vary from vendor to vendor. The verification process also depends on the type of certificate you're getting. For example, "Extended Validation" certificates have a more rigorous approval process. In any event, I think it's good practice to make the information as accurate as possible.
If you still have the previously signed certificate, you can absolutely use the openssl command @Alex suggested.
Here's a variation of it:
openssl x509 -in example.crt -text -noout | grep -i "Subject:"
That should isolate just the Subject: details of the cert and show the attributes. For example, you could get output like:
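Added example, not part of either answer above and not the posters' own commands: a shell script that builds a constructed CSR and a constructed certificate for the same key in a temporary directory, prints the subject of each, and checks that the two carry the same public key. The function names are hypothetical, the DN values are reused from the prompt transcript in the question, and the certificate is self-signed with a reduced subject only to mimic the domain-validated subject shown there.

```shell
#!/bin/sh
# Added example: compare the subject kept in a CSR with the subject in a
# certificate for the same key. All files are constructed in a temp dir.

# Print the subject DN of a PEM file, picking the openssl subcommand
# from the PEM header (CSR vs. certificate).
subject_of() {
    if grep -Eq -- '-----BEGIN (NEW )?CERTIFICATE REQUEST-----' "$1"; then
        openssl req -in "$1" -noout -subject
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1" -noout -subject
    else
        echo "unrecognised PEM type: $1" >&2
        return 1
    fi
}

# Build a constructed CSR with a full DN, plus a certificate for the same key
# whose subject carries only OU and CN, like the certificate in the question.
make_demo() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/demo.key" -out "$1/demo.csr" \
        -subj "/C=US/ST=New Jersey/L=Salem/O=International Widgets/CN=example.com" \
        2>/dev/null || return 1
    openssl req -x509 -new -key "$1/demo.key" -sha256 -days 1 \
        -out "$1/demo.crt" \
        -subj "/OU=Domain Control Validated/CN=*.example.com" 2>/dev/null
}

# Succeed when the CSR ($1) and the certificate ($2) hold the same public key,
# i.e. the CSR found on disk really is the one behind the installed certificate.
same_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
echo "CSR: $(subject_of "$demo_dir/demo.csr")"
echo "CRT: $(subject_of "$demo_dir/demo.crt")"
same_key "$demo_dir/demo.csr" "$demo_dir/demo.crt" && echo "CSR and certificate share a key"
rm -rf "$demo_dir"
```

The CSR line keeps the country, state, locality and organisation that were typed at the prompts, while the certificate line shows only the OU and CN.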