Skip to main content

Linux : How to get certificate information from a certificate

 As an engineer, administrator, operator, or developer, sometimes you need to learn certificate information from an application, host system, or whatever else. Almost all modern browsers allow you to get certificate information by simply clicking a red/green or crossed lock icon or following page information agents.

But sometimes you can't use browsers, and you can't leave your CLI session due to a lack of connection problem or other factors. You can use the OpenSSL CLI tool to get basic certificate information on Linux. Openssl is a handy tool that allows you to save a bunch of certificate-based requirements, including getting certificates, renewing, generating a new one and of course getting information from them.


In this article, you simply get the certificate information from a saved certificate.


[ozgurkkisa@workstation]$ openssl x509 -in \
  wildcard-api.pem -noout -subject -issuer -ext 'subjectAltName' -dates
subject=C = US, ST = NC, L = Raleigh, O = "Red Hat, Inc.", OU = Training, CN = *.apps.ocp4.example.com
issuer=C = US, ST = NC, L = Raleigh, O = "Red Hat, Inc.", OU = Training, CN = GLS Training Classroom Certificate Authority
X509v3 Subject Alternative Name:
    DNS:*.apps.ocp4.example.com, DNS:api.ocp4.example.com
notBefore=Sep  2 14:11:33 2021 GMT
notAfter=Aug 31 14:11:33 2031 GMT

As seen above, I run the command :
OpenSSL x509 -in \
  wildcard-api.pem -noout -subject -issuer -ext 'subjectAltName' -dates

wildcard-api. pem is my certificate that is stored on my workstation, also called the subject name, Subject alternative name, issuer information, and certificate creation and expiration date. As you see, the issuer is Redhat, the certificate DNS name is a wildcard domain name *.app.ocp4.example.com and alternative names are *.app.ocp4.example.com and app.ocp4.example.com

It will expire on 31 Aug 2031
 
If you want the certificate to be in file form, you need to get the certificate from the server. To accomplish this, use OpenSSL again by running it this way :




[ozgurkkisa@workstation]$ openssl s_client -connect www.google.com:443 -showcerts
The command would show you the connection certificates as a screen output. To save the output as a file, simply select the output with begun with ---- BEGIN CERTIFICATE ----- until  ----END CERTIFICATE ------ and paste information into an empty file.

Another handy method is just putting  > ~/google.cer line to the at the end of the original command above.

Note: The command above shows you the output, but you cannot back to the console automatically. You need to press ctrl+c to quit. For the method above, you should press ctrl+c to exit so the file would be created.

I think this simple information will be handy for further operations and your action plans.


See you soon, all techies!
Labels:

Comments

Post a Comment

Popular posts from this blog

Openshift/K8S : Get routes hostnames and learn their reachability

  Undoubtedly, route have a key role to accessing your pods and their applications inside.  You may want to learn your whole Kubernetes or Openshift routes and their hostnames. Also you want to learn reachability of them. Here comes a shortcut! First step is creating a variable : hosts=$(oc get route -A \ -o jsonpath='{.items[*].spec.host}') You can ensure that just getting the hostnames,  rather than any other info by running : echo $hosts After this point we need a series of shell command to get names and HTTP status of our routes. For this task, write out the codes shown below :  for host in $hosts ; do \ curl https://$host -k -w "%{url_effective} %{http_code}\n" -o /dev/null -s ; \ done https://oauth-openshift.apps.ocp4.ozgurkkisa.com/ 403 https://console-openshift-console.apps.ocp4.ozgurkkisa.com/ 200 https://downloads-openshift-console.apps.ocp4.ozgurkkisa.com/ 200 https://alertmanager-main-openshift-monitoring.apps.ocp4.ozgurkkisa.com/ 403 https://grafan
Post a Comment
Read more

K8S/OPENSHIFT: POD CRASHING,SECURITY CONTEXT CONTRAINTS PROBLEM?

  Your new daily given task is creating a new app in a new namespace. You investigated and found your image. Then you started to create your app. After app created you checked and realized that the your new apps pod is not starting! Here look at this example. I Used gitlab here as an instance. [ozgurk@myworkstation ~]$ oc new-app --name gitlab \ > --docker-image quay.io/redhattraining/gitlab-ce:8.4.3-ce.0 --> Creating resources ... imagestream.image.openshift.io "gitlab" created deployment.apps "gitlab" created service "gitlab" created --> Success  Until here, everything looking normal. Check your pod status :  [ozgurk@myworkstation ~]$ oc get pods NAME READY STATUS RESTARTS AGE gitlab-6d61db3479-yyjl 0/1 Error 1 43s As seen above, our pod is in a trouble. It's better to start investigation from pod logs. [ozgurk@myworkstation ~]$ oc logs pod/ gitlab-6d61db3479-yyjl ===========
Post a Comment
Read more

OPENSHIFT/K8S: Enable HTPasswd Authentication for your Openshift Cluster

 Openshift provides different kind of authentication mechanisms for authentication. Openshift comes with a default kubeadmin user as a factory default. In addition to default admin, in real world you want different users with different permission levels to separate roles.  You can use Ldap, Github or Github Enterprise, Keystone Server, OpenID Connect or HTPasswd authentication. All these methods are named as Identity providers.All methods are external solutions or requires additional servers/services to deploy to authenticate except HTPasswd authentication. HTPasswd authentication  consist of simple and locally managed password files. Simply, you define usernames and equivalent password for them. htpasswd file contains a list of users and their secrets. HTPasswd files keeps users password encrypted by several encryption algorithms like, MD5(default), SHA1, SHA256 and Bcrypt (Most secure for htpasswd.) Screenshot 1- A simple and sample htpasswd file A simple htpasswd file is similar to
Post a Comment
Read more