openssl x509: If you mean the Subject and/or Issuer field(s), the simplest and most readable way (IMO) is
openssl x509 -in certpemfile -noout -text -nameopt multiline,show_type
or if you want only the name field(s) change -text to -subject and/or -issuer. There are other formats, and if you want non-trivially encoded data to display usably you may need additional options; see the man page on your system or at https://www.openssl.org/docs/apps/x509.html#NAME-OPTIONS . If your input is "DER" (binary) not the much more common "PEM" (textual), add -inform der.
If you mean extensions that can contain (Distinguished)Name fields -- I count SAN/IAN, NameConstraints, CRLDP, AIA/SIA, although I don't see how DN would be useful in the latter three, and there are surely more -- that's not supported that I know of. But see next.
other: openssl asn1parse dumps the exact types, lengths, and mostly values of any ASN.1 BER/DER structure, including a cert. For X.509-form extensions (wrapped in OCTET STRING) you can use -strparse offset to ASN.1-decode the nested structure. Identifying and selecting desired fields is your job and in general can be difficult, but since both DNs and extensions label each of their elements with a preceding OID (which OpenSSL calls just OBJECT) and asn1parse decodes all OIDs known to openssl (and you can give it additional ones) you can usually just visually scan for countryName, commonName and the like.
Note on PEM: many openssl functions create or accept and ignore "comments" in PEM-format data, but asn1parse does NOT. It will handle the dash-BEGIN and dash-END lines, but almost anything else it will treat as part of the data, causing wrong results. Verify your input file (or pipe or whatever) contains only the one cert.
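The steps in the answer above as one runnable script; this is an added example, not part of the original answer. It builds a throwaway certificate with a directory name in SAN, prints the subject with types, passes asn1parse only the PEM block, and uses -strparse on the SAN extension. The file names, sample DNs and helper function names are constructed, and it assumes the OpenSSL CLI plus sed and awk.

```shell
#!/bin/sh
set -eu
work=$(mktemp -d)    # scratch directory; every file name below is constructed

# Constructed sample: self-signed cert with a directory name (a DN) in SAN.
cat > "$work/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
C = US
O = Example Org
CN = test.example
[ext]
subjectAltName = dirName:alt_dn
[alt_dn]
C = DE
CN = alt name
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/req.cnf" \
    -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null

# Subject with one attribute per line and its ASN.1 string type.
subject_types() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline,show_type
}

# asn1parse does not skip text around the PEM block, so pass it only the
# first BEGIN/END CERTIFICATE block of the file.
first_cert() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" |
        sed '/^-----END CERTIFICATE-----$/q'
}

# Offset of the OCTET STRING wrapping the extension whose OID name is $2.
ext_offset() {
    first_cert "$1" | openssl asn1parse | awk -v oid="$2" '
        found && /OCTET STRING/ { sub(/:.*/, "", $1); print $1; exit }
        $0 ~ ("OBJECT +:" oid)  { found = 1 }'
}

# ASN.1-decode the structure nested inside that OCTET STRING.
ext_decode() {
    first_cert "$1" | openssl asn1parse -strparse "$(ext_offset "$1" "$2")"
}

subject_types "$work/cert.pem"
ext_decode "$work/cert.pem" "X509v3 Subject Alternative Name"
```

The second argument to ext_decode is the OID name exactly as asn1parse prints it on the OBJECT line.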