Understanding X509 Certificate with Openssl Command

Table of Contents

X.509 is a standard format for public key certificates, digital documents that securely associate cryptographic key pairs with identities such as websites, individuals, or organizations. It can be used for authenticated and encrypted web browsing, signed and encrypted email etc.

X509 Certificate Version

  • X.509 Version 1 has been available since 1988, is widely deployed, and is the most generic.
  • X.509 Version 2 introduced the concept of subject and issuer unique identifiers to handle the possibility of reuse of subject and/or issuer names over time. Most certificate profile documents strongly recommend that names not be reused, and that certificates should not make use of unique identifiers. Version 2 certificates are not widely used.
  • X.509 Version 3 is the most recent (1996) and supports the notion of extensions, whereby anyone can define an extension and include it in the certificate. Some common extensions in use today are: KeyUsage (limits the use of the keys to particular purposes such as “signing-only”) and AlternativeNames (allows other identities to also be associated with this public key, e.g. DNS names, Email addresses, IP addresses). Extensions can be marked critical to indicate that the extension should be checked and enforced/used. For example, if a certificate has the KeyUsage extension marked critical and set to “keyCertSign” then if this certificate is presented during SSL communication, it should be rejected, as the certificate extension indicates that the associated private key should only be used for signing certificates and not for SSL use.

X509 Certificate Structure

Each X.509 certificate includes a public key, digital signature, and information about both the identity associated with the certificate and its issuing certificate authority (CA):

  • The public key is part of a key pair that also includes a private key. The private key is kept secure, and the public key is included in the certificate.
  • A digital signature is an encoded hash (fixed-length digest) of a document that has been encrypted with a private key. When an X.509 certificate is signed by a publicly trusted CA, such as, the certificate can be used by a third party to verify the identity of the entity presenting it.

X509 Certificate Field

  • Subject is the name of the user encoded as a distinguished name (the format for distinguished names is explained shortly).
  • Subject’s public key includes not only the key itself, but also information such as the algorithm used to generate the public key.
  • Issuer’s Subject is the CA’s distinguished name.

X509 Certificate filename extensions

There are several commonly used filename extensions for X.509 certificates. Some of these extensions are also used for other data such as private keys.

  • .pem – (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“
  • .cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
  • .p7b, .p7c – PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
  • .p12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected)
  • .pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)

Check x509 Certificate info with Openssl Command

  • Display the contents of a certificate: openssl x509 -in cert.pem -noout -text
  • Display the certificate serial number: openssl x509 -in cert.pem -noout -serial
  • Display the certificate subject name: openssl x509 -in cert.pem -noout -subject
  • Display the certificate subject name in RFC2253 form: openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
  • Display the certificate subject name in oneline form on a terminal supporting UTF8: openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb
  • Display the certificate SHA1 fingerprint: openssl x509 -sha1 -in cert.pem -noout -fingerprint

Convert x509 Certificate info with Openssl Command

  • Convert a certificate from PEM to DER format: openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
  • Convert a certificate to a certificate request: openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
  • Convert a certificate request into a self signed certificate using extensions for a CA: openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \ -signkey key.pem -out cacert.pem
  • Sign a certificate request using the CA certificate above and add user certificate extensions: openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \ -CA cacert.pem -CAkey key.pem -CAcreateserial


David Cao
David Cao

Hey there! I am David, a Cloud & DevOps Enthusiast and 18 years of experience as a Linux engineer. I work with AWS, Git & GitHub, Linux, Python, Ansible, and Bash. I am a technical blogger and a Software Engineer, enjoy sharing my learning and contributing to open-source.