X.509
X.509 certificate structure and deep inspection patterns.
Certificate Structure
An X.509 certificate contains these fields:
Version: v3 (most common)
Serial Number: Unique ID assigned by the CA
Signature Algorithm: sha256WithRSAEncryption or ecdsa-with-SHA384
Issuer: The CA that signed this certificate
Validity: Not Before / Not After dates
Subject: The entity this certificate represents
Public Key: The subject's public key
Extensions: SAN, Key Usage, EKU, Basic Constraints, CRL Distribution Points, OCSP (Authority Information Access)
Inspect Certificate Fields
Full certificate dump
openssl x509 -in cert.pem -text -noout
Subject and issuer only
openssl x509 -in cert.pem -noout -subject -issuer
Validity dates
openssl x509 -in cert.pem -noout -dates
Serial number
openssl x509 -in cert.pem -noout -serial
Subject Alternative Names — the modern identity field
openssl x509 -in cert.pem -noout -ext subjectAltName
Key Usage and Extended Key Usage
openssl x509 -in cert.pem -noout -ext keyUsage,extendedKeyUsage
Basic Constraints — CA:TRUE or CA:FALSE, pathlen
openssl x509 -in cert.pem -noout -ext basicConstraints
Authority and Subject Key Identifiers
openssl x509 -in cert.pem -noout -ext authorityKeyIdentifier,subjectKeyIdentifier
Key Usage Values
digitalSignature — TLS handshake, code signing
keyEncipherment — RSA key exchange in TLS
dataEncipherment — Direct data encryption (rare)
keyCertSign — CA certificates: can sign other certs
cRLSign — CA certificates: can sign CRLs
keyAgreement — ECDH key exchange
Extended Key Usage Values
serverAuth — TLS server (web, API)
clientAuth — TLS client (EAP-TLS, mutual TLS)
codeSigning — Signed binaries
emailProtection — S/MIME email
OCSPSigning — OCSP responder
timeStamping — Trusted timestamps
Compare Two Certificates
Compare subjects side by side
diff <(openssl x509 -in cert1.pem -noout -subject -dates -serial) \
<(openssl x509 -in cert2.pem -noout -subject -dates -serial)
Check if a key matches a certificate — modulus comparison for RSA
diff <(openssl x509 -in cert.pem -noout -modulus) \
<(openssl rsa -in key.pem -noout -modulus)
If the output is empty, the key and certificate match.
Check if a CSR matches a key
diff <(openssl req -in cert.csr -noout -modulus) \
<(openssl rsa -in key.pem -noout -modulus)
ASN.1 Deep Inspection
Dump raw ASN.1 structure — for debugging malformed certificates
openssl asn1parse -in cert.pem
Re-parse the content of the element at a given offset as its own structure — offset 4 is normally the tbsCertificate, just inside the outer SEQUENCE header
openssl asn1parse -in cert.pem -strparse 4
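As an added example (not part of the original page), a stdlib-only Python DER walker that reproduces the offset, d=, hl= and l= columns of asn1parse and a -strparse-style sub-parse, so the numbers in that output can be checked by hand; the sample bytes are constructed and high tag numbers are assumed not to occur.

```python
from typing import Iterator, List, NamedTuple, Optional

UNIVERSAL = {1: "BOOLEAN", 2: "INTEGER", 3: "BIT STRING", 4: "OCTET STRING",
             5: "NULL", 6: "OBJECT", 12: "UTF8STRING", 16: "SEQUENCE",
             17: "SET", 19: "PRINTABLESTRING", 23: "UTCTIME", 24: "GENERALIZEDTIME"}

# Constructed sample: SEQUENCE { [0] EXPLICIT { INTEGER 2 }, INTEGER 0x1234 }, the shape of a tbsCertificate start
SAMPLE = bytes.fromhex("3009a00302010202021234")

class Node(NamedTuple):
    offset: int        # position of the tag byte (asn1parse's first column)
    depth: int         # d=
    hl: int            # header length: tag byte plus length bytes
    length: int        # l=, the content length
    constructed: bool  # cons vs prim
    name: str

def read_header(der: bytes, pos: int):
    """Decode one TLV header at pos -> (hl, content length, constructed, name)."""
    tag = der[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError(f"high tag number form at {pos} not supported")
    cls, cons, num = tag >> 6, bool(tag & 0x20), tag & 0x1F
    name = UNIVERSAL.get(num, f"UNIV {num}") if cls == 0 else f"cont [ {num} ]"
    first = der[pos + 1]
    if first < 0x80:                  # short form: a single length byte
        return 2, first, cons, name
    n = first & 0x7F                  # long form: 0x8n, then n length bytes (real certs: 30 82 LL LL, hl=4)
    if n == 0 or n > 4:               # indefinite or oversized lengths are not DER
        raise ValueError(f"bad length encoding at {pos}")
    return 2 + n, int.from_bytes(der[pos + 2:pos + 2 + n], "big"), cons, name

def walk(der: bytes, start: int = 0, end: Optional[int] = None, depth: int = 0) -> Iterator[Node]:
    """Yield every element in document order, exactly as asn1parse lists them."""
    end = len(der) if end is None else end
    pos = start
    while pos < end:
        hl, length, cons, name = read_header(der, pos)
        if pos + hl + length > end:   # child claims more bytes than its parent holds: malformed
            raise ValueError(f"element at {pos} overruns its parent")
        yield Node(pos, depth, hl, length, cons, name)
        if cons:
            yield from walk(der, pos + hl, pos + hl + length, depth + 1)
        pos += hl + length

def strparse(der: bytes, offset: int) -> List[Node]:
    """Like -strparse N: parse the content of the element at N as its own structure."""
    hl, length, _, _ = read_header(der, offset)
    return list(walk(der[offset + hl:offset + hl + length]))
```

Feed `walk()` the bytes of a DER file (convert PEM first with `openssl x509 -in cert.pem -outform DER`) and the offsets line up with asn1parse; a malformed certificate surfaces as a ValueError naming the offending offset.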
Certificate Transparency
Check if a certificate has an SCT — Signed Certificate Timestamp
openssl x509 -in cert.pem -noout -ext ct_precert_scts 2>/dev/null
Query Certificate Transparency logs for a domain
curl -s "https://crt.sh/?q=%.inside.domusdigitalis.dev&output=json" | \
jq '.[] | {id, name_value, not_after}'
Self-Signed Detection
Check if a certificate is self-signed — issuer equals subject (compare the whole name, not just its last component)
openssl x509 -in cert.pem -noout -subject -issuer | \
awk '/^subject=/{s=substr($0,9)} /^issuer=/{i=substr($0,8)} END{print (s==i) ? "self-signed" : "CA-signed"}'
Equal names only show the certificate is self-issued; confirming it is self-signed means verifying the signature with the certificate's own public key.
Batch Certificate Inspection
Inspect all PEM files in a directory
for cert in /etc/ssl/certs/*.pem; do
printf "\n=== %s ===\n" "$(basename "$cert")"
openssl x509 -in "$cert" -noout -subject -issuer -dates 2>/dev/null || \
echo " (not a certificate)"
done