How to get common name (CN) from SSL certificate using openssl command

I configured and installed a TLS/SSL certificate in the /etc/ssl/ directory on a Linux server. I was wondering if I can find out the common name (CN) from the certificate using a Linux or Unix command line option?

Yes, you can find and extract the common name (CN) from the certificate using the openssl command itself.

What is the Common Name?

The common name (CN) is the computer/server name associated with your SSL certificate. For example, www.cyberciti.biz or cyberciti.biz or *.cyberciti.biz is the CN for this website. The CN usually indicates the host/server name protected by the SSL certificate. Your SSL certificate is valid only if the hostname matches the CN. Your browser can display the CN:

Fig.01: Example of host name and CN match giving out green icon

How do I get common name (CN) from SSL certificate?

The syntax is:
openssl x509 -noout -subject -in your-file.pem
openssl x509 -noout -subject -in example.com.cer
openssl x509 -noout -subject -in /etc/ssl/example.com.cer

For example:
$ openssl x509 -noout -subject -in /etc/ssl/glusterfs.pem
Sample outputs:

subject= /CN=gfs01

Another example:
$ openssl x509 -noout -subject -in /etc/ssl/cyberciti.biz.crt
Sample outputs:

subject= /CN=www.cyberciti.biz
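
The layout of the `subject=` line depends on the openssl release (`subject= /CN=gfs01` as above, `subject=CN = gfs01` in 1.1.0 and later), so a script should not assume one form. The shell functions below are an added example, not part of the original tutorial: they extract the CN from either layout and test a host name against it, including the `*.cyberciti.biz` wildcard form. The function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial; function names are made up.

# Print the CN from one "subject=" line of `openssl x509 -noout -subject`.
# Handles both layouts openssl has printed:
#   older releases:  subject= /C=US/O=Example/CN=www.cyberciti.biz
#   1.1.0 and later: subject=C = US, O = Example, CN = www.cyberciti.biz
# Prints nothing when there is no CN. Assumes the CN holds no "," or "/"
# (true for host names); if several CNs are present the last one is used.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n \
        -e 's|^subject= *||' -e 's|^|,|' \
        -e '\|[,/] *CN *= *|!d' \
        -e 's|.*[,/] *CN *= *||' \
        -e 's| *[,/].*||' -e 'p'
}

# Return 0 if host name $1 is covered by certificate name $2 (case-insensitive).
# A leading "*." stands for exactly one left-most label: *.cyberciti.biz
# covers www.cyberciti.biz, but not cyberciti.biz or a.b.cyberciti.biz.
host_matches_cn() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    name=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case $name in
        '*.'?*)
            label=${host%"${name#\*}"}   # strip ".cyberciti.biz" from the host
            case $label in
                "$host" | '' | *.*) return 1 ;;   # no match, empty, or >1 label
            esac
            return 0 ;;
        *)  [ -n "$name" ] && [ "$host" = "$name" ] ;;
    esac
}

# Print the CN of the PEM certificate in file $1.
cert_cn() {
    cn_from_subject "$(openssl x509 -noout -subject -in "$1")"
}

# Usage: cert_covers_host /etc/ssl/cyberciti.biz.crt www.cyberciti.biz
cert_covers_host() {
    host_matches_cn "$2" "$(cert_cn "$1")"
}

# Constructed sample line (same layout as the tutorial's output):
cn_from_subject 'subject= /CN=gfs01'    # prints gfs01
```

Current browsers and TLS libraries match the host name against the certificate's subjectAltName entries rather than the CN; `openssl x509 -noout -checkhost NAME -in FILE` (OpenSSL 1.0.2 and later) performs that check.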

Say hello to certtool command

You can install certtool using the gnutls-bin package on Debian or Ubuntu Linux. Type the following apt-get command/apt command:
$ sudo apt install gnutls-bin
Sample outputs:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
The following NEW packages will be installed:
  gnutls-bin libopts25
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 250 kB of archives.
After this operation, 990 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://mirrors.linode.com/ubuntu xenial/main amd64 libopts25 amd64 1:5.18.7-3 [57.8 kB]
Get:2 http://mirrors.linode.com/ubuntu xenial-updates/universe amd64 gnutls-bin amd64 3.4.10-4ubuntu1.2 [192 kB]
Fetched 250 kB in 0s (14.3 MB/s)     
Selecting previously unselected package libopts25:amd64.
(Reading database ... 34082 files and directories currently installed.)
Preparing to unpack .../libopts25_1%3a5.18.7-3_amd64.deb ...
Unpacking libopts25:amd64 (1:5.18.7-3) ...
Selecting previously unselected package gnutls-bin.
Preparing to unpack .../gnutls-bin_3.4.10-4ubuntu1.2_amd64.deb ...
Unpacking gnutls-bin (3.4.10-4ubuntu1.2) ...
Processing triggers for libc-bin (2.23-0ubuntu5) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up libopts25:amd64 (1:5.18.7-3) ...
Setting up gnutls-bin (3.4.10-4ubuntu1.2) ...
Processing triggers for libc-bin (2.23-0ubuntu5) ...

Now run the command as follows:
$ certtool -i < your-file.pem
$ certtool -i < /etc/ssl/cyberciti.biz.crt | more

Sample outputs:

X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 03bb567f2ab8cd904f4168e159115389351b
	Issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
		Not Before: Sat Mar 04 23:01:00 UTC 2017
		Not After: Fri Jun 02 23:01:00 UTC 2017
	Subject: CN=www.cyberciti.biz
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: High (4096 bits)

And there you have it: use either the openssl or the certtool command to find out the common name (CN) from your SSL certificate.

1 comment
  • Blake March 16, 2017, 4:37 am

    Awesome site even though I’ve been using Linux for years, thanks! Keep it up!

    Anyway, for SSL troubleshooting I ran across this tool on SourceForge the other day which can handle most tasks including the common name. http://portecle.sourceforge.net/ Hope this helps, I found it very helpful for examining, generating, and importing certificates anywhere!
