How to print all certs in a bundle with command line openssl(1)


  • Thu 07 October 2021
  • misc

There are a whole bunch of tools out there for printing out the content of all certificates, but the one I've habitually used is openssl x509 -text -noout < server.crt.

Problem is, that stops after the first certificate in the bundle. What if I want to see all the certs in a trust chain or root bundle? Recent issues with Let's Encrypt and a CA cross-signing have brought this to the fore.

There are a lot of utilities for this; one that comes with GnuTLS and one that is part of a Java management suite come immediately to mind. If you look on Server Fault you'll find a lot of examples of multi-line bash, perl, etc. scripts that chop the bundle up into intermediate files. Messy.

It turns out that openssl can do this on its own.

openssl storeutl -noout -text server-fullchain.crt

Note that the first form reads from stdin and the second form most emphatically does not: storeutl takes the bundle as a file argument.
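
The difference between the two forms, and a way around the stdin limitation, as an added example that is not part of the original post. The helper names (make_demo_bundle, count_x509, count_storeutl, print_bundle) and the two throwaway self-signed certificates are constructed for illustration; storeutl needs OpenSSL 1.1.1 or later, and -certs restricts its output to certificate objects.

```shell
#!/bin/sh
# Added example: helper names and the demo bundle are constructed for illustration.

# Build a constructed two-certificate PEM bundle (throwaway self-signed certs) at $1.
make_demo_bundle() {
    tmp=$(mktemp -d) || return 1
    for cn in demo-leaf demo-intermediate; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -keyout "$tmp/$cn.key" -out "$tmp/$cn.crt" 2>/dev/null || return 1
    done
    cat "$tmp/demo-leaf.crt" "$tmp/demo-intermediate.crt" > "$1"
    rm -rf "$tmp"
}

# Number of subjects "openssl x509" reports for a bundle (it parses only the first cert).
count_x509() {
    openssl x509 -noout -subject < "$1" | grep -c '^subject'
}

# Number of certificates "openssl storeutl" finds in the same file.
count_storeutl() {
    openssl storeutl -noout -certs "$1" | grep -c '^[0-9][0-9]*: Certificate$'
}

# Print every certificate from a file argument, or from stdin when called
# with "-" or no argument. storeutl wants a file/URI argument, so stdin is
# spooled to a temporary file first and the file is removed afterwards.
print_bundle() {
    if [ -n "$1" ] && [ "$1" != "-" ]; then
        openssl storeutl -noout -text -certs "$1"
        return
    fi
    spool=$(mktemp) || return 1
    cat > "$spool"
    rc=0
    openssl storeutl -noout -text -certs "$spool" || rc=$?
    rm -f "$spool"
    return "$rc"
}
```

With the functions sourced, print_bundle server-fullchain.crt and print_bundle < server-fullchain.crt produce the same listing.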