Extracting information from a pem file

The X.509 standard is used to manage the digital certificates that support public key encryption. One of the filename extensions used for X.509 certificates is .pem, which stands for "Privacy Enhanced Mail". These files contain Base64-encoded DER certificates. If you have a .pem certificate and want to view information about its contents, you can do so with the OpenSSL software, which is commonly found on Linux and Mac OS X systems and is available for other operating systems as well. If you just want to view the expiration date for a certificate, you can use an openssl command like the one below:

$ openssl x509 -enddate -noout -in cacert.pem
notAfter=Aug 13 23:59:00 2018 GMT
$

If you want to view the starting date for the certificate, you can use -startdate.

$ openssl x509 -startdate -enddate -noout -in cacert.pem
notBefore=Aug 13 00:29:00 1998 GMT
notAfter=Aug 13 23:59:00 2018 GMT
$

Parameters that can be used to extract information regarding the certificate include the following:

startdate  Start date for the certificate to be valid
enddate    Expiration date for the certificate
issuer     Certificate issuer
subject    Certificate subject
hash       Hash value for the certificate
purpose    Purpose for the certificate

E.g.:

$ openssl x509 -startdate -enddate -issuer -subject -hash -noout -in cacert.pem
notBefore=Aug 13 00:29:00 1998 GMT
notAfter=Aug 13 23:59:00 2018 GMT
issuer= /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
subject= /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
4d654d1d
$ openssl x509 -purpose -noout -in cacert.pem
Certificate purposes:
SSL client : Yes
SSL client CA : Yes (WARNING code=3)
SSL server : Yes
SSL server CA : Yes (WARNING code=3)
Netscape SSL server : Yes
Netscape SSL server CA : Yes (WARNING code=3)
S/MIME signing : Yes
S/MIME signing CA : Yes (WARNING code=3)
S/MIME encryption : Yes
S/MIME encryption CA : Yes (WARNING code=3)
CRL signing : Yes
CRL signing CA : Yes (WARNING code=3)
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes (WARNING code=3)
$

If you want to view additional information for the certificate, you can use the -text option instead, as shown below:

$ openssl x509 -text -noout -in cacert.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 421 (0x1a5)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Global Root
        Validity
            Not Before: Aug 13 00:29:00 1998 GMT
            Not After : Aug 13 23:59:00 2018 GMT
        Subject: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Global Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:95:0f:a0:b6:f0:50:9c:e8:7a:c7:88:cd:dd:17:
                    0e:2e:b0:94:d0:1b:3d:0e:f6:94:c0:8a:94:c7:06:
                    c8:90:97:c8:b8:64:1a:7a:7e:6c:3c:53:e1:37:28:
                    73:60:7f:b2:97:53:07:9f:53:f9:6d:58:94:d2:af:
                    8d:6d:88:67:80:e6:ed:b2:95:cf:72:31:ca:a5:1c:
                    72:ba:5c:02:e7:64:42:e7:f9:a9:2c:d6:3a:0d:ac:
                    8d:42:aa:24:01:39:e6:9c:3f:01:85:57:0d:58:87:
                    45:f8:d3:85:aa:93:69:26:85:70:48:80:3f:12:15:
                    c7:79:b4:1f:05:2f:3b:62:99
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        6d:eb:1b:09:e9:5e:d9:51:db:67:22:61:a4:2a:3c:48:77:e3:
        a0:7c:a6:de:73:a2:14:03:85:3d:fb:ab:0e:30:c5:83:16:33:
        81:13:08:9e:7b:34:4e:df:40:c8:74:d7:b9:7d:dc:f4:76:55:
        7d:9b:63:54:18:e9:f0:ea:f3:5c:b1:d9:8b:42:1e:b9:c0:95:
        4e:ba:fa:d5:e2:7c:f5:68:61:bf:8e:ec:05:97:5f:5b:b0:d7:
        a3:85:34:c4:24:a7:0d:0f:95:93:ef:cb:94:d8:9e:1f:9d:5c:
        85:6d:c7:aa:ae:4f:1f:22:b5:cd:95:ad:ba:a7:cc:f9:ab:0b:
        7a:7f
$
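
The -text dump above shows an MD5 signature, a 1024-bit RSA key and a version 1 certificate, three properties a certificate review would normally flag. The following is an added example, not part of the original article: a hypothetical shell helper, audit_x509_text, that reads the output of openssl x509 -text -noout and reports those conditions. The thresholds (2048-bit RSA minimum; MD2, MD4, MD5 and SHA-1 treated as weak) are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original page). audit_x509_text is a hypothetical
# helper: it reads `openssl x509 -text -noout` output on stdin, prints findings.
audit_x509_text() {
    text=$(cat)
    field() { printf '%s\n' "$text" | sed -n "$1" | head -n 1; }
    sig=$(field 's/^ *Signature Algorithm: *//p')
    alg=$(field 's/^ *Public Key Algorithm: *//p')
    # Matches "RSA Public Key: (1024 bit)" and the newer "Public-Key: (2048 bit)".
    bits=$(field 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p')
    ver=$(field 's/^ *Version: *\([0-9][0-9]*\).*/\1/p')
    # MD2/MD4/MD5/SHA-1 based signatures, including names like ecdsa-with-SHA1.
    case "$sig" in
        md2*|md4*|md5*|sha1*|*SHA1) echo "WEAK-SIGNATURE $sig" ;;
    esac
    # Only RSA is compared against 2048; a 256-bit EC key is not short.
    if [ "$alg" = "rsaEncryption" ] && [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "SHORT-RSA-KEY $bits"
    fi
    # Version 1 certificates carry no extensions (no basicConstraints, keyUsage).
    if [ "$ver" = "1" ]; then echo "X509-V1"; fi
    return 0
}
# Constructed sample, abbreviated from the -text output shown on this page.
sample_legacy() {
cat <<'EOF'
Certificate:
    Data:
        Version: 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
EOF
}
# Constructed sample in the newer OpenSSL layout: EC key, SHA-256 signature.
sample_modern() {
cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: ecdsa-with-SHA256
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
EOF
}
sample_legacy | audit_x509_text
sample_modern | audit_x509_text   # prints nothing
```

Against a real file, pipe openssl x509 -text -noout -in cacert.pem into audit_x509_text. For expiry, the -checkend option listed in the usage below exits 1 if the certificate expires within the given number of seconds and 0 if not.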

OpenSSL usage options for X.509 are as follows:

usage: x509 args
 -inform arg     - input format - default PEM (one of DER, NET or PEM)
 -outform arg    - output format - default PEM (one of DER, NET or PEM)
 -keyform arg    - private key format - default PEM
 -CAform arg     - CA format - default PEM
 -CAkeyform arg  - CA key format - default PEM
 -in arg         - input file - default stdin
 -out arg        - output file - default stdout
 -passin arg     - private key password source
 -serial         - print serial number value
 -subject_hash   - print subject hash value
 -issuer_hash    - print issuer hash value
 -hash           - synonym for -subject_hash
 -subject        - print subject DN
 -issuer         - print issuer DN
 -email          - print email address(es)
 -startdate      - notBefore field
 -enddate        - notAfter field
 -purpose        - print out certificate purposes
 -dates          - both Before and After dates
 -modulus        - print the RSA key modulus
 -pubkey         - output the public key
 -fingerprint    - print the certificate fingerprint
 -alias          - output certificate alias
 -noout          - no certificate output
 -ocspid         - print OCSP hash values for the subject name and public key
 -ocsp_uri       - print OCSP Responder URL(s)
 -trustout       - output a "trusted" certificate
 -clrtrust       - clear all trusted purposes
 -clrreject      - clear all rejected purposes
 -addtrust arg   - trust certificate for a given purpose
 -addreject arg  - reject certificate for a given purpose
 -setalias arg   - set certificate alias
 -days arg       - How long till expiry of a signed certificate - def 30 days
 -checkend arg   - check whether the cert expires in the next arg seconds
                   exit 1 if so, 0 if not
 -signkey arg    - self sign cert with arg
 -x509toreq      - output a certification request object
 -req            - input is a certificate request, sign and output.
 -CA arg         - set the CA certificate, must be PEM format.
 -CAkey arg      - set the CA key, must be PEM format
                   missing, it is assumed to be in the CA file.
 -CAcreateserial - create serial number file if it does not exist
 -CAserial arg   - serial file
 -set_serial     - serial number to use
 -text           - print the certificate in text form
 -C              - print out C code forms
 -md2/-md5/-sha1/-mdc2 - digest to use
 -extfile        - configuration file with X509V3 extensions to add
 -extensions     - section from config file with X509V3 extensions to add
 -clrext         - delete extensions before signing and input certificate
 -nameopt arg    - various certificate name options
 -engine e       - use engine e, possibly a hardware device.
 -certopt arg    - various certificate text options
$