How to view certificate details using OpenSSL

Certificate files often need a quick identity check before they are installed, renewed, attached to a ticket, or handed to another team. OpenSSL can read the file directly and print the subject, issuer, serial number, validity dates, fingerprint, and extensions without changing the certificate.

The openssl x509 command expects a PEM certificate by default and uses -inform DER when the file is binary DER. Printing options such as -subject, -issuer, -dates, -fingerprint, and -text read the signed certificate structure and write human-readable fields to the terminal.

Field inspection is not the same as trust validation. A certificate can parse correctly while still being expired, missing a required hostname, signed by an untrusted issuer, or different from the certificate served by a load balancer, proxy, or CDN. Treat the fingerprint and serial number as exact-file identifiers, and use chain or live endpoint checks when the deployment itself needs proof.

Steps to view certificate details using OpenSSL:

  1. Print the core certificate identity, validity, and fingerprint fields.
    $ openssl x509 -in server.crt -noout -subject -issuer -serial -dates -fingerprint -sha256
    subject=O=Example Operations, CN=www.example.com
    issuer=O=Example Operations, CN=www.example.com
    serial=1001
    notBefore=Jun  6 00:00:00 2026 GMT
    notAfter=Sep  4 00:00:00 2026 GMT
    sha256 Fingerprint=6D:E6:2D:6C:98:86:BA:34:0C:3C:EC:4B:7A:3C:ED:D0:5C:3A:46:37:89:1E:44:BE:B7:DB:54:AE:90:CC:E6:6A

    Replace server.crt with the certificate path. -noout prevents OpenSSL from reprinting the PEM certificate body, and -sha256 makes the fingerprint suitable for comparing the exact certificate bytes across systems.

  2. Decode the full certificate fields when extension and usage details matter.
    $ openssl x509 -in server.crt -noout -text -certopt no_pubkey,no_sigdump
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 4097 (0x1001)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: O=Example Operations, CN=www.example.com
            Validity
                Not Before: Jun  6 00:00:00 2026 GMT
                Not After : Sep  4 00:00:00 2026 GMT
            Subject: O=Example Operations, CN=www.example.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                X509v3 Key Usage: 
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage: 
                    TLS Web Server Authentication
                X509v3 Subject Alternative Name: 
                    DNS:www.example.com, DNS:example.com
                X509v3 Subject Key Identifier: 
                    EF:89:20:36:4B:41:6A:7F:06:73:32:3C:02:97:20:4B:E9:35:F9:B3

    -certopt no_pubkey,no_sigdump keeps the text view focused by omitting the bulky public-key block and signature hex dump while leaving the certificate fields and extensions visible.

  3. Print only the Subject Alternative Name extension when checking hostname coverage.
    $ openssl x509 -in server.crt -noout -ext subjectAltName
    X509v3 Subject Alternative Name: 
        DNS:www.example.com, DNS:example.com

    Modern TLS hostname checks use Subject Alternative Name entries. A familiar Common Name in the subject is not enough proof that a server name is covered.

  4. Read a binary DER certificate by specifying the input format.
    $ openssl x509 -inform DER -in server.der -noout -subject -issuer -dates
    subject=O=Example Operations, CN=www.example.com
    issuer=O=Example Operations, CN=www.example.com
    notBefore=Jun  6 00:00:00 2026 GMT
    notAfter=Sep  4 00:00:00 2026 GMT

    Use -inform DER for binary certificate files such as many .der or .cer files. A file that fails to load without -inform DER is not necessarily damaged; it may still be valid certificate material in a different container format.
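
The steps above only print fields. The following added example (not part of the original page) wraps the same openssl x509 command into a pre-install check that picks -inform from the file contents, returns a SHA-256 fingerprint that is identical for PEM and DER copies, and fails on near expiry or an uncovered hostname. Function names, return codes, the 30-day default and the throwaway demo certificate are assumptions; -checkend and -checkhost are standard openssl x509 options, and -addext needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: pre-install gate for one certificate file (PEM or DER).
# Function names, the 30-day default and demo file names are assumptions.

# Pick the -inform value: PEM files carry a text armor line, DER files do not.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# SHA-256 fingerprint of the certificate, identical for PEM and DER copies.
cert_fingerprint() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -noout -fingerprint -sha256 |
        cut -d= -f2
}

# cert_gate FILE HOSTNAME [DAYS]: 0 = ok, 1 = expires within DAYS (or already
# expired), 2 = hostname not covered, 3 = file does not parse as a certificate.
cert_gate() {
    file=$1 host=$2 days=${3:-30}
    fmt=$(cert_format "$file")
    openssl x509 -inform "$fmt" -in "$file" -noout >/dev/null 2>&1 || return 3
    openssl x509 -inform "$fmt" -in "$file" -noout \
        -checkend $((days * 86400)) >/dev/null || return 1
    # -checkhost reports by message; do not rely on its exit status, match text.
    openssl x509 -inform "$fmt" -in "$file" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match certificate' || return 2
    return 0
}

# Constructed sample input: throwaway self-signed certificate mirroring the
# page's example names, written as DIR/server.crt (PEM) and DIR/server.der.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj '/O=Example Operations/CN=www.example.com' \
        -addext 'subjectAltName=DNS:www.example.com,DNS:example.com' \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null &&
    openssl x509 -in "$1/server.crt" -outform DER -out "$1/server.der"
}
```

A zero return from cert_gate covers expiry and hostname only; issuer trust and what a live endpoint actually serves still need the chain or endpoint checks mentioned earlier.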