Certificate files often need a quick identity check before they are installed, renewed, attached to a ticket, or handed to another team. OpenSSL can read the file directly and print the subject, issuer, serial number, validity dates, fingerprint, and extensions without changing the certificate.
The openssl x509 command expects a PEM certificate by default and uses -inform DER when the file is binary DER. Printing options such as -subject, -issuer, -dates, -fingerprint, and -text read the signed certificate structure and write human-readable fields to the terminal.
Field inspection is not the same as trust validation. A certificate can parse correctly while still being expired, missing a required hostname, signed by an untrusted issuer, or different from the certificate served by a load balancer, proxy, or CDN. Treat the fingerprint and serial number as exact-file identifiers, and use chain or live endpoint checks when the deployment itself needs proof.
Steps to view certificate details using OpenSSL:
- Print the core certificate identity, validity, and fingerprint fields.
$ openssl x509 -in server.crt -noout -subject -issuer -serial -dates -fingerprint -sha256
subject=O=Example Operations, CN=www.example.com
issuer=O=Example Operations, CN=www.example.com
serial=1001
notBefore=Jun 6 00:00:00 2026 GMT
notAfter=Sep 4 00:00:00 2026 GMT
sha256 Fingerprint=6D:E6:2D:6C:98:86:BA:34:0C:3C:EC:4B:7A:3C:ED:D0:5C:3A:46:37:89:1E:44:BE:B7:DB:54:AE:90:CC:E6:6A
Replace server.crt with the certificate path. -noout prevents OpenSSL from reprinting the PEM certificate body, and -sha256 makes the fingerprint suitable for comparing the exact certificate bytes across systems.
- Decode the full certificate fields when extension and usage details matter.
$ openssl x509 -in server.crt -noout -text -certopt no_pubkey,no_sigdump
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=Example Operations, CN=www.example.com
        Validity
            Not Before: Jun 6 00:00:00 2026 GMT
            Not After : Sep 4 00:00:00 2026 GMT
        Subject: O=Example Operations, CN=www.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com
            X509v3 Subject Key Identifier:
                EF:89:20:36:4B:41:6A:7F:06:73:32:3C:02:97:20:4B:E9:35:F9:B3
-certopt no_pubkey,no_sigdump keeps the text view focused by omitting the bulky public-key block and signature hex dump while leaving the certificate fields and extensions visible.
- Print only the Subject Alternative Name extension when checking hostname coverage.
$ openssl x509 -in server.crt -noout -ext subjectAltName
X509v3 Subject Alternative Name:
    DNS:www.example.com, DNS:example.com
Modern TLS hostname checks use Subject Alternative Name entries. A familiar Common Name in the subject is not enough proof that a server name is covered.
- Read a binary DER certificate by specifying the input format.
$ openssl x509 -inform DER -in server.der -noout -subject -issuer -dates
subject=O=Example Operations, CN=www.example.com
issuer=O=Example Operations, CN=www.example.com
notBefore=Jun 6 00:00:00 2026 GMT
notAfter=Sep 4 00:00:00 2026 GMT
Use -inform DER for binary certificate files such as many .der or .cer files. If the same command fails without -inform DER, the file may still be valid certificate material in a different container format.
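The script below is an added example, not part of the original steps. It turns the field checks above into pass/fail tests and goes slightly beyond them by using the -checkhost and -checkend options of openssl x509. The function names, the temporary directory, and the throwaway self-signed certificate (whose CN is deliberately left out of the Subject Alternative Name list) are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: pass/fail checks built on openssl x509.
# All names, paths and the generated certificate are constructed for the demo.

# Create a throwaway self-signed certificate (PEM and DER) in directory $1.
# The CN is deliberately NOT listed in the Subject Alternative Name extension.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example Operations/CN=legacy.example.com" \
    -addext "subjectAltName=DNS:www.example.com,DNS:example.com" \
    -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null &&
  openssl x509 -in "$1/demo.crt" -outform DER -out "$1/demo.der"
}

# Print only the SHA-256 fingerprint. $1 = file, $2 = PEM (default) or DER.
cert_fingerprint() {
  openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256 |
    cut -d= -f2
}

# Succeed if the certificate is valid for hostname $2.
# OpenSSL ignores the CN when DNS entries exist in the SAN extension.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" |
    grep -q 'does match certificate'
}

# Succeed if the certificate is still within its validity $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# One-line summary. $1 = file, $2 = expected hostname, $3 = renewal window.
cert_report() {
  cert_covers_host "$1" "$2" && h=covered || h=NOT-covered
  cert_valid_for_days "$1" "$3" && e=ok || e=expires-soon
  echo "host=$2:$h expiry(${3}d)=$e sha256=$(cert_fingerprint "$1")"
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir"
cert_report "$demo_dir/demo.crt" www.example.com 7      # name is in the SAN
cert_report "$demo_dir/demo.crt" legacy.example.com 60  # CN only, 30-day cert
```

The PEM and DER files yield the same fingerprint because it is computed over the DER encoding of the certificate, which is why it works as an exact identifier across formats. These checks still say nothing about whether the issuer is trusted.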
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.