The valid domain names for a certificate are stipulated in two places.
First is the Common Name (CN), which is part of the Subject field. There is only space for one name here, which means it can be a fixed name, such as www.example.com, or a wildcard such as *.example.com.
The second is the Subject Alternative Name (SAN) extension, which lists additional names that the certificate is valid for. There are many options for the SAN field, but the one you'll be interested in is DNS.
If you look at the certificate GUI of most browsers, you should see both the Subject and the SAN fields.
To view them using OpenSSL simply run:
$ openssl x509 -noout -text -nameopt multiline -in <cert file>
Note that the -nameopt multiline is optional but makes it easier to read. The following example is from ssl.com as it contains a good example of the SAN:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            23:dd:f6:40:e2:ad:3f:24:2f:31:9c:c6:48:db:64:92
    Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            countryName               = US
            organizationName          = SSL.com
            organizationalUnitName    = Controlled by COMODO exclusively for SSL.com
            organizationalUnitName    = www.ssl.com
            commonName                = SSL.com Premium EV CA
        Validity
            Not Before: Mar 11 00:00:00 2016 GMT
            Not After : Nov 18 23:59:59 2016 GMT
        Subject:
            serialNumber              = NV20081614243
            jurisdictionCountryName   = US
            jurisdictionStateOrProvinceName = Texas
            jurisdictionLocalityName  = Houston
            businessCategory          = Private Organization
            countryName               = US
            postalCode                = 77025
            stateOrProvinceName       = Texas
            localityName              = Houston
            streetAddress             = Suite 286C
            streetAddress             = 2617 W Holcombe Blvd
            organizationName          = SSL Corp
            organizationalUnitName    = Security
            organizationalUnitName    = COMODO EV Multi-Domain SSL
            commonName                = www.ssl.com
        Subject Public Key Info:
        ...
            X509v3 Subject Alternative Name:
                DNS:www.ssl.com, DNS:answers.ssl.com, DNS:faq.ssl.com, DNS:info.ssl.com, DNS:links.ssl.com, DNS:reseller.ssl.com, DNS:secure.ssl.com, DNS:ssl.com, DNS:support.ssl.com, DNS:sws.ssl.com, DNS:tools.ssl.com
        ...
Only the commonName Subject field is used as the name of the domain; all the other entries within Subject, such as the organizationalUnitName, are irrelevant, even though they look like domain names.
To retrieve all the certs and save them, try:
$ openssl s_client -showcerts -connect www.ssl.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | csplit - -z -f cert- '/-END CERTIFICATE-/1' '{*}'
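To see the rule above in practice, here is an added example (not from the answer, and every name in it is constructed) that builds a throwaway self-signed certificate with a domain-looking OU and a mixed SAN, extracts only the CN and the SAN DNS entries with the same openssl x509 command, and checks a hostname against them with single-label wildcard matching. It assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original answer): make a throwaway self-signed cert
# whose Subject OU looks like a domain and whose SAN mixes DNS: and IP: entries,
# extract only the matchable names (CN + SAN DNS:), and apply wildcard matching.
set -e

# make_demo_cert DIR -> writes DIR/cert.pem (every name here is constructed)
make_demo_cert() {
    cat > "$1/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = www.example.test
OU = not.a.hostname.example
[v3]
subjectAltName = DNS:www.example.test,DNS:*.example.test,IP:192.0.2.1
EOF
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$1/key.pem" -out "$1/cert.pem" -days 1 -config "$1/san.cnf" 2>/dev/null
}

# cert_names FILE -> the CN, then each SAN DNS: entry, one per line.
# OU values and non-DNS SAN types (IP:, email:, ...) are deliberately skipped.
cert_names() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -noout -text -in "$1" | awk '/Subject Alternative Name:/ { getline; print }' |
        tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# host_matches NAME HOST -> 0 if HOST is covered by certificate name NAME.
# A wildcard only stands for the whole leftmost label: *.example.test covers
# faq.example.test but neither example.test nor a.b.example.test.
host_matches() {
    case "$1" in
        \*.*) suffix=${1#\*.}; label=${2%.$suffix}
              # what precedes ".$suffix" must be exactly one non-empty label
              [ "$label" != "$2" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# cert_covers FILE HOST -> 0 if any name in the cert covers HOST
cert_covers() {
    names=$(cert_names "$1")
    ( set -f; IFS='
'; for n in $names; do host_matches "$n" "$2" && exit 0; done; exit 1 )
}
```

Running cert_names on the generated cert lists www.example.test (from the CN), then www.example.test and *.example.test (from the SAN); the OU and the IP entry never appear, so not.a.hostname.example is rejected by cert_covers while faq.example.test is accepted.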