
A (non-wildcard) SSL certificate can be issued to match multiple domains and subdomains, like mysub1.example1.com, www.example2.com, and many others, all in one certificate with the same private key.

Is it possible to get the list of domains for which a certificate is valid? How? Is that possible from a browser, or should I use the OpenSSL CLI?

Please ask for more information if you need it. Honestly I don't know how to put the question in clear words and I'm willing to improve it.

1 Answer

The valid domain names for a certificate are stipulated in two places.

First is the Common Name (CN) which is part of the Subject field. There is only space for one name here, which means it can be a fixed name, such as www.example.com or a wildcard such as *.example.com.

The second is the Subject Alternative Name (SAN) extension, which lists additional names that the certificate is valid for. There are many options for the SAN field, but the one you'll be interested in is DNS.

If you look at the certificate GUI of most browsers, you should see both the Subject and the SAN fields.

To view them using OpenSSL simply run:

$ openssl x509 -noout -text -nameopt multiline -in <cert file>

Note that the -nameopt multiline is optional but makes it easier to read. The following example is from ssl.com as it contains a good example of the SAN:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            23:dd:f6:40:e2:ad:3f:24:2f:31:9c:c6:48:db:64:92
    Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            countryName               = US
            organizationName          = SSL.com
            organizationalUnitName    = Controlled by COMODO exclusively for SSL.com
            organizationalUnitName    = www.ssl.com
            commonName                = SSL.com Premium EV CA
        Validity
            Not Before: Mar 11 00:00:00 2016 GMT
            Not After : Nov 18 23:59:59 2016 GMT
        Subject:
            serialNumber              = NV20081614243
            jurisdictionCountryName   = US
            jurisdictionStateOrProvinceName = Texas
            jurisdictionLocalityName  = Houston
            businessCategory          = Private Organization
            countryName               = US
            postalCode                = 77025
            stateOrProvinceName       = Texas
            localityName              = Houston
            streetAddress             = Suite 286C
            streetAddress             = 2617 W Holcombe Blvd
            organizationName          = SSL Corp
            organizationalUnitName    = Security
            organizationalUnitName    = COMODO EV Multi-Domain SSL
            commonName                = www.ssl.com
        Subject Public Key Info:
...
            X509v3 Subject Alternative Name: 
                DNS:www.ssl.com, DNS:answers.ssl.com, DNS:faq.ssl.com, DNS:info.ssl.com, DNS:links.ssl.com, DNS:reseller.ssl.com, DNS:secure.ssl.com, DNS:ssl.com, DNS:support.ssl.com, DNS:sws.ssl.com, DNS:tools.ssl.com
...

Only the commonName Subject field is used as the name of the domain; all the other entries within Subject, such as the organizationalUnitName are irrelevant, even though they look like domain names.

To retrieve all the certs and save them, try:

$ openssl s_client -showcerts -connect www.ssl.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | csplit - -z -f cert- '/-END CERTIFICATE-/1' '{*}'
  • Thank you for the response. Can this be done without downloading the certificate manually? Could you please provide the command that would do this with openssl s_client connect? Commented May 30, 2016 at 14:54
  • While openssl s_client -showcerts -connect www.ssl.com:443 will show the Subject and Issuer of all remote certificates in a chain, it won't show any extensions, therefore you won't be able to see the SAN. Similarly, gnutls-cli -print-certs www.ssl.com </dev/null displays the Subject and Issuer, but no SANs. Commented May 30, 2016 at 19:34
  • Last question. Could you please provide a way to download a certificate using openssl (or any other command line method)? Thanks. Commented May 30, 2016 at 21:55
  • Pipe the output of either of the two commands in my previous comment to sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > out.pem. out.pem will probably contain more than one certificate. You'll need to split them into individual files if you want to run them through the openssl x509 ... command in my answer, otherwise only the first certificate will be displayed. Commented May 31, 2016 at 6:41
  • "... The valid domain names for a certificate are stipulated in two places ... first is the Common Name (CN) which is part of the Subject field" - Placing a hostname in the CN is deprecated by both the IETF and CA/B Forums. If a hostname is in the CN, then it must be listed in the SAN, too. There's no need to check the CN unless it's a malformed certificate. – jww Commented Nov 18, 2016 at 12:47
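The answer and the comment thread describe the whole procedure by hand: pull the PEM chain off the wire, split it into individual certificates, and read the SAN DNS entries (falling back to the Subject CN only for a legacy certificate, as jww notes). The following program is an added example, not code from the answer or from OpenSSL; it does the same job with Go's standard crypto/x509 package instead of the openssl CLI. Because it has to run offline, it constructs its own test certificates (makeCertPEM, self-signed, throwaway keys) rather than connecting to www.ssl.com; the names example.test and legacy.example.test are made up. The test data also puts a domain-looking string into organizationalUnitName to show that, as the answer says, such Subject fields are ignored.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// makeCertPEM builds a constructed, self-signed test certificate with the
// given Subject CN and SAN DNS entries and returns it PEM-encoded, in the
// same "-----BEGIN CERTIFICATE-----" form that "openssl s_client -showcerts"
// prints. It exists only so the example runs without a network connection.
func makeCertPEM(cn string, sans []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName: cn,
			// Looks like a host name but is NOT a valid name for the cert.
			OrganizationalUnit: []string{"www.example.test"},
		},
		NotBefore: time.Now().Add(-time.Hour),
		NotAfter:  time.Now().Add(24 * time.Hour),
		DNSNames:  sans, // becomes the X509v3 Subject Alternative Name extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ValidNames returns the host names a certificate is valid for: the SAN DNS
// entries when the extension is present, otherwise (legacy, deprecated
// certificates only) the Subject CN. All other Subject attributes are ignored.
func ValidNames(cert *x509.Certificate) []string {
	if len(cert.DNSNames) > 0 {
		return cert.DNSNames
	}
	if cert.Subject.CommonName != "" {
		return []string{cert.Subject.CommonName}
	}
	return nil
}

// NamesFromPEMChain walks a PEM stream that may hold several certificates
// (what the sed pipeline in the comments writes to out.pem) and returns the
// valid names of each, in chain order. This replaces the csplit step: the
// PEM decoder already yields one block at a time.
func NamesFromPEMChain(pemData []byte) ([][]string, error) {
	var out [][]string
	rest := pemData
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break // no further PEM blocks
		}
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other PEM objects that may be mixed in
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate %d: %w", len(out), err)
		}
		out = append(out, ValidNames(cert))
	}
	return out, nil
}

func main() {
	// Constructed input: one multi-domain certificate and one CN-only
	// certificate, concatenated like a -showcerts dump of a chain.
	multi, err := makeCertPEM("www.example.test",
		[]string{"www.example.test", "example.test", "api.example.test"})
	if err != nil {
		panic(err)
	}
	legacy, err := makeCertPEM("legacy.example.test", nil)
	if err != nil {
		panic(err)
	}
	chain := append(append([]byte{}, multi...), legacy...)

	names, err := NamesFromPEMChain(chain)
	if err != nil {
		panic(err)
	}
	for i, n := range names {
		fmt.Printf("certificate %d is valid for: %v\n", i, n)
	}
}
```

To use it on a real server, replace the constructed chain with the bytes of out.pem produced by the sed pipeline above; pem.Decode handles the extra s_client chatter around the blocks the same way sed does. ValidNames deliberately prefers the SAN and only reports the CN when the extension is absent, which matches what modern browsers do.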
