Know Extended Key Usage

Discussion:

Akash Jain

2014-10-08 05:40:00 UTC

Permalink

HI,

How can I know the "Extended Key Usage" parameters of a remote SSL enabled
site using OpenSSL ?

Thanks,
Akash

Lewis Rosenthal

2014-10-08 06:40:13 UTC

Permalink

Hi, Akash...

Post by Akash Jain
HI,
How can I know the "Extended Key Usage" parameters of a remote SSL
enabled site using OpenSSL ?

Does this help:

https://www.madboa.com/geek/openssl/#cert-retrieve

You could modify the one script there to something like:

#!/bin/sh
#
for CERT in \
www.somesite.tld:443
do
echo |\
openssl s_client -connect ${CERT} 2>/dev/null |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |\
openssl x509 -noout -text
done

and filter the output of the -text param.

It's interesting that I can't seem to hit on a specific option to dump
just the extended key usage data.

Actually, as I was drafting this, I thought that perl might be a more
elegant way to go. Perhaps have a look at:

http://cpansearch.perl.org/src/MIKEM/Net-SSLeay-1.47/examples/x509_cert_details.pl

Anyone else have a suggestion?

Cheers
--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
IRS Circular 230 Disclosure applies see www.2rosenthals.com
-------------------------------------------------------------

--
This email was Anti Virus checked by Astaro Security Gateway. http://www.astaro.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org

Akash Jain

2014-10-08 07:28:32 UTC

Permalink

Thanks Lewis !

I also used -

openssl s_client -showcerts -connect google.com:443 < /dev/null | openssl
x509 -outform PEM | openssl x509 -noout -text | grep -A1 "X509v3 Extended
Key Usage"

On Tue, Oct 7, 2014 at 11:40 PM, Lewis Rosenthal <

Post by Lewis Rosenthal
Hi, Akash...

Post by Akash Jain
HI,
How can I know the "Extended Key Usage" parameters of a remote SSL
enabled site using OpenSSL ?

https://www.madboa.com/geek/openssl/#cert-retrieve
#!/bin/sh
#
for CERT in \
www.somesite.tld:443
do
echo |\
openssl s_client -connect ${CERT} 2>/dev/null |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |\
openssl x509 -noout -text
done
and filter the output of the -text param.
It's interesting that I can't seem to hit on a specific option to dump
just the extended key usage data.
Actually, as I was drafting this, I thought that perl might be a more
http://cpansearch.perl.org/src/MIKEM/Net-SSLeay-1.47/
examples/x509_cert_details.pl
Anyone else have a suggestion?
Cheers
--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
IRS Circular 230 Disclosure applies see www.2rosenthals.com
-------------------------------------------------------------
--
This email was Anti Virus checked by Astaro Security Gateway.
http://www.astaro.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org

Jakob Bohm

2014-10-08 12:43:39 UTC

Permalink

I think you can safely omit the middle openssl command.

Post by Akash Jain
Thanks Lewis !
I also used -
openssl s_client -showcerts -connect google.com:443
<http://google.com:443> < /dev/null | openssl x509 -outform PEM |
openssl x509 -noout -text | grep -A1 "X509v3 Extended Key Usage"
On Tue, Oct 7, 2014 at 11:40 PM, Lewis Rosenthal
Hi, Akash...
HI,
How can I know the "Extended Key Usage" parameters of a remote
SSL enabled site using OpenSSL ?
https://www.madboa.com/geek/openssl/#cert-retrieve
#!/bin/sh
#
for CERT in \
www.somesite.tld:443
do
echo |\
openssl s_client -connect ${CERT} 2>/dev/null |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |\
openssl x509 -noout -text
done
and filter the output of the -text param.
It's interesting that I can't seem to hit on a specific option to
dump just the extended key usage data.
Actually, as I was drafting this, I thought that perl might be a
http://cpansearch.perl.org/src/MIKEM/Net-SSLeay-1.47/examples/x509_cert_details.pl
Anyone else have a suggestion?
Cheers
--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
<http://www.2rosenthals.com>
visit my IT blog www.2rosenthals.net/wordpress
<http://www.2rosenthals.net/wordpress>
IRS Circular 230 Disclosure applies see www.2rosenthals.com
<http://www.2rosenthals.com>
-------------------------------------------------------------
--
This email was Anti Virus checked by Astaro Security Gateway. http://www.astaro.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org

Lewis Rosenthal

2014-10-08 14:56:52 UTC

Permalink

Hi, all...

Actually, Jakob, I think it's the second one (the first one after the
pipe) which can come out, i.e.:

openssl s_client -showcerts -connect google.com:443 < \
/dev/null | openssl x509 -noout -text | grep -A1 "X509v3 Extended Key Usage"

which seems to produce a little less noise, but it's still not down to a
single line of output. Still, it's more elegant than what I cited, I think.

Cheers

Post by Jakob Bohm
I think you can safely omit the middle openssl command.

Post by Akash Jain
Thanks Lewis !
I also used -
openssl s_client -showcerts -connect google.com:443
<http://google.com:443> < /dev/null | openssl x509 -outform PEM |
openssl x509 -noout -text | grep -A1 "X509v3 Extended Key Usage"
On Tue, Oct 7, 2014 at 11:40 PM, Lewis Rosenthal
Hi, Akash...
HI,
How can I know the "Extended Key Usage" parameters of a remote
SSL enabled site using OpenSSL ?
https://www.madboa.com/geek/openssl/#cert-retrieve
#!/bin/sh
#
for CERT in \
www.somesite.tld:443
do
echo |\
openssl s_client -connect ${CERT} 2>/dev/null |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |\
openssl x509 -noout -text
done
and filter the output of the -text param.
It's interesting that I can't seem to hit on a specific option to
dump just the extended key usage data.
Actually, as I was drafting this, I thought that perl might be a
http://cpansearch.perl.org/src/MIKEM/Net-SSLeay-1.47/examples/x509_cert_details.pl
Anyone else have a suggestion?
Cheers
-- Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
<http://www.2rosenthals.com>
visit my IT blog www.2rosenthals.net/wordpress
<http://www.2rosenthals.net/wordpress>
IRS Circular 230 Disclosure applies see www.2rosenthals.com
<http://www.2rosenthals.com>
-------------------------------------------------------------
-- This email was Anti Virus checked by Astaro Security Gateway.
http://www.astaro.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org

Enjoy
Jakob

--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
IRS Circular 230 Disclosure applies see www.2rosenthals.com
-------------------------------------------------------------

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org

Jakob Bohm

2014-10-08 15:04:52 UTC

Permalink

Yep, middle of 3 openssl commands in the pipeline...

Post by Lewis Rosenthal
Hi, all...
Actually, Jakob, I think it's the second one (the first one after the
openssl s_client -showcerts -connect google.com:443 < \
/dev/null | openssl x509 -noout -text | grep -A1 "X509v3 Extended Key Usage"
which seems to produce a little less noise, but it's still not down to
a single line of output. Still, it's more elegant than what I cited, I
think.
Cheers

Post by Jakob Bohm
I think you can safely omit the middle openssl command.

Post by Akash Jain
Thanks Lewis !
I also used -
openssl s_client -showcerts -connect google.com:443
<http://google.com:443> < /dev/null | openssl x509 -outform PEM |
openssl x509 -noout -text | grep -A1 "X509v3 Extended Key Usage"
On Tue, Oct 7, 2014 at 11:40 PM, Lewis Rosenthal
Hi, Akash...
HI,
How can I know the "Extended Key Usage" parameters of a remote
SSL enabled site using OpenSSL ?
https://www.madboa.com/geek/openssl/#cert-retrieve
#!/bin/sh
#
for CERT in \
www.somesite.tld:443
do
echo |\
openssl s_client -connect ${CERT} 2>/dev/null |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |\
openssl x509 -noout -text
done
and filter the output of the -text param.
It's interesting that I can't seem to hit on a specific option to
dump just the extended key usage data.
Actually, as I was drafting this, I thought that perl might be a
http://cpansearch.perl.org/src/MIKEM/Net-SSLeay-1.47/examples/x509_cert_details.pl
Anyone else have a suggestion?
Cheers
-- Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
<http://www.2rosenthals.com>
visit my IT blog www.2rosenthals.net/wordpress
<http://www.2rosenthals.net/wordpress>
IRS Circular 230 Disclosure applies see www.2rosenthals.com
<http://www.2rosenthals.com>
-------------------------------------------------------------
-- This email was Anti Virus checked by Astaro Security Gateway.
http://www.astaro.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org

Enjoy
Jakob

Dave Thompson

2014-10-13 21:57:57 UTC

Permalink

Sent: Wednesday, October 08, 2014 10:57
Actually, Jakob, I think it's the second one (the first one after the

Yes.

openssl s_client -showcerts -connect google.com:443 < \
/dev/null | openssl x509 -noout -text | grep -A1 "X509v3 Extended Key Usage"
which seems to produce a little less noise, but it's still not down to a
single line of output. Still, it's more elegant than what I cited, I think.

The remaining noise is a few lines s_client writes to stderr.
Add 2>/dev/null, or 2>&1 and let the next stage discard it.
(I prefer the latter because it's the same Unix/Windows;
one less on the list of adjustments I must remember.)

Also the -showcerts is useless and misleading. x509 -noout -text
only decodes and displays the *first* cert in the s_client output,
so including and then ignoring the CA certs is just wasted.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org

Continue reading on narkive:

Search results for 'Know Extended Key Usage' (Questions and Answers)

replies

In Evolution, how does the genetic material of the body know that a change is needed?

started 2010-01-03 11:06:15 UTC

biology

replies

What is India best known for?

started 2008-01-05 20:54:53 UTC

geography

replies

Article in my local paper.. what are your thoughts? ?