# Cert Decode

Parse and display human-readable details from X.509 PEM certificates using openssl.

## Input

- PEM certificate content (text starting with `-----BEGIN CERTIFICATE-----`) pasted directly, OR
- Path to a `.pem` or `.crt` file, OR
- Hostname to fetch the live certificate from (e.g., `example.com`)

## Output

- Subject (CN, O, OU, C)
- Issuer (CA name, organization)
- Validity: Not Before / Not After (expiry date)
- Serial number
- Subject Alternative Names (SANs)
- Public key algorithm and size
- Signature algorithm
- Whether the cert is expired or expiring soon

## Instructions

1. Determine the input type: pasted PEM text, file path, or hostname.
2. From pasted PEM text, write the PEM content to a temp file, then:
   ```sh
   echo "PEM_CONTENT" | openssl x509 -text -noout
   ```
   Or use process substitution if available.
3. From a file path:
   ```sh
   openssl x509 -text -noout -in /path/to/cert.pem
   ```
4. From a live hostname (port 443):
   ```sh
   echo | openssl s_client -connect HOSTNAME:443 -servername HOSTNAME 2>/dev/null | openssl x509 -text -noout
   ```
5. Extract and present the key fields from the `openssl x509 -text` output in a clean, readable format:
   - Subject: parse the `Subject:` line
   - Issuer: parse the `Issuer:` line
   - Valid From: parse `Not Before:`
   - Valid Until: parse `Not After :`
   - Serial: parse `Serial Number:`
   - SANs: parse the `X509v3 Subject Alternative Name:` block for all `DNS:` and `IP Address:` entries
   - Key: parse `Public Key Algorithm:` and the key size (e.g., `RSA Public-Key: (2048 bit)`)
   - Signature Algorithm: parse `Signature Algorithm:`
6. Calculate whether the certificate is:
   - Already expired (Not After is in the past)
   - Expiring within 30 days (warn the user)
   - Valid (show days remaining)
7. If `openssl` is not found, tell the user:
   > "This skill requires openssl. Install with: `brew install openssl` (macOS) or `sudo apt install openssl` (Linux)."

## Examples

From file:
Command: `openssl x509 -text -noout -in /etc/ssl/cert.pem`

From hostname:
Command: `echo | openssl s_client -connect github.com:443 -servername github.com 2>/dev/null | openssl x509 -text -noout`

Sample parsed output:
```
Subject: CN=github.com, O=GitHub, Inc., C=US
Issuer: CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1, O=DigiCert Inc, C=US
Valid From: 2024-03-07
Valid Until: 2025-03-06 ⚠ expires in 14 days
Serial: 0a:bc:12:...
SANs: github.com, www.github.com
Key: EC 256 bit (prime256v1)
Signature: ecdsa-with-SHA384
```

## Error Handling

- `openssl` not found → tell the user to install it
- Input is not valid PEM → openssl will error with `unable to load certificate`; tell the user the input does not appear to be a valid PEM certificate
- Hostname unreachable → `openssl s_client` will fail; report the connection error and suggest checking the hostname or network
- DER format instead of PEM → tell the user to convert first with: `openssl x509 -inform DER -in cert.der -out cert.pem`
- Certificate chain (multiple certs) → only the first cert is parsed; inform the user if they need a specific cert from the chain
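As an added example (not code from the skill itself), the field extraction of step 5 and the expiry classification of step 6 implemented in Python over a constructed, abbreviated `openssl x509 -text -noout` dump; the `SAMPLE` text, the function names and the dictionary keys are assumptions made here, while the 30-day threshold and field labels follow the steps above.

```python
import re
from datetime import datetime, timezone

# Constructed, abbreviated `openssl x509 -text -noout` output mirroring the page's sample (not a real dump)
SAMPLE = """\
        Serial Number:
            0a:bc:12:34:56:78:9a:bc:de:f0:11:22:33:44:55:66
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
            Not Before: Mar  7 00:00:00 2024 GMT
            Not After : Mar  6 23:59:59 2025 GMT
        Subject: C = US, O = GitHub, Inc., CN = github.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:github.com, DNS:www.github.com
"""

def _openssl_date(s):
    # openssl prints e.g. "Mar  7 00:00:00 2024 GMT"; the zone is always GMT/UTC
    return datetime.strptime(s.replace(" GMT", ""), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_cert_text(text):
    """Extract the step-5 fields from `openssl x509 -text -noout` output."""
    def first(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1).strip() if m else None
    san_line = first(r"X509v3 Subject Alternative Name:[^\n]*\n\s*(.+)") or ""
    return {
        "subject": first(r"^\s*Subject: (.+)$"),
        "issuer": first(r"^\s*Issuer: (.+)$"),
        "not_before": _openssl_date(first(r"Not Before: (.+)")),
        "not_after": _openssl_date(first(r"Not After : (.+)")),
        # serial is on the next line (colon-hex) or inline for small values ("4096 (0x1000)")
        "serial": first(r"Serial Number:\s*([0-9a-fA-F:]+)"),
        "sans": re.findall(r"(?:DNS|IP Address):([^,\s]+)", san_line),
        "key_algorithm": first(r"Public Key Algorithm: (.+)"),
        "key_bits": int(first(r"Public-Key: \((\d+) bit\)")),  # also matches "RSA Public-Key:"
        "curve": first(r"ASN1 OID: (\S+)"),  # None for RSA keys
        "signature_algorithm": first(r"Signature Algorithm: (.+)"),
    }

def expiry_status(not_after, now=None, warn_days=30):
    """Step 6: 'expired', 'expiring_soon' (within warn_days) or 'valid', with days left."""
    days_left = (not_after - (now or datetime.now(timezone.utc))).days
    status = "expired" if days_left < 0 else "expiring_soon" if days_left <= warn_days else "valid"
    return status, days_left
```

Feed the function the real output of the step 3 or step 4 command instead of `SAMPLE` to decode an actual certificate; `now` is a parameter only so the expiry check is deterministic in tests.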