There are plenty of ways to inspect and work with SSL certificates, but I could not find anything quick and easy that lets me visually and programmatically inspect the contents of a certificate's Subject Alternative Names (SANs). Sure, I can bust out a nasty one-liner from the command line, but nothing beats the ease of a quick Python script.
My Bash one-liner would look something like this (which lines up with what a few folks on Stack Overflow came up with):
$ openssl x509 -in cert.pem -noout -text | grep "DNS:" | tr ',' '\n' | sed 's/ *DNS://'
and while that totally works (as long as the DNS entries are on one line, which is how openssl prints them), it lacks convenience, and it silently skips any IP address, e-mail or URI entries in the SAN. If you're having to update your SANs regularly, it can be helpful to get a quick diff of the before/after change; ultimately, my laziness will always win out. So here's Sanpai:
$ sanpai cert.pem
www.btmiller.com
subdomain.btmiller.com
*.btmiller.com
wewlad.btmiller.net
jeff.lebowski.dude
...
subdomain2.btmiller.com
The whole set of OpenSSL command line tools is great, but it's just a little too unwieldy for my taste in a pinch. As mentioned earlier, when you're updating your SANs regularly and want to validate the added and removed domains, pass a second certificate to compare against with --diff. In the output, "!" marks a name present in both certificates and "-" marks a name that is missing from the second one. For example, confirm that jeff.lebowski.dude from the previous output has been removed:
$ sanpai cert-old.pem --diff cert-new.pem
! www.btmiller.com
! subdomain.btmiller.com
! *.btmiller.com
! wewlad.btmiller.net
- jeff.lebowski.dude
...
! subdomain2.btmiller.com
Behind the scenes, Sanpai uses the awesome Python Cryptography package.
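As an added example (my own illustration, not Sanpai's source code), here is the core of what such a tool does with the cryptography package: load a PEM certificate, pull the dNSName entries out of the Subject Alternative Name extension, and diff two certificates' SAN lists. The "!" and "-" markers mirror the sample output above; "+" for names that exist only in the newer certificate is my assumption about the sensible third case. Because the example has to run offline, `make_self_signed` builds throwaway self-signed certificates in memory as constructed sample input; a real tool would read the PEM from disk instead. A certificate with no SAN extension at all is handled as an empty list rather than an exception, since older certificates that only carry a CommonName are still out there.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def san_dns_names(pem_data: bytes) -> list[str]:
    """Return the dNSName entries of the SAN extension, in certificate order.

    Only DNS entries are returned; a SAN can also carry IP addresses, e-mail
    addresses and URIs, which is exactly what the grep "DNS:" one-liner drops.
    A certificate without any SAN extension yields an empty list.
    """
    cert = x509.load_pem_x509_certificate(pem_data)
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return san.value.get_values_for_type(x509.DNSName)


def diff_sans(old: list[str], new: list[str]) -> list[tuple[str, str]]:
    """Pair each name with a marker: '!' in both certs, '-' only in old, '+' only in new.

    Names from the old certificate keep their order; additions follow in the
    new certificate's order. The '+' marker is an assumption, not Sanpai's output.
    """
    old_set, new_set = set(old), set(new)
    result = [("!" if name in new_set else "-", name) for name in old]
    result += [("+", name) for name in new if name not in old_set]
    return result


def make_self_signed(common_name: str, dns_names: list[str]) -> bytes:
    """Constructed sample input: a throwaway self-signed certificate with the
    given DNS SANs (no SAN extension at all when dns_names is empty)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=1))
        .not_valid_after(now + timedelta(days=1))
    )
    if dns_names:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names]),
            critical=False,
        )
    cert = builder.sign(key, hashes.SHA256())
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    # Constructed before/after certificates standing in for cert-old.pem and cert-new.pem.
    old_pem = make_self_signed(
        "www.btmiller.com", ["www.btmiller.com", "*.btmiller.com", "jeff.lebowski.dude"]
    )
    new_pem = make_self_signed(
        "www.btmiller.com", ["www.btmiller.com", "*.btmiller.com", "subdomain2.btmiller.com"]
    )
    for marker, name in diff_sans(san_dns_names(old_pem), san_dns_names(new_pem)):
        print(marker, name)
```

`get_values_for_type` is what keeps this honest compared with the grep pipeline: it walks the parsed GeneralName list rather than pattern-matching openssl's text rendering, so a wildcard like `*.btmiller.com` or an unusual entry type cannot confuse it.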