SSH Tectia


ssh-certview-g3 — certificate viewer


[options...] file
[options...] file ...


The ssh-certview-g3 program is a simple command-line application, capable of decoding and showing X.509 certificates, CRLs, and certification requests. The command output is written to the standard output.


The following options are available:


Displays a short help.


Gives more diagnostic output.


Gives no diagnostic output.


The next input file type is auto-detected (default).


The next input file is a certificate.


The next input file is a cross-certificate pair.


The next input file is a CRMF certification request.


The next input file is a PKCS #10 certification request.


The next input file is a CRL.


The next input file is a private key.


The next input file is a PKCS#12 package.


The next input file is an SSH2 public key.


The next input file is a Netscape-generated SPKAC request.


Does not check the validity of the signature on the input certificate.


Determines PEM/DER automatically (default).


Assumes that the input file is in PEM (ASCII base-64) format. This option allows both actual PEM (with headers and footers), and plain base-64 (without headers and footers). An example of PEM header and footer is shown below:

encoded data

Assumes that the input file is in DER format.


Assumes that the input file is in Hexl format. (Hexl is a common Unix tool for outputting binary files in a certain hexadecimal representation.)

-skip number

Skips number bytes from the beginning of input before trying to decode. This is useful if the file contains some garbage before the actual contents.


Prints names in LDAP order.


Prints names in UTF-8.


Prints names in ISO-8859-1.


Outputs big numbers in base-10 (default).


Outputs big numbers in base-16.


Outputs big numbers in base-64.

-width number

Sets output width (number characters).


For example, using a certificate downloaded from, when the following command is given:

$ ssh-certview-g3 -width 70 ca-certificate.cer

The following output is produced:

Certificate =
  SubjectName = <C=FI, O=SSH Communications Security Corp, CN=Secure
    Shell Test CA>
  IssuerName = <C=FI, O=SSH Communications Security Corp, CN=Secure
    Shell Test CA>
  SerialNumber= 34679408
  SignatureAlgorithm = rsa-pkcs1-sha1
  Certificate seems to be self-signed.
      * Signature verification success.
  Validity =
    NotBefore = 2003 Dec  3rd, 08:04:27 GMT
    NotAfter  = 2005 Dec  2nd, 08:04:27 GMT
  PublicKeyInfo =
    PublicKey =
      Algorithm name (SSH) : if-modn{sign{rsa-pkcs1-md5}}
      Modulus n  (1024 bits) :
      Exponent e (  17 bits) :
  Extensions =
    Available = authority key identifier, subject key identifier, key
      usage(critical), basic constraints(critical), authority
      information access
    KeyUsage = DigitalSignature KeyEncipherment KeyCertSign CRLSign
    BasicConstraints =
      PathLength = 0
      cA         = TRUE
    AuthorityKeyID =
      KeyID =
    SubjectKeyID =
      KeyId =
    AuthorityInfoAccess =
      AccessMethod =
      AccessLocation =
        Following names detected =
          URI (uniform resource indicator)
        Viewing specific name types =
          URI =
  Fingerprints =
    MD5 = c7:af:e5:3d:f6:ea:ce:da:07:93:d0:06:8d:c0:0a:f8
    SHA-1 =