Tectia

ssh-certview-g3

ssh-certview-g3 — certificate viewer

Synopsis

ssh-certview-g3 [options...] file [options...] file ...

Description

The ssh-certview-g3 program is a simple command-line application, capable of decoding and showing X.509 certificates, CRLs, and certification requests. The command output is written to the standard output.

Options

The following options are available:

-h

Displays a short help.

-verbose

Gives more diagnostic output.

-quiet

Gives no diagnostic output.

-auto

The next input file type is auto-detected (default).

-cert

The next input file is a certificate.

-certpair

The next input file is a cross-certificate pair.

-crmf

The next input file is a CRMF certification request.

-req

The next input file is a PKCS #10 certification request.

-crl

The next input file is a CRL.

-prv

The next input file is a private key.

-pkcs12

The next input file is a PKCS#12 package.

-ssh2

The next input file is an SSH2 public key.

-spkac

The next input file is a Netscape-generated SPKAC request.

-noverify

Does not check the validity of the signature on the input certificate.

-autoenc

Determines PEM/DER automatically (default).

-pem

Assumes that the input file is in PEM (ASCII base-64) format. This option allows both actual PEM (with headers and footers), and plain base-64 (without headers and footers). An example of PEM header and footer is shown below:

-----BEGIN CERTIFICATE-----
encoded data
-----END CERTIFICATE-----

-der

Assumes that the input file is in DER format.

-hexl

Assumes that the input file is in Hexl format. (Hexl is a common Unix tool for outputting binary files in a certain hexadecimal representation.)

-skip number

Skips number bytes from the beginning of input before trying to decode. This is useful if the file contains some garbage before the actual contents.

-ldap

Prints names in LDAP order.

-utf8

Prints names in UTF-8.

-latin1

Prints names in ISO-8859-1.

-base10

Outputs big numbers in base-10 (default).

-base16

Outputs big numbers in base-16.

-base64

Outputs big numbers in base-64.

-width number

Sets output width (number characters).
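
The following added Python example (not Tectia's code, and not a description of how ssh-certview-g3 works internally) shows one way to tell armored PEM, plain base-64 and DER input apart, as the -autoenc, -pem and -der options distinguish them, and to find the byte count that would be given to -skip when garbage precedes the data. The function names and the sample DER bytes are constructed for illustration.

```python
import base64
import binascii
import re

# Armored PEM: matching BEGIN/END labels around a base-64 body.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 #]+)-----(.*?)-----END \1-----", re.S)

def der_length(buf, off=0):
    """Total size (header + content) of the DER element at off, or None."""
    if len(buf) - off < 2:
        return None
    first = buf[off + 1]
    if first < 0x80:                       # short form: length in one byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) - off < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")

def looks_like_der(buf):
    """True when buf is a single SEQUENCE whose length covers the whole buffer."""
    return len(buf) >= 2 and buf[0] == 0x30 and der_length(buf) == len(buf)

def detect(data):
    """Return (kind, der_bytes) with kind in 'pem', 'base64', 'der'."""
    m = PEM_RE.search(data)
    if m:
        return "pem", base64.b64decode(b"".join(m.group(2).split()))
    if looks_like_der(data):
        return "der", data
    try:
        raw = base64.b64decode(b"".join(data.split()), validate=True)
    except binascii.Error:
        raise ValueError("input is not PEM, plain base-64 or DER") from None
    if not looks_like_der(raw):
        raise ValueError("base-64 decoded, but the result is not a DER SEQUENCE")
    return "base64", raw

def skip_offset(data):
    """Smallest count of leading bytes to skip so the rest is one DER SEQUENCE."""
    for off in range(len(data)):
        if data[off] == 0x30 and der_length(data, off) == len(data) - off:
            return off
    return None

# Constructed sample: SEQUENCE { INTEGER 1, INTEGER 2 }, not a real certificate.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER)
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + SAMPLE_B64 + b"\n-----END CERTIFICATE-----\n"
```
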

Example

For example, using a certificate downloaded from pki.ssh.com, when the following command is given:

$ ssh-certview-g3 -width 70 ca-certificate.cer

The following output is produced:

Certificate =
  SubjectName = <C=FI, O=SSH Communications Security Corp, CN=Secure
    Shell Test CA>
  IssuerName = <C=FI, O=SSH Communications Security Corp, CN=Secure
    Shell Test CA>
  SerialNumber= 34679408
  SignatureAlgorithm = rsa-pkcs1-sha1
  Certificate seems to be self-signed.
      * Signature verification success.
  Validity =
    NotBefore = 2003 Dec  3rd, 08:04:27 GMT
    NotAfter  = 2005 Dec  2nd, 08:04:27 GMT
  PublicKeyInfo =
    PublicKey =
      Algorithm name (SSH) : if-modn{sign{rsa-pkcs1-md5}}
      Modulus n  (1024 bits) :
        9635680922805930263476549641957998756341022541202937865240553
        9374740946079473767424224071470837728840839320521621518323377
        3593102350415987252300817926769968881159896955490274368606664
        0759644131690750532665266218696466060377799358036735475902257
        6086098562919363963470926690162744258451983124575595926849551
        903
      Exponent e (  17 bits) :
        65537
  Extensions =
    Available = authority key identifier, subject key identifier, key
      usage(critical), basic constraints(critical), authority
      information access
    KeyUsage = DigitalSignature KeyEncipherment KeyCertSign CRLSign
        [CRITICAL]
    BasicConstraints =
      PathLength = 0
      cA         = TRUE
        [CRITICAL]
    AuthorityKeyID =
      KeyID =
        eb:f0:4d:b5:b2:4c:be:47:35:53:a8:37:d2:8d:c8:b2:f1:19:71:79
    SubjectKeyID =
      KeyId =
        eb:f0:4d:b5:b2:4c:be:47:35:53:a8:37:d2:8d:c8:b2:f1:19:71:79
    AuthorityInfoAccess =
      AccessMethod = 1.3.6.1.5.5.7.48.1
      AccessLocation =
        Following names detected =
          URI (uniform resource indicator)
        Viewing specific name types =
          URI = http://pki.ssh.com:8090/ocsp-1/
  Fingerprints =
    MD5 = c7:af:e5:3d:f6:ea:ce:da:07:93:d0:06:8d:c0:0a:f8
    SHA-1 =
    27:d7:19:47:7c:08:3e:1a:27:4b:68:8e:18:83:e8:f9:23:e8:29:85