How to Programmatically Check Subject Alternative Names in SSL/TLS Certificates

Dec 06, 2025 · Programming

Keywords: SSL certificate | Subject Alternative Names | OpenSSL

Abstract: This article provides a practical guide to programmatically checking Subject Alternative Names (SAN) in SSL/TLS certificates using OpenSSL tools. It explains why SAN matters in certificate validation and demonstrates step-by-step methods to extract SAN entries from both remote servers and local certificate files. The content covers using openssl s_client for server connections, openssl x509 for certificate parsing, and grep for filtering the DNS entries. Common issues such as connection persistence and script automation are addressed, along with the direct file-based approach for offline analysis.

In SSL/TLS certificate validation, Subject Alternative Names (SAN) are the extension that lets a single certificate secure multiple names, and they are the only place modern clients look when matching a hostname: browsers and current TLS libraries ignore the subject Common Name (CN) for this purpose, so a name that is not listed in the SAN is not covered, whatever the CN says. For system administrators and developers, programmatically checking SAN entries in certificates is therefore a common operational task. This article details how to achieve this using OpenSSL tools.

Extracting SAN from Remote Servers

To extract Subject Alternative Names from an SSL/TLS certificate on a remote server, use OpenSSL's s_client command to establish a connection, then pipe the output to the x509 command for parsing. The basic command structure is as follows:

openssl s_client -connect website.example:443 -servername website.example </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:

This command executes in three steps. First, openssl s_client -connect website.example:443 establishes a TLS connection to the specified server and port. The -servername option sends the host name in the SNI extension, so a server that hosts several certificates on one address returns the one for website.example instead of a default certificate (OpenSSL 1.1.1 and later send SNI from the -connect host by default, but stating it explicitly is harmless and also works on older releases). Input redirection </dev/null gives s_client an immediate end-of-file, so it does not wait for data to send after the handshake, and 2>/dev/null discards its diagnostic output. Be aware that the discarded output includes any chain-verification error: s_client still completes the handshake and prints the certificate when verification fails, so this pipeline reports what the server presented, not whether that certificate validates.

Next, the connection output is piped to openssl x509 -noout -text. By default s_client prints only the server's leaf (end-entity) certificate in PEM form (add -showcerts to see the whole chain), and openssl x509 parses the first PEM block it finds in its input. The -noout option suppresses re-printing the encoded certificate, while -text renders the certificate as human-readable text. This step outputs all certificate details, including issuer, validity period, public key, and extension fields.

Finally, grep DNS: keeps only the line containing the DNS: prefix. In the text representation of the certificate, all SAN entries are printed on a single line, comma separated, so the output looks like DNS:www.example.com, DNS:example.com, indicating the certificate secures these two names. Two caveats apply. A SAN may also carry entries of other types, most commonly IP Address:203.0.113.10 for a certificate issued to an address, and grep DNS: drops those. And the filter matches the string DNS: anywhere in the output rather than selecting the extension itself. On OpenSSL 1.1.1 and later, openssl x509 -noout -ext subjectAltName prints just that extension, which is a more precise starting point for automation.

Handling Command Execution Issues

In practice, when s_client is run with its standard input left attached to a terminal, it keeps the connection open after the handshake and waits for data to send, which stalls a script. Any source of end-of-file on stdin fixes this; a common idiom is to prepend echo:

echo | openssl s_client -connect website.example:443 -servername website.example 2>/dev/null | openssl x509 -noout -text | grep DNS:

echo sends a single newline (which s_client forwards to the server as application data, harmless for an HTTPS endpoint) followed by end-of-file, so s_client exits as soon as the handshake is done. The </dev/null redirection in the previous section achieves the same thing without sending anything. Neither form protects against a server that accepts the TCP connection but never finishes the handshake, so for batch checks or monitoring jobs, wrap the command in GNU coreutils timeout (for example timeout 10 openssl s_client ...) and treat an empty result as a failure rather than as "no SAN".

Extracting SAN from Local Certificate Files

If the certificate already exists as a file, you can parse it directly using the openssl x509 command without establishing a network connection. The command format is:

openssl x509 -noout -text -in MyCertificate.crt | grep DNS:

Here, -in MyCertificate.crt specifies the input certificate file path. As in the remote method, -noout -text renders the certificate as text, and grep DNS: keeps only the SAN line. The file is expected to be PEM; for a DER-encoded file (often a .cer or .der extension) add -inform DER. This method is suitable for offline analysis or for processing certificate files obtained from other sources.
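The three steps above (extract from a server, avoid the stdin hang, extract from a file) wrapped into reusable shell functions, plus the check that the commands themselves do not perform: whether a given hostname is actually covered by a DNS SAN entry, including the one-label wildcard rule. This is an added example and not code from the original article; the function names, the self-signed demonstration certificate and the names in it (reserved example domains and a documentation IP address) are constructed for the demo, and OpenSSL 1.1.1 or newer is assumed for req -addext.

```shell
#!/bin/sh
# Added example, not part of the original article. Everything here is
# constructed for the demonstration: the certificate is self-signed and the
# names in it are reserved example domains. Requires OpenSSL 1.1.1 or newer.
set -eu

# Read one PEM certificate on stdin and print its SAN entries one per line,
# in the form openssl prints them: "DNS:name", "IP Address:a.b.c.d", "email:...".
# openssl x509 -text prints all entries on the single line that follows the
# "X509v3 Subject Alternative Name:" header, separated by ", ".
san_entries() {
    openssl x509 -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# SAN entries of a PEM certificate file (the offline case).
san_from_file() {
    san_entries < "$1"
}

# SAN entries of the leaf certificate a live server presents. -servername sends
# SNI so a multi-tenant host returns the right certificate; </dev/null ends the
# session as soon as the handshake is done. Returns non-zero when no certificate
# came back (DNS failure, refused connection, failed handshake).
# Not exercised by the offline demo below because it needs network access.
san_from_host() {
    host=$1
    port=${2:-443}
    pem=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
          | openssl x509 2>/dev/null) || return 1
    printf '%s\n' "$pem" | san_entries
}

# Does one lower-case DNS SAN name cover a lower-case hostname?
# A wildcard matches exactly one leftmost label, as browsers do (RFC 6125 6.4.3):
# "*.example.net" covers "api.example.net" but neither "example.net"
# nor "a.b.example.net".
san_name_matches() {
    name=$1
    host=$2
    case $name in
        \*.*)
            suffix=${name#\*.}
            label=${host%."$suffix"}
            # a suffix must have been stripped, and the remainder must be one non-empty label
            if [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ]; then
                return 0
            fi
            return 1
            ;;
        *)
            if [ "$name" = "$host" ]; then return 0; fi
            return 1
            ;;
    esac
}

# Return 0 if HOST is covered by some DNS SAN entry of the certificate file CERT.
# Only DNS entries take part; an IP Address entry never matches a hostname.
san_covers_host() {
    cert=$1
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    names=$(san_from_file "$cert" | grep '^DNS:' | cut -d: -f2- | tr 'A-Z' 'a-z' || true)
    # here-document rather than a pipe so the loop runs in this shell and can return
    while read -r name; do
        if san_name_matches "$name" "$host"; then return 0; fi
    done <<EOF
$names
EOF
    return 1
}

# Constructed self-signed certificate with a mix of SAN types (not any real
# site's certificate); prints the path of the PEM file it wrote.
make_demo_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj '/CN=www.example.com' \
        -addext 'subjectAltName=DNS:www.example.com,DNS:*.example.net,IP:203.0.113.10' \
        2>/dev/null
    printf '%s\n' "$dir/cert.pem"
}

# Stand-alone demonstration on the constructed certificate.
demo_cert=$(make_demo_cert)
echo "SAN entries in $demo_cert:"
san_from_file "$demo_cert"
for h in www.example.com api.example.net example.net a.b.example.net; do
    if san_covers_host "$demo_cert" "$h"; then
        echo "$h: covered"
    else
        echo "$h: NOT covered"
    fi
done
```

For a live server, san_from_host website.example replaces the long pipeline, and an empty result or a non-zero status means the connection or handshake failed rather than that the certificate has no names. Note that the CN was deliberately set to www.example.com and is never consulted: only the SAN entries decide whether a name is covered, which is also what clients do.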

Summary of Key Concepts

Programmatically checking SAN in SSL/TLS certificates relies on the OpenSSL toolchain: s_client to fetch the certificate a server presents (with SNI so the right one comes back), x509 to parse the certificate structure, and a text filter such as grep to pull out the SAN line. In scripts, give s_client an end-of-file on stdin, bound the run with a timeout, and distinguish an empty result from a certificate that has no names. Parsing SAN from a file avoids the network dependency and works the same way. Keep in mind that these commands list what the certificate contains; deciding whether a particular hostname is covered, including the wildcard rules, is a separate step.

With these methods, developers can verify that a deployed certificate covers every name it is supposed to, before a missing name surfaces as a hostname-mismatch error on the client side. The same commands are easy to fold into deployment pipelines and certificate-monitoring jobs.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.