There are plenty of ways to inspect and work with SSL certificates, but I could not come across anything quick and easy that allows me to visually and programmatically inspect the contents of an SSL certificate’s SANs. Sure, I can bust out a nasty one-liner from the command line, but nothing beats the ease of a quick Python script.

My Bash one-liner would look something like this (which lines up with what a few folks on Stack Overflow came up with):

$ openssl x509 -in cert.pem -text | grep "DNS" | tr ',' '\n' | sed 's/DNS://'

and while that totally works, it lacks convenience. If you’re having to update your SANs regularly, it can be helpful to get a quick diff on the before/after change; ultimately, my laziness will always win out. So here’s Sanpai:

$ sanpai cert.pem
www.btmiller.com
subdomain.btmiller.com
*.btmiller.com
wewlad.btmiller.net
jeff.lebowski.dude
...
subdomain2.btmiller.com

The whole set of OpenSSL command line tools is great, but it’s just a little too unwieldy for my taste in a pinch. As mentioned earlier, when you’re updating your SANs regularly and want to validate the added/removed domains, add the second file to compare against with --diff. For example, to confirm that jeff.lebowski.dude from the previous output is removed:

$ sanpai cert-old.pem --diff cert-new.pem
! www.btmiller.com
! subdomain.btmiller.com
! *.btmiller.com
! wewlad.btmiller.net
- jeff.lebowski.dude
...
! subdomain2.btmiller.com

Behind the scenes, Sanpai uses the awesome Python Cryptography package.
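
The same extract-and-compare idea written directly against the cryptography package, as an added example (not Sanpai's own source). The function names, the `+` marker for added names and the throwaway example.test certificates are assumptions constructed for illustration; `!` and `-` follow the output shown above.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID


def san_dns_names(pem: bytes) -> list[str]:
    """Return the dNSName entries of a PEM certificate's SAN extension, in order."""
    cert = x509.load_pem_x509_certificate(pem)
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    except x509.ExtensionNotFound:
        return []  # no SAN extension means there are no names to list
    # Only DNS names are returned; IP, e-mail and URI entries are skipped.
    return ext.value.get_values_for_type(x509.DNSName)


def diff_sans(old: list[str], new: list[str]) -> list[str]:
    """Mark names kept ('!'), removed ('-') or added ('+', an assumed marker)."""
    lines = [("! " if name in new else "- ") + name for name in old]
    lines += ["+ " + name for name in new if name not in old]
    return lines


def make_sample_cert(names: list[str]) -> bytes:
    """Build a throwaway self-signed certificate (constructed sample input)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, names[0])])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject).issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(n) for n in names]),
                       critical=False)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    old = make_sample_cert(["www.example.test", "*.example.test", "retired.example.test"])
    new = make_sample_cert(["www.example.test", "*.example.test", "api.example.test"])
    print("\n".join(diff_sans(san_dns_names(old), san_dns_names(new))))
```

Reading the extension itself avoids a weakness of the grep pipeline, which matches any line of the text dump containing "DNS", not only the SAN extension.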
