How to display the Subject Alternative Name of a certificate?

Learn how to display the subject alternative name of a certificate? with practical examples, diagrams, and best practices. Covers ssl, openssl, certificate development techniques with visual explan...
Tags:
Categories:

How to Display the Subject Alternative Name (SAN) of a Certificate

Illustration of a digital certificate with various fields highlighted, focusing on the SAN extension.

Learn various methods to extract and view the Subject Alternative Name (SAN) from SSL/TLS certificates using command-line tools and programming languages.

The Subject Alternative Name (SAN) extension in an X.509 certificate allows a certificate to secure multiple hostnames—such as domain names, IP addresses, email addresses, or even URIs—under a single certificate. This is a crucial feature for modern web infrastructure, enabling a single certificate to cover example.com, www.example.com, mail.example.com, and even example.net.

Unlike the Common Name (CN) field, which historically served a similar purpose but is now deprecated for multi-domain use, the SAN field is the authoritative and recommended way to specify all identities a certificate is valid for. Understanding how to view this information is essential for troubleshooting SSL/TLS issues, verifying certificate validity, and ensuring proper security configurations.

Understanding the Subject Alternative Name (SAN)

Before diving into how to display the SAN, it's important to grasp what it represents. The SAN is an extension within the X.509 certificate standard. It provides a list of identities that a certificate is valid for. These identities can be of several types:

  • DNS Name: The most common type, specifying domain names (e.g., example.com, www.example.com).
  • IP Address: For certificates securing specific IP addresses (e.g., 192.168.1.1).
  • Email Address: For S/MIME certificates (e.g., user@example.com).
  • URI: Uniform Resource Identifiers.
  • Directory Name: X.500 Distinguished Names.

Browsers and other TLS clients primarily rely on the SAN field to match the certificate to the hostname being accessed. If the hostname does not match any entry in the SAN (or the deprecated CN), a certificate validation error will occur.

flowchart TD
    A[Certificate Request] --> B{Certificate Authority (CA)}
    B --> C[Issue Certificate]
    C --> D{Certificate Contents}
    D --> D1[Subject (CN)]
    D --> D2["Extensions (SAN)"]
    D2 --> D2a["DNS Name: example.com"]
    D2 --> D2b["DNS Name: www.example.com"]
    D2 --> D2c["IP Address: 192.168.1.1"]
    D1 -- deprecated for multi-domain --> D2
    D2 -- primary validation --> E[Client (Browser/App)]
    E --> F{Hostname Match SAN?}
    F -- Yes --> G[Secure Connection]
    F -- No --> H[Certificate Error]

Certificate Issuance and Validation Flow with SAN

Displaying SAN using OpenSSL

OpenSSL is the most versatile command-line tool for working with SSL/TLS certificates. You can use it to extract the SAN from a certificate file or directly from a live server connection.

From a File

To view the SAN from a certificate file (e.g., certificate.pem), use the following command:

openssl x509 -in certificate.pem -text -noout | grep -A1 "Subject Alternative Name"

This command first reads the certificate, outputs its text representation, and then filters for the 'Subject Alternative Name' section. The -A1 flag ensures that the line containing the SAN values is also displayed.

From a Live Server

To retrieve the SAN from a certificate presented by a live server (e.g., google.com on port 443):

echo | openssl s_client -servername google.com -connect google.com:443 2>/dev/null | openssl x509 -text -noout | grep -A1 "Subject Alternative Name"
  • echo | openssl s_client ...: Establishes an SSL/TLS connection to the server.
  • -servername google.com: Specifies the Server Name Indication (SNI), crucial for servers hosting multiple certificates.
  • -connect google.com:443: Connects to the specified host and port.
  • 2>/dev/null: Suppresses error messages from s_client.
  • openssl x509 -text -noout: Parses the certificate received from the server and outputs its text form.
  • grep -A1 "Subject Alternative Name": Filters for the SAN section.

Displaying SAN in Programming Languages

Many programming languages provide libraries to parse X.509 certificates and extract their extensions, including the SAN. Here are examples for Python and Java.

Python

Using the cryptography library in Python:

from cryptography import x509
from cryptography.hazmat.backends import default_backend

# Load certificate from a file
with open("certificate.pem", "rb") as f:
    cert_data = f.read()

cert = x509.load_pem_x509_certificate(cert_data, default_backend())

try:
    san_extension = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    print("Subject Alternative Names:")
    for general_name in san_extension.value:
        if isinstance(general_name, x509.DNSName):
            print(f"  DNS Name: {general_name.value}")
        elif isinstance(general_name, x509.IPAddress):
            print(f"  IP Address: {general_name.value}")
        # Add more types as needed (e.g., x509.RFC822Name for email)
except x509.ExtensionNotFound:
    print("No Subject Alternative Name extension found.")

Java

Using Java's built-in java.security.cert package:

import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

public class SanExtractor {

    public static void main(String[] args) throws Exception {
        // Load certificate from a file
        FileInputStream fis = new FileInputStream("certificate.pem");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);

        System.out.println("Subject Alternative Names:");
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();

        if (sans != null) {
            for (List<?> sanEntry : sans) {
                // Type 2 is DNS Name, Type 7 is IP Address
                Integer type = (Integer) sanEntry.get(0);
                String value = (String) sanEntry.get(1);
                
                String typeName;
                switch (type) {
                    case 2: typeName = "DNS Name"; break;
                    case 7: typeName = "IP Address"; break;
                    case 1: typeName = "Email Address"; break;
                    case 6: typeName = "URI"; break;
                    default: typeName = "Unknown Type"; break;
                }
                System.out.println("  " + typeName + ": " + value);
            }
        } else {
            System.out.println("  No Subject Alternative Name extension found.");
        }
        fis.close();
    }
}

Why is SAN Important?

The SAN field is critical for several reasons:

  1. Modern Best Practice: It's the standard and recommended way to specify identities for a certificate, replacing the reliance on the Common Name for multi-domain certificates.
  2. Multi-Domain Support: Allows a single certificate to secure multiple distinct domain names, simplifying certificate management and reducing costs.
  3. IP Address Support: Enables certificates to be issued for and validated against specific IP addresses, which is vital in certain network configurations.
  4. Security: Ensures that clients can accurately verify the identity of the server they are connecting to, preventing man-in-the-middle attacks by ensuring the hostname matches a trusted identity in the certificate.
  5. Browser Compatibility: All modern web browsers and TLS clients strictly enforce SAN validation. Certificates without a matching SAN entry for the accessed hostname will trigger security warnings or block connections.