How to Use OpenSSL Commands (Windows/Linux)

Installation

Install and configure OpenSSL by following "OpenSSL installation procedure (Windows 11)".

The OpenSSL Project manual site

OpenSSL Master: https://docs.openssl.org/master/man1/
OpenSSL Ver.3.4: https://docs.openssl.org/3.4/man1/
OpenSSL Ver.3.3: https://docs.openssl.org/3.3/man1/
OpenSSL Ver.3.2: https://docs.openssl.org/3.2/man1/
OpenSSL Ver.1.1.1: https://docs.openssl.org/1.1.1/man1/

Commands

Use "C:\OpenSSL" as the working folder.

cd C:\OpenSSL

Reading a certificate (PEM file)

openssl x509 -text -in 証明書PEMファイル名.cer
Command output
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0d:ab:87:bf:37:6d:84:f3:8e:43:91:1b:25:3a:37:77
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Amazon, CN = Amazon RSA 2048 M01
        Validity
            Not Before: Feb 10 00:00:00 2023 GMT
            Not After : Jan  2 23:59:59 2024 GMT
        Subject: CN = qiita.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bc:6a:95:e7:31:dc:1c:5c:b7:0d:1c:b2:2b:9c:
                    97:f9:a5:28:6f:58:63:17:ea:68:ce:62:cb:95:83:
                    38:3e:09:83:83:fb:0a:48:53:9c:b3:01:e8:de:56:
                    e2:b6:d7:8d:14:cd:fc:1a:17:d5:35:88:c7:bf:ae:
                    56:b3:3d:50:83:89:88:e4:c9:42:3b:3f:3f:ff:a7:
                    83:16:6b:2b:45:07:be:ff:c9:90:fe:63:fa:ed:a1:
                    ed:19:be:36:c1:f4:f8:28:6d:c9:fb:7d:64:a3:9a:
                    32:a1:d3:63:3d:35:6e:d1:7a:72:6e:77:a2:84:d6:
                    c1:5f:ac:1a:0a:98:ea:2f:e8:2e:fb:cb:33:45:60:
                    35:e4:96:95:1a:d9:ca:35:1f:d9:32:40:33:34:03:
                    63:0f:b3:30:07:5e:57:83:46:a2:a0:8a:58:21:18:
                    4a:32:15:6a:62:a4:a5:5b:89:e9:54:f8:ec:b2:06:
                    f1:7f:ab:4e:86:2c:48:c0:22:9e:d3:51:60:fc:a4:
                    c3:e0:46:37:61:da:48:11:e1:2e:bf:cd:ae:1c:f8:
                    97:74:8f:26:75:64:65:dc:b9:bb:d0:93:d2:74:58:
                    a8:4e:fe:e1:af:f8:83:78:92:fe:68:ff:28:a3:d0:
                    81:77:47:a7:75:2c:a9:b6:46:ed:7e:5b:d7:1b:21:
                    bc:5b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                81:B8:0E:63:8A:89:12:18:E5:FA:3B:3B:50:95:9F:E6:E5:90:13:85
            X509v3 Subject Key Identifier:
                D8:7D:CE:74:D2:F7:46:3F:03:58:A6:27:D7:40:BC:83:8C:FF:65:82
            X509v3 Subject Alternative Name:
                DNS:qiita.com, DNS:*.qiita.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.r2m01.amazontrust.com/r2m01.crl
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            Authority Information Access:
                OCSP - URI:http://ocsp.r2m01.amazontrust.com
                CA Issuers - URI:http://crt.r2m01.amazontrust.com/r2m01.cer
            X509v3 Basic Constraints: critical
                CA:FALSE
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
                                32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
                    Timestamp : Feb 10 01:54:34.710 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:55:C4:F8:87:7E:DA:3C:D8:EF:2D:A6:7B:
                                13:8D:FE:06:FD:3C:EB:71:2E:C6:E2:D6:0E:26:81:67:
                                44:0D:2F:47:02:20:06:67:5D:AC:16:19:D6:2E:B4:15:
                                37:E6:33:FD:D6:88:48:E9:40:3B:D2:76:6F:F6:C8:6B:
                                C9:AB:9D:78:E1:CD
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 73:D9:9E:89:1B:4C:96:78:A0:20:7D:47:9D:E6:B2:C6:
                                1C:D0:51:5E:71:19:2A:8C:6B:80:10:7A:C1:77:72:B5
                    Timestamp : Feb 10 01:54:34.810 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:68:F0:B9:CC:EC:03:A6:15:06:07:2D:74:
                                55:7E:76:2D:28:13:39:D9:52:A6:4A:61:CD:22:3B:0D:
                                F7:91:17:5A:02:20:24:C1:DD:02:0A:62:0B:AE:02:63:
                                11:A2:69:CF:6E:AA:A8:50:52:F6:B9:CC:F3:0B:F5:9B:
                                95:A2:6F:3B:B5:AA
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
                                1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
                    Timestamp : Feb 10 01:54:34.763 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:9E:94:AA:24:31:2F:CC:19:DE:DB:71:
                                A2:54:25:48:2D:16:80:5D:C9:E4:09:FD:CE:28:F1:38:
                                E7:67:CE:F3:1B:02:20:29:5C:01:5E:7B:6C:4E:ED:83:
                                CB:03:7A:EA:1C:C7:C5:36:D0:F2:28:D2:20:30:90:EA:
                                35:98:B9:C4:26:AF:19
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        8a:70:c3:7a:9c:72:15:bb:42:f5:20:9c:35:0b:d6:c3:f2:4d:
        93:ce:b8:6e:9a:79:0f:17:c0:85:1c:80:7a:ff:dc:12:4f:8a:
        5a:e6:9e:43:1e:de:a0:bd:f1:8f:92:c4:e8:7f:3c:5d:7d:53:
        00:d1:5c:9d:cc:43:0c:82:be:88:fd:43:d5:ad:83:b9:a8:54:
        12:c3:98:55:b4:b0:28:38:0d:8d:83:a2:53:7c:8a:23:10:94:
        94:04:1b:47:bc:48:86:0e:6b:3c:81:a8:46:29:f7:d6:d3:b7:
        b2:9f:6f:a0:e4:d9:3a:df:28:0a:e8:f5:f1:c3:30:aa:08:d6:
        5c:40:b7:39:c8:61:60:8e:e8:82:88:35:fa:93:58:34:47:32:
        86:e8:d2:cb:cd:19:36:15:cd:36:0d:84:4f:e1:83:94:5e:4b:
        ec:8f:8c:51:a6:b6:0b:44:60:5c:e2:5d:14:a4:48:b6:47:2c:
        b1:81:fd:3a:ce:99:0c:00:d8:08:22:23:31:a0:16:4a:1b:77:
        73:72:cf:ce:95:ac:87:ae:fd:75:23:2e:20:2a:a4:62:3c:3e:
        91:69:c7:c9:99:3b:20:5a:01:c9:29:0a:5a:5f:91:f0:0a:f0:
        d6:f0:8f:9f:b8:48:b8:24:dd:57:c8:95:88:5d:23:c2:ec:23:
        7f:f3:1b:9d

OpenSSL: https://docs.openssl.org/master/man1/openssl-x509/

Reading a certificate (DER file)

openssl x509 -text -inform der -in 証明書DERファイル名.cer

Reading a certificate (displaying a PEM file in ASN.1 form)

openssl asn1parse -dump -inform pem -in 証明書PEMファイル名.cer
Command output
    0:d=0  hl=4 l=1481 cons: SEQUENCE
    4:d=1  hl=4 l=1201 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=  16 prim: INTEGER           :0DAB87BF376D84F38E43911B253A3777
   31:d=2  hl=2 l=  13 cons: SEQUENCE
   33:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   44:d=3  hl=2 l=   0 prim: NULL
   46:d=2  hl=2 l=  60 cons: SEQUENCE
   48:d=3  hl=2 l=  11 cons: SET
   50:d=4  hl=2 l=   9 cons: SEQUENCE
   52:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   57:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :US
   61:d=3  hl=2 l=  15 cons: SET
   63:d=4  hl=2 l=  13 cons: SEQUENCE
   65:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   70:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :Amazon
   78:d=3  hl=2 l=  28 cons: SET
   80:d=4  hl=2 l=  26 cons: SEQUENCE
   82:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   87:d=5  hl=2 l=  19 prim: PRINTABLESTRING   :Amazon RSA 2048 M01
  108:d=2  hl=2 l=  30 cons: SEQUENCE
  110:d=3  hl=2 l=  13 prim: UTCTIME           :230210000000Z
  125:d=3  hl=2 l=  13 prim: UTCTIME           :240102235959Z
  140:d=2  hl=2 l=  20 cons: SEQUENCE
  142:d=3  hl=2 l=  18 cons: SET
  144:d=4  hl=2 l=  16 cons: SEQUENCE
  146:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  151:d=5  hl=2 l=   9 prim: PRINTABLESTRING   :qiita.com
  162:d=2  hl=4 l= 290 cons: SEQUENCE
  166:d=3  hl=2 l=  13 cons: SEQUENCE
  168:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  179:d=4  hl=2 l=   0 prim: NULL
  181:d=3  hl=4 l= 271 prim: BIT STRING
      0000 - 00 30 82 01 0a 02 82 01-01 00 bc 6a 95 e7 31 dc   .0.........j..1.
      0010 - 1c 5c b7 0d 1c b2 2b 9c-97 f9 a5 28 6f 58 63 17   .\....+....(oXc.
      0020 - ea 68 ce 62 cb 95 83 38-3e 09 83 83 fb 0a 48 53   .h.b...8>.....HS
      0030 - 9c b3 01 e8 de 56 e2 b6-d7 8d 14 cd fc 1a 17 d5   .....V..........
      0040 - 35 88 c7 bf ae 56 b3 3d-50 83 89 88 e4 c9 42 3b   5....V.=P.....B;
      0050 - 3f 3f ff a7 83 16 6b 2b-45 07 be ff c9 90 fe 63   ??....k+E......c
      0060 - fa ed a1 ed 19 be 36 c1-f4 f8 28 6d c9 fb 7d 64   ......6...(m..}d
      0070 - a3 9a 32 a1 d3 63 3d 35-6e d1 7a 72 6e 77 a2 84   ..2..c=5n.zrnw..
      0080 - d6 c1 5f ac 1a 0a 98 ea-2f e8 2e fb cb 33 45 60   .._...../....3E`
      0090 - 35 e4 96 95 1a d9 ca 35-1f d9 32 40 33 34 03 63   5......5..2@34.c
      00a0 - 0f b3 30 07 5e 57 83 46-a2 a0 8a 58 21 18 4a 32   ..0.^W.F...X!.J2
      00b0 - 15 6a 62 a4 a5 5b 89 e9-54 f8 ec b2 06 f1 7f ab   .jb..[..T.......
      00c0 - 4e 86 2c 48 c0 22 9e d3-51 60 fc a4 c3 e0 46 37   N.,H."..Q`....F7
      00d0 - 61 da 48 11 e1 2e bf cd-ae 1c f8 97 74 8f 26 75   a.H.........t.&u
      00e0 - 64 65 dc b9 bb d0 93 d2-74 58 a8 4e fe e1 af f8   de......tX.N....
      00f0 - 83 78 92 fe 68 ff 28 a3-d0 81 77 47 a7 75 2c a9   .x..h.(...wG.u,.
      0100 - b6 46 ed 7e 5b d7 1b 21-bc 5b 02 03 01 00 01      .F.~[..!.[.....
  456:d=2  hl=4 l= 749 cons: cont [ 3 ]
  460:d=3  hl=4 l= 745 cons: SEQUENCE
  464:d=4  hl=2 l=  31 cons: SEQUENCE
  466:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
  471:d=5  hl=2 l=  24 prim: OCTET STRING
      0000 - 30 16 80 14 81 b8 0e 63-8a 89 12 18 e5 fa 3b 3b   0......c......;;
      0010 - 50 95 9f e6 e5 90 13 85-                          P.......
  497:d=4  hl=2 l=  29 cons: SEQUENCE
  499:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
  504:d=5  hl=2 l=  22 prim: OCTET STRING
      0000 - 04 14 d8 7d ce 74 d2 f7-46 3f 03 58 a6 27 d7 40   ...}.t..F?.X.'.@
      0010 - bc 83 8c ff 65 82                                 ....e.
  528:d=4  hl=2 l=  33 cons: SEQUENCE
  530:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name
  535:d=5  hl=2 l=  26 prim: OCTET STRING
      0000 - 30 18 82 09 71 69 69 74-61 2e 63 6f 6d 82 0b 2a   0...qiita.com..*
      0010 - 2e 71 69 69 74 61 2e 63-6f 6d                     .qiita.com
  563:d=4  hl=2 l=  14 cons: SEQUENCE
  565:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
  570:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  573:d=5  hl=2 l=   4 prim: OCTET STRING
      0000 - 03 02 05 a0                                       ....
  579:d=4  hl=2 l=  29 cons: SEQUENCE
  581:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Extended Key Usage
  586:d=5  hl=2 l=  22 prim: OCTET STRING
      0000 - 30 14 06 08 2b 06 01 05-05 07 03 01 06 08 2b 06   0...+.........+.
      0010 - 01 05 05 07 03 02                                 ......
  610:d=4  hl=2 l=  59 cons: SEQUENCE
  612:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 CRL Distribution Points
  617:d=5  hl=2 l=  52 prim: OCTET STRING
      0000 - 30 32 30 30 a0 2e a0 2c-86 2a 68 74 74 70 3a 2f   0200...,.*http:/
      0010 - 2f 63 72 6c 2e 72 32 6d-30 31 2e 61 6d 61 7a 6f   /crl.r2m01.amazo
      0020 - 6e 74 72 75 73 74 2e 63-6f 6d 2f 72 32 6d 30 31   ntrust.com/r2m01
      0030 - 2e 63 72 6c                                       .crl
  671:d=4  hl=2 l=  19 cons: SEQUENCE
  673:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Certificate Policies
  678:d=5  hl=2 l=  12 prim: OCTET STRING
      0000 - 30 0a 30 08 06 06 67 81-0c 01 02 01               0.0...g.....
  692:d=4  hl=2 l= 117 cons: SEQUENCE
  694:d=5  hl=2 l=   8 prim: OBJECT            :Authority Information Access
  704:d=5  hl=2 l= 105 prim: OCTET STRING
      0000 - 30 67 30 2d 06 08 2b 06-01 05 05 07 30 01 86 21   0g0-..+.....0..!
      0010 - 68 74 74 70 3a 2f 2f 6f-63 73 70 2e 72 32 6d 30   http://ocsp.r2m0
      0020 - 31 2e 61 6d 61 7a 6f 6e-74 72 75 73 74 2e 63 6f   1.amazontrust.co
      0030 - 6d 30 36 06 08 2b 06 01-05 05 07 30 02 86 2a 68   m06..+.....0..*h
      0040 - 74 74 70 3a 2f 2f 63 72-74 2e 72 32 6d 30 31 2e   ttp://crt.r2m01.
      0050 - 61 6d 61 7a 6f 6e 74 72-75 73 74 2e 63 6f 6d 2f   amazontrust.com/
      0060 - 72 32 6d 30 31 2e 63 65-72                        r2m01.cer
  811:d=4  hl=2 l=  12 cons: SEQUENCE
  813:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
  818:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  821:d=5  hl=2 l=   2 prim: OCTET STRING
      0000 - 30 00                                             0.
  825:d=4  hl=4 l= 380 cons: SEQUENCE
  829:d=5  hl=2 l=  10 prim: OBJECT            :CT Precertificate SCTs
  841:d=5  hl=4 l= 364 prim: OCTET STRING
      0000 - 04 82 01 68 01 66 00 75-00 ee cd d0 64 d5 db 1a   ...h.f.u....d...
      0010 - ce c5 5c b7 9d b4 cd 13-a2 32 87 46 7c bc ec de   ..\......2.F|...
      0020 - c3 51 48 59 46 71 1f b5-9b 00 00 01 86 39 08 0e   .QHYFq.......9..
      0030 - 56 00 00 04 03 00 46 30-44 02 20 55 c4 f8 87 7e   V.....F0D. U...~
      0040 - da 3c d8 ef 2d a6 7b 13-8d fe 06 fd 3c eb 71 2e   .<..-.{.....<.q.
      0050 - c6 e2 d6 0e 26 81 67 44-0d 2f 47 02 20 06 67 5d   ....&.gD./G. .g]
      0060 - ac 16 19 d6 2e b4 15 37-e6 33 fd d6 88 48 e9 40   .......7.3...H.@
      0070 - 3b d2 76 6f f6 c8 6b c9-ab 9d 78 e1 cd 00 75 00   ;.vo..k...x...u.
      0080 - 73 d9 9e 89 1b 4c 96 78-a0 20 7d 47 9d e6 b2 c6   s....L.x. }G....
      0090 - 1c d0 51 5e 71 19 2a 8c-6b 80 10 7a c1 77 72 b5   ..Q^q.*.k..z.wr.
      00a0 - 00 00 01 86 39 08 0e ba-00 00 04 03 00 46 30 44   ....9........F0D
      00b0 - 02 20 68 f0 b9 cc ec 03-a6 15 06 07 2d 74 55 7e   . h.........-tU~
      00c0 - 76 2d 28 13 39 d9 52 a6-4a 61 cd 22 3b 0d f7 91   v-(.9.R.Ja.";...
      00d0 - 17 5a 02 20 24 c1 dd 02-0a 62 0b ae 02 63 11 a2   .Z. $....b...c..
      00e0 - 69 cf 6e aa a8 50 52 f6-b9 cc f3 0b f5 9b 95 a2   i.n..PR.........
      00f0 - 6f 3b b5 aa 00 76 00 48-b0 e3 6b da a6 47 34 0f   o;...v.H..k..G4.
      0100 - e5 6a 02 fa 9d 30 eb 1c-52 01 cb 56 dd 2c 81 d9   .j...0..R..V.,..
      0110 - bb bf ab 39 d8 84 73 00-00 01 86 39 08 0e 8b 00   ...9..s....9....
      0120 - 00 04 03 00 47 30 45 02-21 00 9e 94 aa 24 31 2f   ....G0E.!....$1/
      0130 - cc 19 de db 71 a2 54 25-48 2d 16 80 5d c9 e4 09   ....q.T%H-..]...
      0140 - fd ce 28 f1 38 e7 67 ce-f3 1b 02 20 29 5c 01 5e   ..(.8.g.... )\.^
      0150 - 7b 6c 4e ed 83 cb 03 7a-ea 1c c7 c5 36 d0 f2 28   {lN....z....6..(
      0160 - d2 20 30 90 ea 35 98 b9-c4 26 af 19               . 0..5...&..
 1209:d=1  hl=2 l=  13 cons: SEQUENCE
 1211:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
 1222:d=2  hl=2 l=   0 prim: NULL
 1224:d=1  hl=4 l= 257 prim: BIT STRING
      0000 - 00 8a 70 c3 7a 9c 72 15-bb 42 f5 20 9c 35 0b d6   ..p.z.r..B. .5..
      0010 - c3 f2 4d 93 ce b8 6e 9a-79 0f 17 c0 85 1c 80 7a   ..M...n.y......z
      0020 - ff dc 12 4f 8a 5a e6 9e-43 1e de a0 bd f1 8f 92   ...O.Z..C.......
      0030 - c4 e8 7f 3c 5d 7d 53 00-d1 5c 9d cc 43 0c 82 be   ...<]}S..\..C...
      0040 - 88 fd 43 d5 ad 83 b9 a8-54 12 c3 98 55 b4 b0 28   ..C.....T...U..(
      0050 - 38 0d 8d 83 a2 53 7c 8a-23 10 94 94 04 1b 47 bc   8....S|.#.....G.
      0060 - 48 86 0e 6b 3c 81 a8 46-29 f7 d6 d3 b7 b2 9f 6f   H..k<..F)......o
      0070 - a0 e4 d9 3a df 28 0a e8-f5 f1 c3 30 aa 08 d6 5c   ...:.(.....0...\
      0080 - 40 b7 39 c8 61 60 8e e8-82 88 35 fa 93 58 34 47   @.9.a`....5..X4G
      0090 - 32 86 e8 d2 cb cd 19 36-15 cd 36 0d 84 4f e1 83   2......6..6..O..
      00a0 - 94 5e 4b ec 8f 8c 51 a6-b6 0b 44 60 5c e2 5d 14   .^K...Q...D`\.].
      00b0 - a4 48 b6 47 2c b1 81 fd-3a ce 99 0c 00 d8 08 22   .H.G,...:......"
      00c0 - 23 31 a0 16 4a 1b 77 73-72 cf ce 95 ac 87 ae fd   #1..J.wsr.......
      00d0 - 75 23 2e 20 2a a4 62 3c-3e 91 69 c7 c9 99 3b 20   u#. *.b<>.i...;
      00e0 - 5a 01 c9 29 0a 5a 5f 91-f0 0a f0 d6 f0 8f 9f b8   Z..).Z_.........
      00f0 - 48 b8 24 dd 57 c8 95 88-5d 23 c2 ec 23 7f f3 1b   H.$.W...]#..#...
      0100 - 9d                                                .
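
What the `offset:d= hl= l=` columns in the listing above mean, as an added example that is not part of the original page: a minimal DER walker in Python that reproduces those columns for the Key Usage extension (offset 563) and decodes the Subject Alternative Name dump (offset 535). The function names are this example's own, and only single-byte tags with definite lengths are handled.

```python
# Added example: a minimal DER walker. Helper names are this example's own.
# Only single-byte tags and definite lengths are handled, which covers X.509.

UNIVERSAL = {
    0x01: "BOOLEAN", 0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING",
    0x05: "NULL", 0x06: "OBJECT", 0x10: "SEQUENCE", 0x11: "SET",
    0x13: "PRINTABLESTRING", 0x17: "UTCTIME",
}
CLASS_PREFIX = {1: "appl", 2: "cont", 3: "priv"}
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]

# Key Usage extension (offset 563 in the listing), rebuilt from the lengths and
# dump shown there; 55 1d 0f is the DER encoding of OID 2.5.29.15.
KEY_USAGE_EXT = bytes.fromhex("300e0603551d0f0101ff0404030205a0")
# Subject Alternative Name OCTET STRING content, copied from the dump at 535.
SAN_VALUE = bytes.fromhex("3018820971696974612e636f6d820b2a2e71696974612e636f6d")


def read_tlv(buf, pos, end):
    """Return (tag, hl, l): tag byte, header length, content length."""
    if pos + 2 > end:
        raise ValueError(f"truncated header at offset {pos}")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not handled here")
    if first < 0x80:                 # short form: the byte itself is the length
        hl, length = 2, first
    elif first == 0x80:
        raise ValueError("indefinite length is not allowed in DER")
    else:                            # long form: low 7 bits count the length bytes
        n = first & 0x7F
        if pos + 2 + n > end:
            raise ValueError(f"truncated length at offset {pos}")
        hl, length = 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    if pos + hl + length > end:
        raise ValueError(f"content overruns its parent at offset {pos}")
    return tag, hl, length


def walk(buf, pos=0, end=None, depth=0):
    """Yield (offset, depth, hl, l, 'cons'|'prim', name), one per element."""
    end = len(buf) if end is None else end
    while pos < end:
        tag, hl, length = read_tlv(buf, pos, end)
        cls, num = tag >> 6, tag & 0x1F
        if cls == 0:
            name = UNIVERSAL.get(num, f"tag {num}")
        else:
            name = f"{CLASS_PREFIX[cls]} [ {num} ]"
        constructed = bool(tag & 0x20)
        yield pos, depth, hl, length, "cons" if constructed else "prim", name
        if constructed:              # children sit inside this element's content
            yield from walk(buf, pos + hl, pos + hl + length, depth + 1)
        pos += hl + length


def format_row(row):
    """Render one row in the column layout asn1parse uses."""
    off, depth, hl, length, kind, name = row
    return f"{off:5d}:d={depth:<2d} hl={hl} l={length:4d} {kind}: {name}"


def san_dns_names(value):
    """Return the dNSName entries ([2], tag byte 0x82) of a GeneralNames value."""
    tag, hl, length = read_tlv(value, 0, len(value))
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    names, pos, end = [], hl, hl + length
    while pos < end:
        t, h, l = read_tlv(value, pos, end)
        if t == 0x82:
            names.append(value[pos + h:pos + h + l].decode("ascii"))
        pos += h + l
    return names


def key_usage(bit_string):
    """Decode a KeyUsage BIT STRING (e.g. 03 02 05 a0) into bit names."""
    tag, hl, length = read_tlv(bit_string, 0, len(bit_string))
    if tag != 0x03 or length < 1:
        raise ValueError("expected a BIT STRING")
    unused, data = bit_string[hl], bit_string[hl + 1:hl + length]
    nbits = len(data) * 8 - unused   # the first content byte counts padding bits
    return [KEY_USAGE_BITS[i] for i in range(min(nbits, len(KEY_USAGE_BITS)))
            if data[i // 8] & (0x80 >> (i % 8))]


if __name__ == "__main__":
    for row in walk(KEY_USAGE_EXT):
        print(format_row(row))
    print(san_dns_names(SAN_VALUE))
    print(key_usage(KEY_USAGE_EXT[-4:]))
```

The offsets printed are relative to the start of the extension, so 0, 2, 7 and 10 correspond to 563, 565, 570 and 573 in the listing.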

Reading a certificate (displaying a DER file in ASN.1 form)

openssl asn1parse -dump -inform der -in 証明書DERファイル名.cer

Converting a certificate (PEM → DER file)

openssl x509 -in 証明書PEMファイル名.cer -outform der -out 変換後証明書DERファイル名.cer

Converting a certificate (DER → PEM file)

openssl x509 -inform der -in 証明書DERファイル名.cer -outform pem -out 変換後証明書PEMファイル名.cer

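Connecting to a web server and retrieving its certificates (checking how certificates are configured)

When the root certificate is specified with "-CAfile", the line
"Verify return code: 20 (unable to get local issuer certificate)" no longer appears in the output.

Options
-tls1_2 … connect using TLS 1.2 only
-tls1_3 … connect using TLS 1.3 only
-quiet … simplifies the output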

openssl s_client -showcerts -connect www.google.com:443
openssl s_client -showcerts -connect www.google.com:443 -CAfile "C:\OpenSSL\GTS Root R1.crt"

depth=1 is the intermediate CA certificate.
depth=0 is the TLS server certificate.

Command output (without "-CAfile")
openssl s_client -showcerts -connect www.google.com:443
Connecting to 142.250.196.132
CONNECTED(000001DC)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
verify return:1
depth=0 CN=www.google.com
verify return:1
---
Certificate chain
 0 s:CN=www.google.com
   i:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar  4 07:19:07 2024 GMT; NotAfter: May 27 07:19:06 2024 GMT
 1 s:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
subject=CN=www.google.com
issuer=C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4297 bytes and written 402 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
94500000:error:0A000126:SSL routines::unexpected eof while reading:ssl\record\rec_layer_s3.c:650:
Command output (with "-CAfile")
openssl s_client -showcerts -connect www.google.com:443 -CAfile "C:\OpenSSL\GTS Root R1.crt"
Connecting to 172.217.161.36
CONNECTED(000001DC)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify return:1
depth=1 C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
verify return:1
depth=0 CN=www.google.com
verify return:1
---
Certificate chain
 0 s:CN=www.google.com
   i:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar  4 07:19:07 2024 GMT; NotAfter: May 27 07:19:06 2024 GMT
 1 s:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
subject=CN=www.google.com
issuer=C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4298 bytes and written 402 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
F0100000:error:0A000126:SSL routines::unexpected eof while reading:ssl\record\rec_layer_s3.c:650:
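
Reading such a transcript programmatically, as an added example that is not part of the original page: the Python below parses s_client output, checks that each certificate sent is issued by the next one in the chain, names the issuer that error 20 could not find, and flags certificates close to expiry. The function names and the 30-day threshold are assumptions of this example; the sample lines are copied from the "without -CAfile" output above with the PEM bodies and handshake details left out.

```python
# Added example (not from the original page): summarise an
# `openssl s_client -showcerts` transcript. Function names are this example's own.
import re
from datetime import datetime

# Lines copied from the "without -CAfile" transcript on this page,
# with the PEM bodies and handshake details left out.
SAMPLE = """\
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
verify return:1
depth=0 CN=www.google.com
verify return:1
---
Certificate chain
 0 s:CN=www.google.com
   i:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar  4 07:19:07 2024 GMT; NotAfter: May 27 07:19:06 2024 GMT
 1 s:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Verify return code: 20 (unable to get local issuer certificate)
"""


def parse_transcript(text):
    """Extract the chain the server sent, verify errors and the final code."""
    chain, errors, current, verdict = [], [], (None, None), None
    for line in text.splitlines():
        if m := re.match(r"depth=(\d+) (.+)", line):
            current = (int(m[1]), m[2])          # remembered for a following error
        elif m := re.match(r"verify error:num=(\d+):(.+)", line):
            errors.append({"depth": current[0], "subject": current[1],
                           "num": int(m[1]), "text": m[2]})
        elif m := re.match(r"\s*(\d+) s:(.*)", line):
            chain.append({"index": int(m[1]), "subject": m[2],
                          "issuer": None, "not_after": None})
        elif chain and (m := re.match(r"\s+i:(.*)", line)):
            chain[-1]["issuer"] = m[1]
        elif chain and (m := re.match(r"\s+v:.*NotAfter: (.+) GMT", line)):
            chain[-1]["not_after"] = datetime.strptime(m[1], "%b %d %H:%M:%S %Y")
        elif m := re.match(r"\s*Verify return code: (\d+) \((.+)\)", line):
            verdict = (int(m[1]), m[2])
    return {"chain": chain, "errors": errors, "verify": verdict}


def review(parsed, now, warn_days=30):
    """Return findings as tuples: (kind, depth or chain index, detail)."""
    findings = []
    chain = parsed["chain"]
    # Each certificate sent should be issued by the one that follows it.
    for cert, nxt in zip(chain, chain[1:]):
        if cert["issuer"] != nxt["subject"]:
            findings.append(("chain-break", cert["index"], cert["issuer"]))
    for err in parsed["errors"]:
        if err["num"] == 20:
            # Error 20: the issuer of the certificate at this depth was not
            # found locally; report which issuer name that is.
            sent = next((c for c in chain if c["subject"] == err["subject"]), None)
            findings.append(("missing-issuer", err["depth"],
                             sent["issuer"] if sent else None))
        else:
            findings.append(("verify-error", err["depth"], err["text"]))
    for cert in chain:
        if cert["not_after"] is not None:
            left = (cert["not_after"] - now).days
            if left < warn_days:
                findings.append(("expires-soon", cert["index"], left))
    return findings


if __name__ == "__main__":
    parsed = parse_transcript(SAMPLE)
    print(parsed["verify"])
    for finding in review(parsed, datetime(2024, 3, 10)):
        print(finding)
```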

Related sites

How to check with OpenSSL whether the intermediate CA certificate is correctly configured on a web server

OpenSSL:https://docs.openssl.org/master/man1/openssl-s_client/

Generating a key pair

RSA-2048, RSA-3072, RSA-4096, prime256v1, secp256k1, secp384r1

openssl genrsa 2048 > cert2048.key
openssl genrsa 3072 > cert3072.key
openssl genrsa 4096 > cert4096.key
openssl ecparam -name prime256v1 -genkey -out certprime256v1.key
openssl ecparam -name secp256k1 -genkey -out certecc256.key
openssl ecparam -name secp384r1 -genkey -out certecc384.key

OpenSSL:https://docs.openssl.org/master/man1/openssl-genrsa/
OpenSSL:https://docs.openssl.org/master/man1/openssl-ecparam/

Displaying a key pair

openssl rsa -noout -text -in cert2048.key
openssl rsa -noout -text -in cert3072.key
openssl rsa -noout -text -in cert4096.key
openssl ec -text -in certprime256v1.key
openssl ec -text -in certecc256.key
openssl ec -text -in certecc384.key

OpenSSL:https://docs.openssl.org/master/man1/openssl-rsa/
OpenSSL:https://docs.openssl.org/master/man1/openssl-ec/

Output of the RSA key pair display command

Name             Description                                          Type
modulus          Modulus n (n = pq)                                   Public Key
publicExponent   Public exponent e = 65537                            Public Key
privateExponent  Private exponent d = e^(-1) mod (p-1)(q-1)           Private Key
prime1           Prime factor p of n                                  Private Key
prime2           Prime factor q of n                                  Private Key
exponent1        d mod (p-1)
exponent2        d mod (q-1)
coefficient      Chinese Remainder Theorem coefficient q^(-1) mod p

Command output
RSA Private-Key: (2048 bit, 2 primes)
modulus:
    00:e5:0f:0f:87:93:b3:65:7e:9f:83:4a:72:8a:62:
    38:a8:7f:72:1b:e4:04:77:d3:e9:b1:42:91:47:7f:
    7b:1c:0d:5a:e4:4c:1e:55:c3:8e:7b:87:63:92:6e:
    54:14:a8:25:81:c0:9c:4d:9b:8b:cb:cb:85:c6:e4:
    71:0d:7a:72:c5:2a:ee:7a:c9:a9:2e:d0:27:71:5e:
    8e:5d:1b:52:89:7b:ab:3c:b6:4d:71:f1:55:50:5c:
    5f:77:a0:a7:9c:80:44:58:de:74:ac:0a:fe:f7:55:
    11:d9:77:29:6c:78:d5:06:a3:55:8e:f1:26:10:93:
    ea:76:05:28:8b:91:75:fc:3c:1c:23:1a:7c:af:9a:
    94:fa:c9:aa:c8:39:53:0c:8d:af:76:8e:56:b7:67:
    34:1d:cf:d3:ec:1a:b1:39:47:37:4c:2f:27:67:a7:
    84:b7:89:0b:25:c2:54:39:e6:bd:1b:25:87:8a:1a:
    ac:ea:2a:92:6e:cf:0a:9e:0b:dc:3e:ee:1b:73:bd:
    aa:9b:78:ec:b3:c6:18:d2:b3:0e:a7:6f:d0:a4:6a:
    15:b0:a3:1c:0a:b3:0c:be:f0:74:fc:cc:22:98:44:
    a0:e7:33:0d:14:f6:03:af:b7:68:76:6a:81:cc:51:
    28:1a:89:5e:e9:a5:0b:64:ab:85:e7:32:30:64:8b:
    85:d1
publicExponent: 65537 (0x10001)
privateExponent:
    4b:0b:1f:1c:5c:e0:76:4d:00:b7:83:c9:78:da:eb:
    13:11:05:f2:6b:46:a7:77:6e:e5:9b:18:7b:a3:21:
    53:34:70:e5:c0:a6:63:94:b8:f6:71:89:c6:ac:8c:
    b1:63:d1:3d:ec:3b:89:15:7f:bc:59:c6:4f:3e:02:
    67:d7:09:08:dd:a2:d9:e9:7d:9b:0f:a9:0c:74:5d:
    11:d5:e4:b9:94:21:aa:b7:53:32:14:4d:ce:11:25:
    59:cc:f1:7c:cd:6d:16:ec:72:ae:f6:bf:47:8a:c0:
    59:4d:b7:ed:88:bc:c9:fa:f3:09:ec:a9:7a:de:ea:
    fe:95:7c:0e:15:ae:e0:de:b5:ee:6b:17:07:d8:87:
    cf:ce:49:6a:ee:02:6a:7f:e0:78:53:3d:b3:5b:20:
    b7:18:58:7b:45:2e:a1:b7:dc:cc:bf:81:92:c9:90:
    1c:44:ae:13:b0:03:21:ae:5a:64:d3:28:39:60:aa:
    92:01:e7:ac:64:6c:83:49:92:0c:03:c5:b7:f9:bf:
    d3:ec:6a:74:05:52:f6:de:8c:f5:f0:55:ea:79:69:
    1b:ea:14:8a:63:42:ec:ee:f6:5f:0a:ec:5f:7d:ff:
    82:f0:88:01:a6:96:4e:0c:73:fe:ae:8a:5c:9b:16:
    a7:52:18:4f:9f:75:98:60:52:f9:95:ab:43:cf:d5:
    91
prime1:
    00:f5:30:2f:64:80:d1:5d:a0:9d:36:51:ea:b6:36:
    09:33:d4:29:d6:33:55:f1:88:1e:c3:58:34:26:8a:
    90:c1:ac:d9:05:35:18:39:9f:b4:17:0d:85:f3:dd:
    75:1d:02:27:14:2a:76:8f:99:07:48:f6:a5:46:28:
    32:c4:2d:5c:0a:b0:17:8d:d2:4e:cc:7c:6f:4f:44:
    37:b1:92:4b:ac:1e:11:1d:a7:3a:0a:30:d6:8d:9b:
    6e:f5:60:ad:80:59:ee:27:6e:43:a7:16:74:77:ea:
    6f:78:48:f8:b9:97:a3:6a:21:63:d3:b6:07:ec:c3:
    90:a7:68:79:c1:d5:31:a3:3d
prime2:
    00:ef:28:cc:63:21:c2:63:6d:82:fd:65:58:ef:13:
    c0:37:c4:11:16:86:52:ab:4d:63:b6:87:07:14:b7:
    87:a7:c0:68:49:df:ba:87:0e:61:1d:ea:97:e3:56:
    ed:fb:63:ef:8b:d8:63:1f:5f:21:3d:72:88:c8:8d:
    ab:57:5c:76:22:08:27:37:b9:50:df:0d:2b:78:95:
    b3:7c:ca:c6:06:16:65:e6:01:56:15:32:21:4d:06:
    14:c1:ac:ea:6d:fd:e0:97:57:25:0a:78:78:cb:84:
    01:51:40:e2:74:56:55:04:fe:77:a3:6e:c1:3e:71:
    26:c0:91:b7:d6:67:71:86:25
exponent1:
    00:c6:a4:cb:40:b9:bc:e6:06:02:58:c7:f5:48:ba:
    6e:aa:36:f1:ce:40:b9:18:7e:17:ae:5b:ff:a4:5a:
    0e:fd:5a:74:58:eb:b3:3c:bc:4e:c3:7e:89:50:11:
    d3:98:34:ee:44:40:42:de:04:35:0a:c0:09:16:d5:
    ea:8b:55:d4:84:34:36:61:08:4a:1f:11:91:7c:be:
    e0:00:55:6e:49:7b:f2:91:fb:b1:e2:1f:bf:33:eb:
    01:f2:7a:e9:16:5b:c5:be:dc:6e:a3:28:66:23:e1:
    23:7e:68:60:5a:bc:a8:00:8c:1c:bc:a1:75:ba:34:
    97:35:8a:47:5a:ea:c6:d4:61
exponent2:
    00:c1:e4:f4:d7:c6:0e:00:68:4f:d3:ba:b0:00:9c:
    a5:b1:50:8f:7e:10:86:c3:85:29:bb:58:fb:bf:ab:
    10:1b:4b:de:01:4e:96:be:5a:45:18:69:12:9d:68:
    e3:e6:75:5e:47:a5:b6:af:3f:84:06:7a:6e:35:12:
    ce:80:34:61:3e:34:17:ff:90:89:e5:5c:9b:0a:d7:
    6b:be:57:f3:76:0a:00:b1:1a:12:3d:7a:f8:0e:a7:
    48:7a:c1:03:0b:0b:d2:63:40:6e:b2:6f:7b:97:9c:
    3d:29:30:0e:a8:bd:39:8e:a3:f4:41:17:51:2a:9b:
    b8:0c:55:d7:92:c7:28:fd:d5
coefficient:
    3d:32:54:78:96:48:42:bc:22:10:cb:ae:68:c2:82:
    e9:20:85:b0:0c:a7:f5:5e:f6:69:b7:98:27:81:da:
    41:83:f4:6e:56:06:79:0f:5d:3a:d6:d0:eb:9a:a4:
    95:49:9a:e2:04:a3:6e:09:c7:2b:d7:93:b7:ac:d8:
    0d:d0:51:9b:7a:6a:3a:6a:50:8f:09:36:30:c4:46:
    d4:2c:25:0c:89:37:14:41:3b:06:32:e3:35:de:b4:
    b9:d3:94:10:ac:26:f3:9f:32:79:32:14:a0:2c:53:
    3b:5e:e7:d7:bd:11:4b:72:93:2e:42:dd:6a:a9:45:
    e9:52:95:ae:d8:47:57:9b
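
How the eight fields in the table above fit together, as an added example that is not part of the original page: the Python below derives every field from two primes, shows that exponent1, exponent2 and coefficient give the same private-key result as privateExponent via the Chinese Remainder Theorem, and checks a set of fields for consistency. The two primes are constructed toy values and the function names are this example's own.

```python
# Added example: relations between the fields printed by `openssl rsa -text`.
# P and Q are constructed toy primes (two Mersenne primes), far too small for
# real keys; the function names are this example's own.
from math import gcd

P = 2**61 - 1
Q = 2**89 - 1


def rsa_fields(p, q, e=65537):
    """Derive every field of the table from the two primes."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                      # modular inverse, Python 3.8+
    return {
        "modulus": p * q,
        "publicExponent": e,
        "privateExponent": d,
        "prime1": p,
        "prime2": q,
        "exponent1": d % (p - 1),
        "exponent2": d % (q - 1),
        "coefficient": pow(q, -1, p),
    }


def private_op_plain(key, c):
    """c^d mod n using privateExponent and modulus only."""
    return pow(c, key["privateExponent"], key["modulus"])


def private_op_crt(key, c):
    """Same result from prime1/prime2/exponent1/exponent2/coefficient."""
    p, q = key["prime1"], key["prime2"]
    m1 = pow(c % p, key["exponent1"], p)     # result modulo p
    m2 = pow(c % q, key["exponent2"], q)     # result modulo q
    h = (key["coefficient"] * (m1 - m2)) % p
    return m2 + h * q                        # recombine the two halves


def check_consistency(key):
    """Return the names of fields that do not fit the other fields."""
    p, q = key["prime1"], key["prime2"]
    e, d = key["publicExponent"], key["privateExponent"]
    checks = {
        "modulus": key["modulus"] == p * q,
        # Holds whether d was reduced modulo (p-1)(q-1), as in the table,
        # or modulo lcm(p-1, q-1).
        "privateExponent": (e * d) % (p - 1) == 1 and (e * d) % (q - 1) == 1,
        "exponent1": key["exponent1"] == d % (p - 1),
        "exponent2": key["exponent2"] == d % (q - 1),
        "coefficient": (key["coefficient"] * q) % p == 1,
    }
    return [name for name, ok in checks.items() if not ok]


def from_openssl_hex(text):
    """Turn a colon-separated dump such as '00:e5:0f' into an integer."""
    return int("".join(text.split()).replace(":", ""), 16)


if __name__ == "__main__":
    key = rsa_fields(P, Q)
    message = int.from_bytes(b"openssl rsa -text", "big")
    cipher = pow(message, key["publicExponent"], key["modulus"])
    print(private_op_plain(key, cipher) == message)
    print(private_op_crt(key, cipher) == message)
    print(check_consistency(key))
```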

Generating a CSR

openssl req -new -key cert2048.key -sha256 -out cert2048.csr
openssl req -new -key cert3072.key -sha256 -out cert3072.csr
openssl req -new -key cert4096.key -sha256 -out cert4096.csr
openssl req -new -key certecc256.key -sha256 -out certecc256.csr
openssl req -new -key certecc384.key -sha256 -out certecc384.csr

OpenSSL:https://docs.openssl.org/master/man1/openssl-req/

Displaying a CSR

openssl req -text -noout -in cert2048.csr
openssl req -text -noout -in cert3072.csr
openssl req -text -noout -in cert4096.csr
openssl req -text -noout -in certecc256.csr
openssl req -text -noout -in certecc384.csr

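Issuing a self-signed certificate (with a specified validity period)

Validity period: 10 years (3652 days)
Validity period: 100 years (36524 days)
Certificates can be issued with an expiry date of at most December 31, 9999. (Example: 2912914 days after 2024/09/16 is 9999/12/31.)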

openssl x509 -days 3652 -in cert2048.csr -req -signkey cert2048.key -out cert2048.cer
openssl x509 -days 3652 -in cert3072.csr -req -signkey cert3072.key -out cert3072.cer
openssl x509 -days 3652 -in cert4096.csr -req -signkey cert4096.key -out cert4096.cer
openssl x509 -days 3652 -in certecc256.csr -req -signkey certecc256.key -out certecc256.cer
openssl x509 -days 3652 -in certecc384.csr -req -signkey certecc384.key -out certecc384.cer

Displaying a CRL

openssl crl -inform der -in fullcrl.crl -text -noout

OpenSSL:https://docs.openssl.org/master/man1/openssl-crl/

Generating a P12 file

Without specifying encryption algorithms (when none are specified, the following are used. Private key: pbeWithSHA1And3-KeyTripleDES-CBC; certificate: pbeWithSHA1And40BitRC2-CBC)

openssl pkcs12 -export -in cert2048.cer -inkey cert2048.key -out cert2048.p12

With encryption algorithms specified (private key: AES-256-CBC; certificate: PBE-SHA1-3DES)

openssl pkcs12 -keypbe AES-256-CBC -certpbe PBE-SHA1-3DES -export -in cert2048.cer -inkey cert2048.key -out cert2048.p12

OpenSSL:https://docs.openssl.org/master/man1/openssl-pkcs12/

Generating a P12 file (including the intermediate CA certificate)

SubordinateCA.cer … intermediate CA certificate

openssl pkcs12 -export -in cert2048.cer -inkey cert2048.key -certfile SubordinateCA.cer -out cert2048.p12

Displaying P12 file information

openssl pkcs12 -info -in cert2048.p12

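With older encryption algorithms, OpenSSL Ver.3 may return an ERROR and fail to display the file. In that case, it can be displayed with the command below. In legacy mode, the default algorithm for certificate encryption is RC2_CBC or 3DES_CBC, depending on whether the RC2 cipher is enabled in the build. The default algorithm for private key encryption is 3DES_CBC. If the legacy option is not specified, the legacy provider is not loaded, and the default encryption algorithm for both the certificate and the private key is AES_256_CBC, with PBKDF2 used for key derivation.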

openssl pkcs12 -info -in cert2048.p12 -legacy -provider-path "C:\Program Files\OpenSSL-Win64\bin"

Command output (P12 created by a CA [Actalis]; private key: PBE-SHA1-3DES, certificate: RC2_CBC_40)
(Example)
openssl pkcs12 -info -in test.pfx
Enter Import Password:

MAC: sha1, Iteration 102400
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 51200
Bag Attributes
    localKeyID: BF E9 EF 83 88 D2 F6 FB 9C 43 94 F4 76 7A CC 20 26 00 75 A7
    friendlyName: test@outlook.jp
Key Attributes: 
Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----BEGIN ENCRYPTED PRIVATE KEY-----
(omitted)
-----END ENCRYPTED PRIVATE KEY-----
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 51200
Certificate bag
Bag Attributes
    localKeyID: BF E9 EF 83 88 D2 F6 FB 9C 43 94 F4 76 7A CC 20 26 00 75 A7
    friendlyName: test@outlook.jp
subject=CN = test@outlook.jp

issuer=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Client Authentication CA G3

-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    friendlyName: Actalis Client Authentication CA G3
subject=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Client Authentication CA G3

issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA

-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    friendlyName: Actalis Authentication Root CA
subject=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA

issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA

-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Command output (P12 created with OpenSSL; private key: AES-256-CBC, certificate: PBE-SHA1-3DES)
openssl pkcs12 -info -in .\openssl-AES256-CBC.p12
Enter Import Password:

MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: 9D 9A 95 56 29 B1 EB 3C 1C 80 1E A1 87 03 C1 14 1D 96 89 48
subject=CN = test@outlook.jp

issuer=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Client Authentication CA G3

-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Certificate bag
Bag Attributes: 
subject=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Client Authentication CA G3

issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA

-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Certificate bag
Bag Attributes: 
subject=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA

issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA

-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Bag Attributes
    localKeyID: 9D 9A 95 56 29 B1 EB 3C 1C 80 1E A1 87 03 C1 14 1D 96 89 48
Key Attributes: 
Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----BEGIN ENCRYPTED PRIVATE KEY-----
(omitted)
-----END ENCRYPTED PRIVATE KEY-----
Command output (P12 exported from Windows; private key: AES-256-CBC)
openssl pkcs12 -info -in .\AES256-SHA256.pfx
Enter Import Password:

MAC: sha256, Iteration 2000
MAC length: 32, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: {D2FE608C-D706-4730-B763-0C4B78D90D98}
    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
    X509v3 Key Usage: 10
Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----BEGIN ENCRYPTED PRIVATE KEY-----
(omitted)
-----END ENCRYPTED PRIVATE KEY-----
PKCS7 Data
Certificate bag
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: test@outlook.jp
subject=CN = test@outlook.jp

issuer=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Client Authentication CA G3

-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    1.3.6.1.4.1.311.17.3.83: 30 1E 30 1C 06 06 2B 81 1F 01 11 01 30 12 30 10 06 0A 2B 06 01 04 01 82 37 3C 01 01 03 02 00 C0
    1.3.6.1.4.1.311.17.3.98: 55 92 60 84 EC 96 3A 64 B9 6E 2A BE 01 CE 0B A8 6A 64 FB FE BC C7 AA B5 AF C1 55 B3 7F D7 60 66
    1.3.6.1.4.1.311.17.3.9: 30 32 06 08 2B 06 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 03 06 08 2B 06 01 05 05 07 03 04 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06 01 05 05 07 03 08
    friendlyName: Actalis Authentication Root CA
subject=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA

issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA

-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    1.3.6.1.4.1.311.17.3.75: 38 00 42 00 34 00 33 00 41 00 36 00 41 00 32 00 41 00 42 00 33 00 31 00 44 00 38 00 46 00 36 00 42 00 38 00 39 00 44 00 43 00 46 00 44 00 34 00 46 00 44 00 39 00 36 00 38 00 36 00 44 00 35 00 5F 00 00 00
    friendlyName: Actalis Client Authentication CA G3
subject=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Client Authentication CA G3

issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA

-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Command output (P12 exported from Windows; private key: PBE-SHA1-3DES)
openssl pkcs12 -info -in .\TripleDES-SHA1.pfx
Enter Import Password:

MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: {D2FE608C-D706-4730-B763-0C4B78D90D98}
    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
    X509v3 Key Usage: 10
Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----BEGIN ENCRYPTED PRIVATE KEY-----
(omitted)
-----END ENCRYPTED PRIVATE KEY-----
PKCS7 Data
Certificate bag
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: test@outlook.jp
subject=CN = test@outlook.jp

issuer=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Client Authentication CA G3

-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    1.3.6.1.4.1.311.17.3.83: 30 1E 30 1C 06 06 2B 81 1F 01 11 01 30 12 30 10 06 0A 2B 06 01 04 01 82 37 3C 01 01 03 02 00 C0
    1.3.6.1.4.1.311.17.3.98: 55 92 60 84 EC 96 3A 64 B9 6E 2A BE 01 CE 0B A8 6A 64 FB FE BC C7 AA B5 AF C1 55 B3 7F D7 60 66
    1.3.6.1.4.1.311.17.3.9: 30 32 06 08 2B 06 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 03 06 08 2B 06 01 05 05 07 03 04 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06 01 05 05 07 03 08
    friendlyName: Actalis Authentication Root CA
subject=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA

issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA

-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    1.3.6.1.4.1.311.17.3.75: 38 00 42 00 34 00 33 00 41 00 36 00 41 00 32 00 41 00 42 00 33 00 31 00 44 00 38 00 46 00 36 00 42 00 38 00 39 00 44 00 43 00 46 00 44 00 34 00 46 00 44 00 39 00 36 00 38 00 36 00 44 00 35 00 5F 00 00 00
    friendlyName: Actalis Client Authentication CA G3
subject=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Client Authentication CA G3

issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA

-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
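The algorithm lines in the four outputs above can be checked mechanically. The following Python is an added example, not part of the original page or of OpenSSL: it parses `openssl pkcs12 -info` text and reports the MAC digest, the protection of the key and certificate bags, and which of them use the older SHA-1 based schemes. The function names, the finding strings, the legacy classification and the abridged sample texts are assumptions of this example.

```python
import re

# Policy of this example (an assumption, not an OpenSSL rule): the SHA-1 based
# PKCS#12 schemes named "pbeWithSHA1And..." and a SHA-1 MAC are reported as
# legacy; PBES2 (PBKDF2 with AES) is accepted.
LEGACY_PREFIX = "pbeWithSHA1And"

# Constructed samples: algorithm lines abridged from the outputs on this page.
ACTALIS_P12 = """MAC: sha1, Iteration 102400
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 51200
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 51200
Certificate bag
Certificate bag
"""
OPENSSL_P12 = """MAC: sha1, Iteration 2048
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
"""
WINDOWS_P12 = """MAC: sha256, Iteration 2000
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256
PKCS7 Data
Certificate bag
"""


def algorithm_of(line):
    """Return the algorithm text between the label and ', Iteration N'."""
    return line.split(":", 1)[1].split(", Iteration")[0].strip()


def audit_p12_info(text):
    """Parse `openssl pkcs12 -info` text into algorithms plus findings."""
    report = {"mac": None, "mac_iter": None, "key_pbe": None,
              "cert_pbe": None, "findings": []}
    container = None  # protection of the PKCS7 container being read
    for raw in text.splitlines():
        line = raw.strip()
        mac = re.match(r"MAC: ([\w-]+), Iteration (\d+)", line)
        if mac:
            report["mac"], report["mac_iter"] = mac.group(1), int(mac.group(2))
        elif line == "PKCS7 Data":
            container = "none"  # plain container: the bags are not wrapped
        elif line.startswith("PKCS7 Encrypted data:"):
            container = algorithm_of(line)
        elif line.startswith("Shrouded Keybag:"):
            report["key_pbe"] = algorithm_of(line)  # key bag has its own PBE
        elif line == "Certificate bag" and report["cert_pbe"] is None:
            report["cert_pbe"] = container
    if report["mac"] == "sha1":
        report["findings"].append("mac: sha1")
    for part in ("key_pbe", "cert_pbe"):
        value = report[part]
        if value == "none":
            report["findings"].append(f"{part}: not encrypted")
        elif value and value.startswith(LEGACY_PREFIX):
            report["findings"].append(f"{part}: legacy {value}")
    return report


if __name__ == "__main__":
    for name, sample in (("Actalis", ACTALIS_P12), ("OpenSSL", OPENSSL_P12),
                         ("Windows", WINDOWS_P12)):
        print(name, audit_p12_info(sample)["findings"])
```

In the Windows exports the certificate bags sit in a plain "PKCS7 Data" container, so only the private key is password-protected there.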

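Extracting the private key, certificate and intermediate CA certificate from a P12 file

# Extract the certificate and the intermediate CA certificate (opening the PEM-format CER file shows the hierarchy)
openssl pkcs12 -in cert2048.p12 -nokeys -out cert2048-allout.cer
# Extract only the certificate
openssl pkcs12 -in cert2048.p12 -clcerts -nokeys -out cert2048-out.cer
# Extract only the intermediate CA certificate
openssl pkcs12 -in cert2048.p12 -cacerts -nokeys -out SubordinateCA-out.cer
# Extract only the private key (-nodes writes it to the file unencrypted)
openssl pkcs12 -in cert2048.p12 -nocerts -nodes -out cert2048-out.key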

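Verifying a certificate

RootAndSubordinateCA.cer: a PEM file in which the root certificate and the intermediate CA certificate are concatenated

# Verify the certificate
openssl verify -CAfile RootAndSubordinateCA.cer cert2048.cer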

OpenSSL: https://docs.openssl.org/master/man1/openssl-verify/

Querying an OCSP responder

OpenSSL: https://docs.openssl.org/master/man1/openssl-ocsp/

[Reference]
OCSP Status Checker
Pasting a PEM file displays the OCSP result.

Explanation of the OCSP model
https://www.ipa.go.jp/security/pki/043.html

Querying from a certificate file

openssl ocsp -sha1 -no_nonce -CAfile [root certificate PEM file name.cer] -issuer [intermediate CA certificate PEM file name.cer] -cert [TLS server certificate PEM file name.cer] -url [OCSP responder URL starting with HTTP]

Changing "-sha1" to "-sha256" makes the Hash Algorithm of the Certificate ID SHA256.

Result
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 793C84590DB75B740B4C302271956226A68E3487
          Issuer Key Hash: 99451855A2DE5A1DD5A47625B4C33D5671FD9D3E
          Serial Number: 73FF7B6E99E146F8674BDB72C65319E5F43A4085
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = JP, ST = Tokyo, O = CA, CN = SCA01
    Produced At: Jun  9 22:50:29 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 793C84590DB75B740B4C302271956226A68E3487
      Issuer Key Hash: 99451855A2DE5A1DD5A47625B4C33D5671FD9D3E
      Serial Number: 73FF7B6E99E146F8674BDB72C65319E5F43A4085
    Cert Status: revoked
    Revocation Time: May 27 23:26:27 2022 GMT
    Revocation Reason: superseded (0x4)
    This Update: Jun  9 22:50:29 2022 GMT
    Next Update: Jun 16 22:50:29 2022 GMT

    Signature Algorithm: sha256WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            43:5a:5a:dc:0f:03:a5:dc:3a:54:30:1f:14:39:c5:de:e9:18:c3:2d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, O=CA, CN=RCA
        Validity
            Not Before: May 27 01:57:18 2022 GMT
            Not After : May 23 01:57:18 2037 GMT
        Subject: C=JP, ST=Tokyo, O=CA, CN=SCA01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                99:45:18:55:A2:DE:5A:1D:D5:A4:76:25:B4:C3:3D:56:71:FD:9D:3E
            X509v3 Authority Key Identifier: 
                keyid:37:3E:1B:49:3C:AE:71:72:21:3E:0F:57:A9:72:B9:36:7D:00:EE:BE

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://www1.example.com/RCAcrl.crl

            Authority Information Access: 
                CA Issuers - URI:http://www1.example.com/RCA.crt

    Signature Algorithm: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Response verify OK
0x73ff7b6e99e146f8674bdb72c65319e5f43a4085: revoked
	This Update: Jun  9 22:50:29 2022 GMT
	Next Update: Jun 16 22:50:29 2022 GMT
	Reason: superseded
	Revocation Time: May 27 23:26:27 2022 GMT

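(Example)
Save the EE certificate (ee.cer), the intermediate CA certificate (ica.cer) and the root CA certificate (rca.cer) as files.

openssl s_client -showcerts -connect www.google.com:443

Copy each part shown in red (the -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- blocks), in order from the top, paste it into a text file and save it.
They appear in the order EE certificate (ee.cer), intermediate CA certificate (ica.cer), root CA certificate (rca.cer).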

openssl s_client -showcerts -connect www.google.com:443
CONNECTED(000001D8)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WR2
verify return:1
depth=0 CN = www.google.com
verify return:1
---
Certificate chain
 0 s:CN = www.google.com
   i:C = US, O = Google Trust Services, CN = WR2
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
 1 s:C = US, O = Google Trust Services, CN = WR2
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.google.com

issuer=C = US, O = Google Trust Services, CN = WR2

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4106 bytes and written 396 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0

Look up the OCSP URL in the EE certificate (ee.cer).

C:\X509> openssl x509 -in .\ee.cer -text
Certificate:
    Data:
  (omitted)
            Authority Information Access:
                OCSP - URI:http://o.pki.goog/wr2

OCSP query

C:\X509> openssl ocsp -sha1 -no_nonce -CAfile rca.cer -issuer ica.cer -cert ee.cer -url http://o.pki.goog/wr2
Response verify OK
ee.cer: good
        This Update: Jun 29 18:40:50 2024 GMT
        Next Update: Jul  6 17:40:49 2024 GMT
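
The commands above send the request with `-no_nonce`, so the response is not tied to the request and its freshness rests on the This Update / Next Update window. The following Python is an added example, not part of the original page or of OpenSSL: it reads the summary lines printed by `openssl ocsp` and returns the status only when the response was verified and is inside that window. The function names, the decision strings, the 5-minute tolerance and the rejection of a response without Next Update are assumptions of this example; the sample texts are copied from the two results shown on this page.

```python
import re
from datetime import datetime, timedelta, timezone

# Samples constructed from the summary lines of the two results on this page.
REVOKED_SAMPLE = """Response verify OK
0x73ff7b6e99e146f8674bdb72c65319e5f43a4085: revoked
\tThis Update: Jun  9 22:50:29 2022 GMT
\tNext Update: Jun 16 22:50:29 2022 GMT
\tReason: superseded
\tRevocation Time: May 27 23:26:27 2022 GMT
"""
GOOD_SAMPLE = """Response verify OK
ee.cer: good
        This Update: Jun 29 18:40:50 2024 GMT
        Next Update: Jul  6 17:40:49 2024 GMT
"""
TIME_FIELDS = (("This Update", "this_update"), ("Next Update", "next_update"),
               ("Revocation Time", "revoked_at"))


def parse_time(value):
    """Parse an OpenSSL time such as 'Jun  9 22:50:29 2022 GMT' as UTC."""
    value = " ".join(value.split())  # collapse padding before 1-digit days
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def evaluate_ocsp(text, now, skew=timedelta(minutes=5)):
    """Return (decision, details); anything not provably fresh is rejected."""
    details = {}
    for raw in text.splitlines():
        line = raw.strip()
        status = re.match(r"(.+): (good|revoked|unknown)$", line)
        if status:
            details["subject"], details["status"] = status.groups()
        for label, key in TIME_FIELDS:
            if line.startswith(label + ":"):
                details[key] = parse_time(line.split(":", 1)[1])
        if line.startswith("Reason:"):
            details["reason"] = line.split(":", 1)[1].strip()
    if "Response verify OK" not in text:
        return "reject: response signature not verified", details
    if "status" not in details or "this_update" not in details:
        return "reject: no certificate status found", details
    if now < details["this_update"] - skew:
        return "reject: response not yet valid", details
    # Policy of this example: a response without Next Update counts as stale.
    if "next_update" not in details or now > details["next_update"] + skew:
        return "reject: stale response", details
    return details["status"], details


if __name__ == "__main__":
    print(evaluate_ocsp(REVOKED_SAMPLE, datetime(2022, 6, 10, tzinfo=timezone.utc)))
    print(evaluate_ocsp(GOOD_SAMPLE, datetime(2024, 7, 10, tzinfo=timezone.utc)))
```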

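Querying by serial number

openssl ocsp -sha1 -no_nonce -CAfile [root certificate PEM file name.cer] -issuer [intermediate CA certificate PEM file name.cer] -serial [serial number] -url [OCSP responder URL starting with HTTP]

In hexadecimal notation, [serial number] looks like the following.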
0x73ff7b6e99e146f8674bdb72c65319e5f43a4085

help

openssl help
Standard commands
asn1parse         ca                ciphers           cms
crl               crl2pkcs7         dgst              dhparam
dsa               dsaparam          ec                ecparam
enc               engine            errstr            gendsa
genpkey           genrsa            help              list
nseq              ocsp              passwd            pkcs12
pkcs7             pkcs8             pkey              pkeyparam
pkeyutl           prime             rand              rehash
req               rsa               rsautl            s_client
s_server          s_time            sess_id           smime
speed             spkac             srp               storeutl
ts                verify            version           x509

Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        gost              md4
md5               mdc2              rmd160            sha1
sha224            sha256            sha3-224          sha3-256
sha3-384          sha3-512          sha384            sha512
sha512-224        sha512-256        shake128          shake256
sm3

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
bf                bf-cbc            bf-cfb            bf-ecb
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
cast5-ofb         des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
idea              idea-cbc          idea-cfb          idea-ecb
idea-ofb          rc2               rc2-40-cbc        rc2-64-cbc
rc2-cbc           rc2-cfb           rc2-ecb           rc2-ofb
rc4               rc4-40            seed              seed-cbc
seed-cfb          seed-ecb          seed-ofb          sm4-cbc
sm4-cfb           sm4-ctr           sm4-ecb           sm4-ofb

References

OpenSSL commands – OpenSSL Documentation
