certinfo.py

Display information in a certificate file using the certinfo.py script in FairCom Certificate Manager

Displays certificate and private key information in a PEM file.

Easy

Run the Python script certinfo.py without command-line arguments, and it will prompt you for the following information:

  • File name of the file containing PEM or PKCS12 data.

  • Optional password of an encrypted private key in the file.

Welcome to FairCom's Certificate Information Program

Enter the location of the file to inspect (or 'x' to exit): __________

Key #: 1
  Private key modulus hash: 969db60634c9a482bd3e9095f210cd5a5df76c530f9b1ed1e5ef2a85
  Private key bits: 4096

Certificate #: 2
  Private key modulus hash: 969db60634c9a482bd3e9095f210cd5a5df76c530f9b1ed1e5ef2a85
  Public key bits: 4096
  Subject:
    C: US
    CN: adamh-dt-2019
    L: Sandy
    O: FairCom
    ST: Utah
  Issuer:
    C: US
    CN: FairCom Private Certificate Authority
    L: Sandy
    O: FairCom
    ST: Utah
  Serial Number: 20231004152528002138000000001
  Valid From (UTC): 2023-09-05 16:11:47
  Valid Until (UTC): 2033-10-05 02:11:47
  Public key algorithm: sha256
  TLS Version.v3
  Extension information:
    Extension name: Subject Alternative Name
      Critical: False
      DNSName: MyPC
      DNSName: mypc.faircom.com
      IPAddress: 10.250.250.42
      IPAddress: 127.0.0.1
      DNSName: localhost
    Extension name: Basic Constraints
      Critical: True
      CA: False
    Extension name: Key Usage
      Critical: True
      Digital signature: True
      Key encipherment: True
    Extension name: Extended Key Usage
      Critical: True
      Extended key uses:
        Server auth

Press ENTER to exit

Advanced

Run the Python script certinfo.py with command-line parameters:

python certinfo.py "/certificates/myCertificate.pem"

Command-line options

usage: certinfo.py [-h]

Welcome to FairCom's Certificate Information Program

This program optionally takes one parameter: the full path to the file to inspect. 
For example:
  python certinfo.py /certificates/myCertificate.pem

PKCS12 file format

When running certinfo against a PKCS12 (.p12) file, the program will show three sections: the primary key, the primary certificate, and any additional certificates. The additional certificates are sometimes included to provide the complete trust chain for a certificate.

When client certificates are created using FairCom's createClientCert.py program, it outputs the client certificate and key in a single PEM-encoded file by default. It additionally creates a PKCS12 file that contains the client key, the client certificate, and the CA certificate that signed the client certificate.

Here is an example output from certinfo run against one of those files:

Welcome to FairCom's Certificate Information Program
For help, run this program with the '-h' option.
Enter the location of the file to inspect (or 'x' to exit): D:\temp\CertificateManagement\Certs\Expires_On_2028-11-08\adminClient.p12
Opening D:\temp\CertificateManagement\Certs\Expires_On_2028-11-08\adminClient.p12
 D:\temp\CertificateManagement\Certs\Expires_On_2028-11-08\adminClient.p12 is in PKCS12 format.

Primary key:
  Private key modulus hash: 41bd90391a0c2209a68950869d3947e8cad57c52c138e11323b48b31
  Private key bits: 4096

Primary certificate:
  Public key modulus hash: 41bd90391a0c2209a68950869d3947e8cad57c52c138e11323b48b31
  Public key bits: 4096
  Subject:
    C: US
    CN: admin
    Email: adam.howell@gmail.com
    L: Sandy
    O: FairCom
    OU: QA
    ST: Utah
  Issuer:
    CN: FairCom Private Certificate Authority
    O: FairCom
  Serial Number: 20240910170041678704000000011
  Valid From (UTC): 2024-09-10 23:00:42+00:00
  Valid Until (UTC): 2028-11-08 19:59:59+00:00
  Public key algorithm: sha256
  TLS Version.v3
  Extension information:
    Extension name: Basic Constraints
      Critical: True
      CA: False
    Extension name: Key Usage
      Critical: True
      Digital signature: True
      Key encipherment: True
      Key agreement: True
    Extension name: Extended Key Usage
      Critical: False
      Extended key uses:
        Client authentication
    Extension name: Subject Alternative Name
      Critical: False
      RFC822Name: adam.howell@faircom.com
    Extension name: Subject Key Identifier
      Critical: False
      Digest: b810ac7e42ccbcd6c127931a1ad43081f9d50c24
    Extension name: Authority Key Identifier
      Critical: False
      Authority key identifier:
        Key identifier: 275634e2cb7800985e669053e8804ca72d07b84c
        Public bytes: 30168014275634e2cb7800985e669053e8804ca72d07b84c

Additional certificate #1:
  Public key modulus hash: 638728346db4565a794f52f1a9ccdf1e09dcda6ce32f13caaf81e11c
  Public key bits: 4096
  Subject:
    CN: FairCom Private Certificate Authority
    O: FairCom
  Issuer:
    CN: FairCom Private Certificate Authority
    O: FairCom
  Self-signed
  Serial Number: 20240910165904346719000000010
  Valid From (UTC): 2024-09-10 22:59:06+00:00
  Valid Until (UTC): 2034-09-07 23:59:59+00:00
  Public key algorithm: sha256
  TLS Version.v3
  Extension information:
    Extension name: Subject Key Identifier
      Critical: False
      Digest: 275634e2cb7800985e669053e8804ca72d07b84c
    Extension name: Authority Key Identifier
      Critical: False
      Authority key identifier:
        Key identifier: 275634e2cb7800985e669053e8804ca72d07b84c
        Public bytes: 30168014275634e2cb7800985e669053e8804ca72d07b84c
    Extension name: Basic Constraints
      Critical: True
      CA: True
    Extension name: Key Usage
      Critical: True
      Key cert sign: True
      Crl sign: True

Certificate serial # 20240910165904346719000000010 signed certificate serial # 20240910170041678704000000011.

  • This script shows information about keys and certificates. Because it is common for multiple keys and certificates to be included inside a single file, this script attempts to find every block of cryptographic data, parse that block, and display information about it.

  • You can also use the OpenSSL CLI to inspect certificates:

    openssl x509 -noout -text -in ca.crt

    • The OpenSSL command displays additional information that you might find useful:

      • Version: 3 (0x2)

        This line shows that the certificate is TLS version 1.3.

      • Subject: C=US, ST=Missouri, L=Columbia, O=FairCom, OU=IT, CN=FairCom Private Certificate Authority

        This line shows the information you entered at the prompts.

      • Public Key Algorithm: rsaEncryption

        This line shows that the key was created using the RSA algorithm.

      • Public-Key: (4096 bit)

        This line shows that the key was created using 4096 bits of entropy.

      • X509v3 extensions:
          X509v3 Basic Constraints: critical
            CA: TRUE, pathlen:0
          X509v3 Key Usage: critical
              Certificate Sign, CRL Sign

        These lines show that the certificate was created to be a CA key pair and that the roles it is meant for are signing certificates and signing Certificate Revocation Lists (CRLs).
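
The block-by-block scan and the matching "modulus hash" values in the output above can be reproduced with the standard library alone. This is an added example, not FairCom's certinfo.py code: the function names are hypothetical, it handles only unencrypted PKCS#1 RSA keys and RSA certificates, and SHA-224 over the raw modulus bytes is an assumption chosen to give 56-character digests like those shown (the page does not say how the script computes its hash).

```python
import base64, hashlib, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_children(buf):  # split DER content bytes into (tag, value) pairs
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits = number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def rsa_modulus(label, der):  # modulus bytes, or None for unsupported blocks
    if label not in ("RSA PRIVATE KEY", "CERTIFICATE"):
        return None
    seq = der_children(der_children(der)[0][1])
    if label == "CERTIFICATE":  # tbsCertificate -> subjectPublicKeyInfo
        tbs = der_children(seq[0][1])
        spki = der_children(tbs[6 if tbs[0][0] == 0xA0 else 5][1])
        # BIT STRING value minus its unused-bits byte wraps SEQUENCE { n, e }
        return der_children(der_children(spki[1][1][1:])[0][1])[0][1].lstrip(b"\0")
    return seq[1][1].lstrip(b"\0")  # PKCS#1 order: version, n, e, d, ...

def scan(text):  # one (block number, label, modulus hash or None) row per block
    rows = []
    for i, m in enumerate(PEM_RE.finditer(text), 1):
        raw = rsa_modulus(m.group(1), base64.b64decode(m.group(2)))
        rows.append((i, m.group(1), hashlib.sha224(raw).hexdigest() if raw else None))
    return rows

def key_cert_pairs(rows):  # (key block, certificate block) with equal hashes
    return [(k, c) for k, kl, kh in rows for c, cl, ch in rows
            if kl == "RSA PRIVATE KEY" and cl == "CERTIFICATE" and kh and kh == ch]

# Constructed sample: toy 12-bit moduli in certificate-shaped DER (not valid certs).
def tlv(tag, *parts):  # short-form lengths are enough for the toy data
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
def der_int(v):
    return tlv(2, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
def toy_cert(n):
    spki = tlv(0x30, tlv(0x30), tlv(3, b"\0", tlv(0x30, der_int(n), der_int(65537))))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)), der_int(1), *[tlv(0x30)] * 4, spki)
    return pem("CERTIFICATE", tlv(0x30, tbs, tlv(0x30), tlv(3, b"\0")))
BUNDLE = (pem("RSA PRIVATE KEY", tlv(0x30, *map(der_int, [0, 3233, 17, 2753, 61, 53, 53, 49, 38])))
          + toy_cert(3233) + toy_cert(3127))
```

`key_cert_pairs(scan(BUNDLE))` pairs block 1 (the key) with block 2 only; block 3 carries a different modulus, which is the mismatch to look for when a server rejects a key/certificate pair.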