Cert Decode

Parse and display human-readable details from X.509 PEM certificates using openssl.

Input

• PEM certificate content (text starting with -----BEGIN CERTIFICATE-----) pasted directly, OR
• Path to a .pem or .crt file, OR
• Hostname to fetch the live certificate from (e.g., example.com)

Output

• Subject (CN, O, OU, C)
• Issuer (CA name, organization)
• Validity: Not Before / Not After (expiry date)
• Serial number
• Subject Alternative Names (SANs)
• Public key algorithm and size
• Signature algorithm
• Whether the cert is expired or expiring soon

Instructions

1. Determine input type: pasted PEM text, file path, or hostname.

2. From pasted PEM text: Write the PEM content to a temp file, then:

   echo "PEM_CONTENT" | openssl x509 -text -noout
   

   Or use process substitution if available.

3. From a file path:

   openssl x509 -text -noout -in /path/to/cert.pem
   

4. From a live hostname (port 443):

   echo | openssl s_client -connect HOSTNAME:443 -servername HOSTNAME 2>/dev/null | openssl x509 -text -noout
   

5. Extract and present key fields from the openssl x509 -text output in a clean, readable format:

   • Subject: parse Subject: line
   • Issuer: parse Issuer: line
   • Valid From: parse Not Before:
   • Valid Until: parse Not After :
   • Serial: parse Serial Number:
   • SANs: parse X509v3 Subject Alternative Name: block for all DNS: and IP Address: entries
   • Key: parse Public Key Algorithm: and key size (e.g., RSA Public-Key: (2048 bit))
   • Signature Algorithm: parse Signature Algorithm:

6. Calculate whether the certificate is:

   • Already expired (Not After is in the past)
   • Expiring within 30 days (warn the user)
   • Valid (show days remaining)

7. If openssl is not found, tell the user:

   "This skill requires openssl. Install with: brew install openssl (macOS) or sudo apt install openssl (Linux)."

Examples

From file: Command: openssl x509 -text -noout -in /etc/ssl/cert.pem

From hostname: Command: echo | openssl s_client -connect github.com:443 -servername github.com 2>/dev/null | openssl x509 -text -noout

Sample parsed output:

Subject:    CN=github.com, O=GitHub, Inc., C=US
Issuer:     CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1, O=DigiCert Inc, C=US
Valid From: 2024-03-07
Valid Until: 2025-03-06  ⚠ Expires in 14 days
Serial:     0a:bc:12:...
SANs:       github.com, www.github.com
Key:        EC 256-bit (prime256v1)
Signature:  ecdsa-with-SHA384

Error Handling

• openssl not found → tell user to install it
• Input is not valid PEM → openssl will error with unable to load certificate; tell user the input does not appear to be a valid PEM certificate
• Hostname unreachable → openssl s_client will fail; report connection error and suggest checking the hostname or network
• DER format instead of PEM → tell user to convert first with: openssl x509 -inform DER -in cert.der -out cert.pem
• Certificate chain (multiple certs) → only the first cert is parsed; inform user if they need a specific cert from the chain