I have started taking Ed Harmoush’s Practical TLS course to learn more about TLS and certificates. When learning about TLS, you want to inspect different certificates to see the various fields and see how different organizations use certificates differently. As always, Linux comes with a great set of tools to work with certificates in the form of OpenSSL. In this post, I will show how to download a certificate and discuss some of the fields that are present in the certificate.
To get the certificate, we will use openssl with s_client and connect to a web site. I’m using twitter.com in this example:
openssl s_client -connect twitter.com:443 CONNECTED(00000003) depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA verify return:1 depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1 verify return:1 depth=0 C = US, ST = California, L = San Francisco, O = "Twitter, Inc.", CN = twitter.com verify return:1 --- Certificate chain 0 s:C = US, ST = California, L = San Francisco, O = "Twitter, Inc.", CN = twitter.com i:C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1 1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1 i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA --- Server certificate -----BEGIN CERTIFICATE----- MIIFazCCBPKgAwIBAgIQApPDmMLPSme+g7U3VNqTeTAKBggqhkjOPQQDAzBWMQsw CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjIwMzA3MDAw MDAwWhcNMjMwMzA2MjM1OTU5WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEWMBQGA1UEChMNVHdpdHRl ciwgSW5jLjEUMBIGA1UEAxMLdHdpdHRlci5jb20wWTATBgcqhkjOPQIBBggqhkjO PQMBBwNCAAR45SH/I15fFxhdMTC+z7QG3NUBnLwye4M89+7FBmazTprXzLBrFL6w iszjJo6ZbvjHH+Anr7EloiOmyCd6CcT7o4IDjjCCA4owHwYDVR0jBBgwFoAUCrwI KReMpTlteg7OM8cus+37w3owHQYDVR0OBBYEFCMuApYaSTouUoRg0NPAcgqPUzQo MCcGA1UdEQQgMB6CC3R3aXR0ZXIuY29tgg93d3cudHdpdHRlci5jb20wDgYDVR0P AQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBmwYDVR0f BIGTMIGQMEagRKBChkBodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRU TFNIeWJyaWRFQ0NTSEEzODQyMDIwQ0ExLTEuY3JsMEagRKBChkBodHRwOi8vY3Js NC5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNIeWJyaWRFQ0NTSEEzODQyMDIwQ0Ex LTEuY3JsMD4GA1UdIAQ3MDUwMwYGZ4EMAQICMCkwJwYIKwYBBQUHAgEWG2h0dHA6 Ly93d3cuZGlnaWNlcnQuY29tL0NQUzCBhQYIKwYBBQUHAQEEeTB3MCQGCCsGAQUF BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wTwYIKwYBBQUHMAKGQ2h0dHA6 Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NIQTM4 NDIwMjBDQTEtMS5jcnQwCQYDVR0TBAIwADCCAX0GCisGAQQB1nkCBAIEggFtBIIB aQFnAHYA6D7Q2j71BjUy51covIlryQPTy9ERa+zraeF3fW0GvW4AAAF/Zs9cUwAA BAMARzBFAiEAhfGjCOUeRm/kHVawNy3RJZ1YXMWS0hZSJDRTEOsMx20CIF6ogmQY N39TkR8C8E/h0J4TY1KxdiVbQvK0RrHN8FJVAHYANc8ZG7+xbFe/D61MbULLu7Yn ICZR6j/hKu+oA8M71kwAAAF/Zs9cIQAABAMARzBFAiA3tUnaT5aw8irIfAGSUCAg Z+yxrgDcwCdNsKL6NArnKQIhAJ0NRfSw48YnZ9WdyA0ld2gnZJAhp/226PdTbrDZ U9kCAHUAs3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZoAAAF/Zs9cQAAA BAMARjBEAiA0chFWolNwUo1A2KZysMp4g0fqWAnIlZOC1Hm/XxNrNgIgE/sjXAm9 f/CtJs3XChaF7R34cMvsKCyFrW0+ycbg7H0wCgYIKoZIzj0EAwMDZwAwZAIwQcD0 aUHKfljlai5ceovXBRkn0NRQb05OTYl0CKElutbSqnCnEJbxfsh1Snhwe7h8AjBi OdC/T3eT3A0QXmKu1Odkq+9U9vsBycfGBRFZiP/DCXWJXYcBki92Oxq+uwukNmA= -----END CERTIFICATE----- subject=C = US, ST = California, L = San Francisco, O = "Twitter, Inc.", CN = twitter.com issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: ECDSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 2752 bytes and written 383 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 256 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) ---
This provides us with some interesting information on issuer, cipher suite etc but the certificate itself is from —–BEGIN CERTIFICATE—– to —–END CERTIFICATE—–. If we put this text in a text file, we can use openssl to provide us with more information:
daniel@devasc:~$ nano twitter_cert.crt daniel@devasc:~$ cat twitter_cert.crt -----BEGIN CERTIFICATE----- MIIFazCCBPKgAwIBAgIQApPDmMLPSme+g7U3VNqTeTAKBggqhkjOPQQDAzBWMQsw CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjIwMzA3MDAw MDAwWhcNMjMwMzA2MjM1OTU5WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEWMBQGA1UEChMNVHdpdHRl ciwgSW5jLjEUMBIGA1UEAxMLdHdpdHRlci5jb20wWTATBgcqhkjOPQIBBggqhkjO PQMBBwNCAAR45SH/I15fFxhdMTC+z7QG3NUBnLwye4M89+7FBmazTprXzLBrFL6w iszjJo6ZbvjHH+Anr7EloiOmyCd6CcT7o4IDjjCCA4owHwYDVR0jBBgwFoAUCrwI KReMpTlteg7OM8cus+37w3owHQYDVR0OBBYEFCMuApYaSTouUoRg0NPAcgqPUzQo MCcGA1UdEQQgMB6CC3R3aXR0ZXIuY29tgg93d3cudHdpdHRlci5jb20wDgYDVR0P AQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBmwYDVR0f BIGTMIGQMEagRKBChkBodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRU TFNIeWJyaWRFQ0NTSEEzODQyMDIwQ0ExLTEuY3JsMEagRKBChkBodHRwOi8vY3Js NC5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNIeWJyaWRFQ0NTSEEzODQyMDIwQ0Ex LTEuY3JsMD4GA1UdIAQ3MDUwMwYGZ4EMAQICMCkwJwYIKwYBBQUHAgEWG2h0dHA6 Ly93d3cuZGlnaWNlcnQuY29tL0NQUzCBhQYIKwYBBQUHAQEEeTB3MCQGCCsGAQUF BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wTwYIKwYBBQUHMAKGQ2h0dHA6 Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NIQTM4 NDIwMjBDQTEtMS5jcnQwCQYDVR0TBAIwADCCAX0GCisGAQQB1nkCBAIEggFtBIIB aQFnAHYA6D7Q2j71BjUy51covIlryQPTy9ERa+zraeF3fW0GvW4AAAF/Zs9cUwAA BAMARzBFAiEAhfGjCOUeRm/kHVawNy3RJZ1YXMWS0hZSJDRTEOsMx20CIF6ogmQY N39TkR8C8E/h0J4TY1KxdiVbQvK0RrHN8FJVAHYANc8ZG7+xbFe/D61MbULLu7Yn ICZR6j/hKu+oA8M71kwAAAF/Zs9cIQAABAMARzBFAiA3tUnaT5aw8irIfAGSUCAg Z+yxrgDcwCdNsKL6NArnKQIhAJ0NRfSw48YnZ9WdyA0ld2gnZJAhp/226PdTbrDZ U9kCAHUAs3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZoAAAF/Zs9cQAAA BAMARjBEAiA0chFWolNwUo1A2KZysMp4g0fqWAnIlZOC1Hm/XxNrNgIgE/sjXAm9 f/CtJs3XChaF7R34cMvsKCyFrW0+ycbg7H0wCgYIKoZIzj0EAwMDZwAwZAIwQcD0 aUHKfljlai5ceovXBRkn0NRQb05OTYl0CKElutbSqnCnEJbxfsh1Snhwe7h8AjBi OdC/T3eT3A0QXmKu1Odkq+9U9vsBycfGBRFZiP/DCXWJXYcBki92Oxq+uwukNmA= -----END CERTIFICATE-----
The text here is Base64 encoded so as a human we don’t understand what is in this certificate at all. We will use openssl to provide us with a more human readable format:
daniel@devasc:~$ openssl x509 -in twitter_cert.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:93:c3:98:c2:cf:4a:67:be:83:b5:37:54:da:93:79
Signature Algorithm: ecdsa-with-SHA384
Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
Validity
Not Before: Mar 7 00:00:00 2022 GMT
Not After : Mar 6 23:59:59 2023 GMT
Subject: C = US, ST = California, L = San Francisco, O = "Twitter, Inc.", CN = twitter.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:78:e5:21:ff:23:5e:5f:17:18:5d:31:30:be:cf:
b4:06:dc:d5:01:9c:bc:32:7b:83:3c:f7:ee:c5:06:
66:b3:4e:9a:d7:cc:b0:6b:14:be:b0:8a:cc:e3:26:
8e:99:6e:f8:c7:1f:e0:27:af:b1:25:a2:23:a6:c8:
27:7a:09:c4:fb
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:0A:BC:08:29:17:8C:A5:39:6D:7A:0E:CE:33:C7:2E:B3:ED:FB:C3:7A
X509v3 Subject Key Identifier:
23:2E:02:96:1A:49:3A:2E:52:84:60:D0:D3:C0:72:0A:8F:53:34:28
X509v3 Subject Alternative Name:
DNS:twitter.com, DNS:www.twitter.com
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl
Full Name:
URI:http://crl4.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.2
CPS: http://www.digicert.com/CPS
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crt
X509v3 Basic Constraints:
CA:FALSE
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9:
03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E
Timestamp : Mar 7 23:55:39.987 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:85:F1:A3:08:E5:1E:46:6F:E4:1D:56:
B0:37:2D:D1:25:9D:58:5C:C5:92:D2:16:52:24:34:53:
10:EB:0C:C7:6D:02:20:5E:A8:82:64:18:37:7F:53:91:
1F:02:F0:4F:E1:D0:9E:13:63:52:B1:76:25:5B:42:F2:
B4:46:B1:CD:F0:52:55
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 35:CF:19:1B:BF:B1:6C:57:BF:0F:AD:4C:6D:42:CB:BB:
B6:27:20:26:51:EA:3F:E1:2A:EF:A8:03:C3:3B:D6:4C
Timestamp : Mar 7 23:55:39.937 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:37:B5:49:DA:4F:96:B0:F2:2A:C8:7C:01:
92:50:20:20:67:EC:B1:AE:00:DC:C0:27:4D:B0:A2:FA:
34:0A:E7:29:02:21:00:9D:0D:45:F4:B0:E3:C6:27:67:
D5:9D:C8:0D:25:77:68:27:64:90:21:A7:FD:B6:E8:F7:
53:6E:B0:D9:53:D9:02
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : B3:73:77:07:E1:84:50:F8:63:86:D6:05:A9:DC:11:09:
4A:79:2D:B1:67:0C:0B:87:DC:F0:03:0E:79:36:A5:9A
Timestamp : Mar 7 23:55:39.968 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:34:72:11:56:A2:53:70:52:8D:40:D8:A6:
72:B0:CA:78:83:47:EA:58:09:C8:95:93:82:D4:79:BF:
5F:13:6B:36:02:20:13:FB:23:5C:09:BD:7F:F0:AD:26:
CD:D7:0A:16:85:ED:1D:F8:70:CB:EC:28:2C:85:AD:6D:
3E:C9:C6:E0:EC:7D
Signature Algorithm: ecdsa-with-SHA384
30:64:02:30:41:c0:f4:69:41:ca:7e:58:e5:6a:2e:5c:7a:8b:
d7:05:19:27:d0:d4:50:6f:4e:4e:4d:89:74:08:a1:25:ba:d6:
d2:aa:70:a7:10:96:f1:7e:c8:75:4a:78:70:7b:b8:7c:02:30:
62:39:d0:bf:4f:77:93:dc:0d:10:5e:62:ae:d4:e7:64:ab:ef:
54:f6:fb:01:c9:c7:c6:05:11:59:88:ff:c3:09:75:89:5d:87:
01:92:2f:76:3b:1a:be:bb:0b:a4:36:60
That’s a lot of information to take in. So let’s break it down into the various fields that are part of a certificate. Starting with the Version:
Version: 3 (0x2)
The version of the X509 certificate. Do not confuse this with TLS version 1.3 or similar. You will most likely only see version 3 when inspecting certificates which is the X509 version supporting extensions such as Subject Alternate Name (SAN) and others.
The next field is the Serial Number:
Serial Number:
02:93:c3:98:c2:cf:4a:67:be:83:b5:37:54:da:93:79
A up to 20-byte (160 bits) number (can be shorter) that uniquely identifies a certificate issued by a given Certificate Authority (CA). No two certificates issued from the same CA should have the same serial number. It’s possible for certificates generated by different CAs to have the same serial number, though. The serial number is used to check the validity of a certificate when making a request to a CA. For example to a Certificate Revocation List (CRL) or using Online Certificate Status Protocol (OCSP).
Then comes the Signature Algorithm:
Signature Algorithm: ecdsa-with-SHA384
The signature algorithm provides two pieces of information:
- The hashing algorithm used to provide a digest of the certificate data
- The asymmetric encryption algorithm that provided the public and private key
In the certificate above, SHA-384 was used to hash the certificate data to provide a digest. The Elliptic Curve Digital Signature Algorithm (ECDSA) was the algorithm that generated the public and private key. Elliptic curve encryption is often referred to as next generation encryption algorithms.
After that we have the Issuer:
Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
The Issuer tells us what CA issued the certificate. In this case, DigiCert issued the certificate and the Common Name (CN) shows what server signed the certificate.
The next field is Validity:
Validity
Not Before: Mar 7 00:00:00 2022 GMT
Not After : Mar 6 23:59:59 2023 GMT
This field is pretty self explanatory. The certificate is valid from 7th of March 2022 until 6th of March 2023 just before midnight. Back in the days people would get certificates that were valid for multiple years, maybe even 5 or 10 years in a set and forget fashion. That is now considered poor practice and most CAs will not issue certificates with a validity longer than 13 months. The trend is to have shorter and shorter validity and use automation tools to rotate certificates. One consideration here is that if your devices’ time is off by much, it can cause issues. For example, some device will boot up with clock set to something like 1990 which is obviously before the certificate became valid so it will then be considered invalid.
Then we have the Subject:
Subject: C = US, ST = California, L = San Francisco, O = "Twitter, Inc.", CN = twitter.com
The Subject is what the certificate is identifying, in this case twitter.com. The CN here is twitter.com which is an exact match to twitter.com. Subdomains such as images.twitter.com or similar would not be identified by this CN. A wildcard would be needed for that such as *.twitter.com. However, the SAN field is the extra twist that we will review later. Keep in mind that browsers will compare the URL to what is in the SAN.
The next field is Public Key:
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:78:e5:21:ff:23:5e:5f:17:18:5d:31:30:be:cf:
b4:06:dc:d5:01:9c:bc:32:7b:83:3c:f7:ee:c5:06:
66:b3:4e:9a:d7:cc:b0:6b:14:be:b0:8a:cc:e3:26:
8e:99:6e:f8:c7:1f:e0:27:af:b1:25:a2:23:a6:c8:
27:7a:09:c4:fb
ASN1 OID: prime256v1
NIST CURVE: P-256
What is the Public Key used for? The client, through the browser, need to generate symmetric session keys that are used to encrypt the data between the client and the server. The client uses the public key of the certificate to encrypt the information known as premaster secret that it sends to the server. This can only be decrypted with the private key of the server.
In the X509v3 extensions field we also have the SAN:
X509v3 Subject Alternative Name:
DNS:twitter.com, DNS:www.twitter.com
The SAN allows a certificate to be used for multiple names. A good example is the one above which allows the certificate to be used both for twitter.com and www.twitter.com. It can be used for more than that, though. Let’s go through the same process as we did for twitter.com with google.com and view the contents of its certificate. The first interesting thing we see is the Issuer:
Issuer: C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
Normally we would see issuers such as DigiCert, IdenTrust, Sectigo, Let’s Encrypt, GoDaddy etc. However, Google has their own Root CA and sign their own certificates.
Next, the Subject is also different compared to Twitter:
Subject: CN = *.google.com
Notice the use of the asterisk here (wild card). This means that any subdomain, such as images.google.com can be used. However, the domain google.com is not included here. But let’s take a look at the SAN…
X509v3 Subject Alternative Name:
DNS:*.google.com, DNS:*.appengine.google.com, DNS:*.bdn.dev, DNS:*.cloud.google.com, DNS:*.crowdsource.google.com, DNS:*.datacompute.google.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic-cn.com, DNS:googlecnapps.cn, DNS:*.googlecnapps.cn, DNS:googleapps-cn.com, DNS:*.googleapps-cn.com, DNS:gkecnapps.cn, DNS:*.gkecnapps.cn, DNS:googledownloads.cn, DNS:*.googledownloads.cn, DNS:recaptcha.net.cn, DNS:*.recaptcha.net.cn, DNS:recaptcha-cn.net, DNS:*.recaptcha-cn.net, DNS:widevine.cn, DNS:*.widevine.cn, DNS:ampproject.org.cn, DNS:*.ampproject.org.cn, DNS:ampproject.net.cn, DNS:*.ampproject.net.cn, DNS:google-analytics-cn.com, DNS:*.google-analytics-cn.com, DNS:googleadservices-cn.com, DNS:*.googleadservices-cn.com, DNS:googlevads-cn.com, DNS:*.googlevads-cn.com, DNS:googleapis-cn.com, DNS:*.googleapis-cn.com, DNS:googleoptimize-cn.com, DNS:*.googleoptimize-cn.com, DNS:doubleclick-cn.net, DNS:*.doubleclick-cn.net, DNS:*.fls.doubleclick-cn.net, DNS:*.g.doubleclick-cn.net, DNS:doubleclick.cn, DNS:*.doubleclick.cn, DNS:*.fls.doubleclick.cn, DNS:*.g.doubleclick.cn, DNS:dartsearch-cn.net, DNS:*.dartsearch-cn.net, DNS:googletraveladservices-cn.com, DNS:*.googletraveladservices-cn.com, DNS:googletagservices-cn.com, DNS:*.googletagservices-cn.com, DNS:googletagmanager-cn.com, DNS:*.googletagmanager-cn.com, DNS:googlesyndication-cn.com, DNS:*.googlesyndication-cn.com, DNS:*.safeframe.googlesyndication-cn.com, DNS:app-measurement-cn.com, DNS:*.app-measurement-cn.com, DNS:gvt1-cn.com, DNS:*.gvt1-cn.com, DNS:gvt2-cn.com, DNS:*.gvt2-cn.com, DNS:2mdn-cn.net, DNS:*.2mdn-cn.net, DNS:googleflights-cn.net, DNS:*.googleflights-cn.net, DNS:admob-cn.com, DNS:*.admob-cn.com, DNS:*.gstatic.com, DNS:*.metric.gstatic.com, DNS:*.gvt1.com, DNS:*.gcpcdn.gvt1.com, DNS:*.gvt2.com, DNS:*.gcp.gvt2.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.ytimg.com, DNS:android.com, DNS:*.android.com, DNS:*.flash.android.com, DNS:g.cn, DNS:*.g.cn, DNS:g.co, DNS:*.g.co, DNS:goo.gl, DNS:www.goo.gl, DNS:google-analytics.com, DNS:*.google-analytics.com, DNS:google.com, DNS:googlecommerce.com, DNS:*.googlecommerce.com, DNS:ggpht.cn, DNS:*.ggpht.cn, DNS:urchin.com, DNS:*.urchin.com, DNS:youtu.be, DNS:youtube.com, DNS:*.youtube.com, DNS:youtubeeducation.com, DNS:*.youtubeeducation.com, DNS:youtubekids.com, DNS:*.youtubekids.com, DNS:yt.be, DNS:*.yt.be, DNS:android.clients.google.com, DNS:developer.android.google.cn, DNS:developers.android.google.cn, DNS:source.android.google.cn
Wow! That’s a lot. It seems pretty much any Google service and domain is included in here, including google.com. Using a certificate for so many domains and services does of course come with considerations for security, blast radius etc., but it would be a fair assumption that Google probably know what they are doing.
I hope this post has been informative and that you have learned how easy it is to use openssl library to view certificates.
01. use “echo QUIT | openssl s_client” so do do nit have to Ctrl-C
02. with using “2>/dev/null” (s_client) you get rid of “CONNECTED(00000003) …”
03. show SAN with newer openssl Versions
“openssl x509 -noout -ext subjectAltName …”