When working with UCC (Unified Communications Certificates) or SAN (Subject Alternative Name) certificates, you often need to programmatically extract the list of covered domains. This is particularly useful for:
- Certificate management automation
- Security audits
- Monitoring certificate coverage
- CI/CD pipeline integration
The most reliable way to extract SAN domains is using OpenSSL:
openssl x509 -in certificate.crt -noout -text | grep -A 1 "Subject Alternative Name"
For a more refined output that only shows the domains (requires GNU grep, whose -P option enables the PCRE \K used here):
openssl x509 -in certificate.crt -noout -text | grep -oP 'DNS:\K[^,]*'
Here's a Python script to extract SAN domains:
import OpenSSL.crypto

def get_san_domains(cert_path):
    """Return the DNS names listed in the certificate's subjectAltName extension."""
    with open(cert_path, 'rb') as f:
        cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, f.read())
    extensions = (cert.get_extension(i) for i in range(cert.get_extension_count()))
    # The extension is optional: return an empty list instead of raising StopIteration
    san_ext = next((ext for ext in extensions if ext.get_short_name() == b'subjectAltName'), None)
    if san_ext is None:
        return []
    # str(san_ext) renders as "DNS:a.example.com, DNS:b.example.com, IP Address:..."
    return [name.strip()[4:] for name in str(san_ext).split(',') if name.strip().startswith('DNS:')]

print(get_san_domains('certificate.crt'))
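As an added example that is not part of this page's own scripts, the following Python parses the text produced by the page's openssl x509 -noout -text command instead of relying on a one-line grep: it keeps DNS names apart from IP Address entries, drops duplicates, and checks a monitored hostname list against the certificate using the one-label wildcard rule. The sample text below is constructed and stands in for real openssl output.

```python
# Constructed sample of `openssl x509 -noout -text` output (not a real certificate).
SAMPLE_TEXT = """\
Certificate:
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com, DNS:mail.example.org, IP Address:192.0.2.10, DNS:EXAMPLE.com
            X509v3 Basic Constraints:
                CA:FALSE
"""

def parse_san(text):
    # Returns (dns_names, ip_addresses): DNS names case-folded, duplicates dropped, order kept.
    dns, ips = [], []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        if "Subject Alternative Name" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        for body in lines[idx + 1:]:  # continuation lines are indented deeper than the header
            if len(body) - len(body.lstrip()) <= indent:
                break
            for entry in body.split(","):
                kind, _, value = entry.strip().partition(":")
                if kind == "DNS" and value.lower() not in dns:
                    dns.append(value.lower())
                elif kind == "IP Address" and value not in ips:
                    ips.append(value)
        break
    return dns, ips

def name_covered(hostname, dns_names):
    # RFC 6125 wildcard rule: "*.example.com" covers one extra label only, not the apex or deeper names.
    host = hostname.lower().rstrip(".")
    for pattern in dns_names:
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False

def uncovered(hostnames, text):
    # Hostnames from a monitoring list that the certificate does not cover.
    dns, _ = parse_san(text)
    return [h for h in hostnames if not name_covered(h, dns)]
```

Feed it the output of openssl x509 -in certificate.crt -noout -text (for example via subprocess) to audit a real certificate; counting len(dns) gives the true number of SAN entries even though openssl prints them all on one line.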
For frequent use in shell scripts:
openssl x509 -noout -text < certificate.crt | awk -F, '/X509v3 Subject Alternative Name/ {getline; gsub(/DNS:| /,""); print}' | tr -d ' ' | tr ',' '\n'
You can check certificates on live servers directly (the </dev/null closes s_client's stdin so it exits after the handshake instead of waiting for input):
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A 1 "Subject Alternative Name"
When dealing with certificate chains, you might want to check all certificates in the chain:
openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout -text | grep -A 1 "Subject Alternative Name"
On Windows, PowerShell can read the extension from a PFX file directly:
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("C:\path\to\certificate.pfx", "password")
# Match on the extension OID rather than the locale-dependent friendly name
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
# Format() decodes the DER value into "DNS Name=a.example.com, DNS Name=b.example.com, ..." (Windows CryptoAPI labels);
# RawData is the raw DER encoding and must not be decoded as text
$san.Format($false) -split ', ' | Where-Object { $_ -match '^DNS Name=' } | ForEach-Object { $_ -replace '^DNS Name=', '' }
For DER format certificates:
openssl x509 -inform der -in certificate.der -noout -text | grep -A 1 "Subject Alternative Name"
For PKCS#12 files:
openssl pkcs12 -in certificate.p12 -nodes -nokeys | openssl x509 -noout -text | grep -A 1 "Subject Alternative Name"
When working with UCC/SAN SSL certificates, administrators often need to verify all subject alternative names included in the certificate. While browsers display this information graphically, extracting it programmatically requires command-line tools.
The most reliable method uses OpenSSL, available on both Linux and macOS systems. Here's the basic command structure:
openssl x509 -in certificate.crt -noout -text | grep -A 1 "Subject Alternative Name"
For a more comprehensive solution that handles multiple certificates and formats the output cleanly:
#!/bin/bash
# Usage: ./saninfo.sh certificate.pem
set -euo pipefail
certfile=${1:?usage: $0 certificate.pem}
echo "Subject: $(openssl x509 -in "$certfile" -noout -subject)"
echo "Issuer: $(openssl x509 -in "$certfile" -noout -issuer)"
echo "Valid Dates: $(openssl x509 -in "$certfile" -noout -dates)"
echo "SAN Domains:"
# openssl prints every SAN entry on the single line that follows the header
openssl x509 -in "$certfile" -noout -text |
grep -A 1 "Subject Alternative Name" |
grep -o "DNS:[^,]*" |
sed 's/DNS://g' |
sort -u
For certificates stored in different formats, use these variations:
# For PEM format
openssl x509 -in cert.pem -noout -text
# For DER format
openssl x509 -inform der -in cert.der -noout -text
# For remote servers (</dev/null makes s_client exit after the handshake instead of waiting on stdin)
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null |
openssl x509 -noout -text
Quick commands for common scenarios:
# Extract all DNS entries, one per line, with the DNS: label stripped
openssl x509 -noout -text -in cert.pem | grep -o "DNS:[^,]*" | sed 's/DNS://'
# Count total SAN domains (all entries sit on one line, so count matches rather than lines)
openssl x509 -noout -text -in cert.pem | grep -o "DNS:" | wc -l
When dealing with certificate chains, you might need to process multiple certificates:
# Extract all certificates from a chain
openssl crl2pkcs7 -nocrl -certfile chain.pem |
openssl pkcs7 -print_certs -text -noout