Is there a way to programmatically check the Subject Alternative Names of a SAN SSL cert?
Using, for instance, the following command, I can get a lot of info, but not all of it.
If you just want to see the SANs, the grep DNS: is the obvious solution.
If you want to have a cleaner list to process further, you can use this Perl regex to extract just the names: @names=/\sDNS:([^\s,]+)/g
For example:
true | openssl s_client -connect example.com:443 2>/dev/null \
| openssl x509 -noout -text \
| perl -l -0777 -ne '@names=/\bDNS:([^\s,]+)/g; print join("\n", sort @names);'
Which would output this:
example.com
example.edu
example.net
example.org
www.example.com
www.example.edu
www.example.net
www.example.org
So you could pipe that to while read name; do echo "do stuff with $name"; done etc.
Or for a comma-separated list on one line, replace join("\n", with join(",",
(The -0777 switch for perl makes it read the whole input at once instead of line by line)
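A variant that reads only the Subject Alternative Name extension, added here as an example and not part of the original answer: matching DNS: over the whole -text output also picks up names printed by other extensions, such as Issuer Alternative Name. The function names and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Reads `openssl x509 -noout -text` output on stdin and prints the DNS names
# found in the Subject Alternative Name extension only, sorted and de-duplicated.
san_dns_names() {
    awk '
        # The SAN values are printed on the single line after this header
        # (the header may be followed by "critical").
        /X509v3 Subject Alternative Name:/ { in_san = 1; next }
        in_san {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                entry = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", entry)   # trim whitespace
                # Keep DNS entries; skip IP Address:, email:, URI: and others.
                if (entry ~ /^DNS:/) print substr(entry, 5)
            }
            in_san = 0
        }
    ' | sort -u
}

# Constructed sample of `openssl x509 -noout -text` output (not a real
# certificate). The Issuer Alternative Name line also contains a DNS: entry,
# which a whole-output match would wrongly report as a SAN.
sample_cert_text() {
    cat <<'EOF'
Certificate:
    Data:
        Subject: CN = www.example.com
        X509v3 extensions:
            X509v3 Issuer Alternative Name: 
                DNS:ca.example.org
            X509v3 Subject Alternative Name: 
                DNS:www.example.com, DNS:example.com, IP Address:192.0.2.10, DNS:example.net
EOF
}

# Live use, same pipeline as in the answer above:
#   true | openssl s_client -connect example.com:443 2>/dev/null \
#     | openssl x509 -noout -text | san_dns_names
sample_cert_text | san_dns_names
```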