Cert Decode

Parse and display human-readable details from X.509 PEM certificates using openssl.

Input

• PEM certificate content (text starting with -----BEGIN CERTIFICATE-----) pasted directly, OR
• Path to a .pem or .crt file, OR
• Hostname to fetch the live certificate from (e.g., example.com)

Output

• Subject (CN, O, OU, C)
• Issuer (CA name, organization)
• Validity: Not Before / Not After (expiry date)
• Serial number
• Subject Alternative Names (SANs)
• Public key algorithm and size
• Signature algorithm
• Whether the cert is expired or expiring soon

Instructions

1. Determine input type: pasted PEM text, file path, or hostname.

1. From pasted PEM text:

Write the PEM content to a temp file, then:

```

echo "PEM_CONTENT" | openssl x509 -text -noout

```

Or use process substitution if available.

1. From a file path:

```

openssl x509 -text -noout -in /path/to/cert.pem

```

1. From a live hostname (port 443):

```

echo | openssl s_client -connect HOSTNAME:443 -servername HOSTNAME 2>/dev/null | openssl x509 -text -noout

```

1. Extract and present key fields from the openssl x509 -text output in a clean, readable format:
• Subject: parse Subject: line
• Issuer: parse Issuer: line
• Valid From: parse Not Before:
• Valid Until: parse Not After :
• Serial: parse Serial Number:
• SANs: parse X509v3 Subject Alternative Name: block for all DNS: and IP Address: entries
• Key: parse Public Key Algorithm: and key size (e.g., RSA Public-Key: (2048 bit))
• Signature Algorithm: parse Signature Algorithm:

1. Calculate whether the certificate is:
• Already expired (Not After is in the past)
• Expiring within 30 days (warn the user)
• Valid (show days remaining)

1. If openssl is not found, tell the user:

> "This skill requires openssl. Install with: brew install openssl (macOS) or sudo apt install openssl (Linux)."

Examples

From file:

Command: openssl x509 -text -noout -in /etc/ssl/cert.pem

From hostname:

Command: echo | openssl s_client -connect github.com:443 -servername github.com 2>/dev/null | openssl x509 -text -noout

Sample parsed output:

Subject:    CN=github.com, O=GitHub, Inc., C=US
Issuer:     CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1, O=DigiCert Inc, C=US
Valid From: 2024-03-07
Valid Until: 2025-03-06  ⚠ Expires in 14 days
Serial:     0a:bc:12:...
SANs:       github.com, www.github.com
Key:        EC 256-bit (prime256v1)
Signature:  ecdsa-with-SHA384

Error Handling

• openssl not found → tell user to install it
• Input is not valid PEM → openssl will error with unable to load certificate; tell user the input does not appear to be a valid PEM certificate
• Hostname unreachable → openssl s_client will fail; report connection error and suggest checking the hostname or network
• DER format instead of PEM → tell user to convert first with: openssl x509 -inform DER -in cert.der -out cert.pem
• Certificate chain (multiple certs) → only the first cert is parsed; inform user if they need a specific cert from the chain