varun teja

Reputation: 126

How to extract subject key identifier from x509 certificate through openssl

I've created an x509 certificate using ec prime256v1 through openssl. Can someone please let me know the way to extract the subject key identifier from it using any openssl cli?

Thanks in advance.

Upvotes: 1

Views: 3121

Answers (2)

Zzz0_o

Reputation: 598

One can simply use the -subject option with openssl, and to specify DER or PEM format use the -inform option, for example:

$ openssl x509 -inform DER -in myCert.der -noout -subject
subject= /C=IN/ST=Karnataka/L=Banaglore/O=FOO/OU=BAR

$ openssl x509 -inform PEM -in myCert.pem -noout -subject
subject= /C=IN/ST=Karnataka/L=Banaglore/O=FOO/OU=BAR

Note: By default, we don't have to specify the -inform option for PEM format.

Upvotes: 0

k_o_

Reputation: 6298

Here is an example of how it works:

openssl x509 -in cer.der -inform DER -text | sed ':a;N;$!ba;s/\n/+/g' | sed 's/ //g' | sed -n 's/.*SubjectKeyIdentifier:+\([A-F0-9:]*\)+.*/\1/p' | sed 's/\://g'

It is using sed to get the Subject Detail Level.

Explaining the individual parts:

openssl x509 -in cer.der -inform DER -text

The next part is sed magic. It is removing all newlines and replacing them with a +:

sed ':a;N;$!ba;s/\n/+/g'

The next part is an easy sed magic. It is removing all blanks:

sed 's/ //g'

The next part is the interesting part and extracts the Subject Key Identifier.

sed -n 's/.*SubjectKeyIdentifier:+\([A-F0-9:]*\)+.*/\1/p'

The last part is just removing the colons with sed. Maybe not needed in your case. Maybe you also need it as binary.

sed 's/\://g'

If binary output is needed, add another pipe to the whole command:

openssl x509 -in CERT_S_SM_DPauth_ECDSA_BRP.der -inform DER -text | sed ':a;N;$!ba;s/\n/+/g' | sed 's/ //g' | sed -n 's/.*SubjectKeyIdentifier:+\([A-F0-9:]*\)+.*/\1/p' | sed 's/\://g' | xxd -r -p - subjkid.bin

Upvotes: 3
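
An added example, not part of either answer above: OpenSSL 1.1.1 and later can print a single extension with `x509 -ext`, which avoids scraping the full `-text` dump, and the identifier can be cross-checked by recomputing it from the public key. The function names, the CN `ski-demo.example` and the temporary files are assumptions; the certificate is a throwaway that the script generates itself.

```shell
#!/bin/sh
# Added example, not from the original answers. Function names and the CN are
# constructed sample values. Needs OpenSSL 1.1.1+ (for the x509 -ext option).

# Create a throwaway self-signed prime256v1 certificate at $1 (PEM).
make_sample_cert() {
    cnf=$(mktemp)
    cat > "$cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = ski-demo.example
[ext]
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$cnf.key" -days 1 -config "$cnf" -out "$1" 2>/dev/null
    rc=$?; rm -f "$cnf" "$cnf.key"; return $rc
}

# Print the Subject Key Identifier stored in certificate $1 as hex without
# colons. Optional $2 is the input format, DER or PEM (default PEM).
ski_from_ext() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -ext subjectKeyIdentifier |
        sed -n '/Subject Key Identifier/{n;s/[ :]//g;p;}'
}

# Recompute the identifier per RFC 5280 section 4.2.1.2 method (1): SHA-1 over
# the subjectPublicKey BIT STRING contents. Assumption: uncompressed P-256 key,
# whose BIT STRING contents are the last 65 bytes of the SubjectPublicKeyInfo.
ski_from_key() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -pubkey |
        openssl pkey -pubin -outform DER | tail -c 65 |
        openssl dgst -sha1 -r | cut -c1-40 | tr 'a-f' 'A-F'
}

# Demo on the constructed certificate: both lines should show the same value.
cert=$(mktemp) && make_sample_cert "$cert" &&
    echo "extension:  $(ski_from_ext "$cert")" &&
    echo "recomputed: $(ski_from_key "$cert")"
rm -f "$cert"
```

The two values match only when the issuer derived the identifier with method (1); RFC 5280 allows other derivations, so a mismatch on a third-party certificate is not by itself a sign of tampering.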
