how to read the keyusage of a X509 V3 certificate?

Question

I want to read the Key usage field in a certificate .is there an API is available in openssl ?

Answer 1

7 years later...

Newer versions of openssl let you query certificate extensions using -ext flag. See docs for available options.

Print key usage:

$> openssl x509 -noout -ext keyUsage < test.crt
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment

Print extended key usage:

$> openssl x509 -noout -ext extendedKeyUsage < test.crt
X509v3 Extended Key Usage: 
    TLS Web Server Authentication, TLS Web Client Authentication

Note that if you want to print multiple extensions at once, you need to separate than by comma instead of using -ext flag multiple times:

$> openssl x509 -noout \
   -ext keyUsage,extendedKeyUsage < test.crt

Answer 2

The previous solutions you need to find inside the result file/output the string "Key Usage". I got the following solution which brings exactly the String inside the Key Usage X509 certificate.

openssl s_client -showcerts -connect SERVER_HERE:443 </dev/null 2>/dev/null|openssl x509 -text |grep v "$(grep -E -A1 "Key Usage")"

The above command get the certificate, parse to text and find the string "Key Usage" and present the next line on the result which represents the value for this particular field on X509.

//Cheers

Answer 3

You can try using the following command in openssl.

openssl x509 -in <certificate to check> -purpose -noout -text

This would print out the list of certificate purpose and the certificate itself.