1
votes

I've created an x509 certificate using EC prime256v1 through openssl. Can someone please let me know the way to extract the subject key identifier from it using any openssl CLI?

Thanks in advance.

2
Do you want to read the field in the certificate or do you want the Subject Key Identifier corresponding to the used key? – Joris
I want to read from the certificate. – varun teja
I'm able to capture it using grep -A1 "Subject Key Identifier" ca-cert.pem; however, I would like to know if I can extract it through the openssl command line. – varun teja
Quite sure you can't, not without using something like grep or awk. – Joris

2 Answers

3
votes

Here is an example how it works:

openssl x509 -in cer.der -inform DER -text | sed ':a;N;$!ba;s/\n/+/g' | sed 's/ //g' | sed -n 's/.*SubjectKeyIdentifier:+\([A-F0-9:]*\)+.*/\1/p' | sed 's/\://g'

It is using sed to get the Subject Detail Level.

Explaining the individual parts:

openssl x509 -in cer.der -inform DER -text

The next part is sed magic. It removes all new lines and replaces them with a +:

sed ':a;N;$!ba;s/\n/+/g'

The next part is easy sed magic. It removes all blanks:

sed 's/ //g'

The next part is the interesting part and extracts the Subject Key Identifier.

sed -n 's/.*SubjectKeyIdentifier:+\([A-F0-9:]*\)+.*/\1/p'

The last part is just removing the colons with sed. Maybe not needed in your case; maybe you also need it as binary.

sed 's/\://g'

If binary output is needed, add another pipe to the whole command:

openssl x509 -in CERT_S_SM_DPauth_ECDSA_BRP.der -inform DER -text | sed ':a;N;$!ba;s/\n/+/g' | sed 's/ //g' | sed -n 's/.*SubjectKeyIdentifier:+\([A-F0-9:]*\)+.*/\1/p' | sed 's/\://g' | xxd -r -p - subjkid.bin
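As an added example (not part of either answer), here is a small Python script that performs the same extraction as the sed pipeline above over the text output of `openssl x509 -text`, first on a constructed sample and then, via a helper, on a real certificate file; the helper assumes the `openssl` binary is on PATH.

```python
import re
import subprocess

# Constructed sample of `openssl x509 -text` output for an EC prime256v1
# certificate. The identifier values are made up, not from a real certificate.
SAMPLE_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D
            X509v3 Authority Key Identifier:
                keyid:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC
"""

# Same idea as the sed pipeline: the value follows the header on the next
# line. A regex that spans the line break replaces the newline/blank
# stripping passes, and "Authority Key Identifier" is never matched.
SKI_RE = re.compile(
    r"Subject Key Identifier:\s*((?:[0-9A-Fa-f]{2}:)*[0-9A-Fa-f]{2})")


def extract_ski(text):
    """Return the SKI as (colon-separated hex, raw bytes), or None if absent."""
    m = SKI_RE.search(text)
    if m is None:
        return None
    colon_form = m.group(1).upper()
    return colon_form, bytes.fromhex(colon_form.replace(":", ""))


def ski_from_cert_file(path, inform="PEM"):
    """Run `openssl x509 -text` on a certificate file and extract its SKI."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-inform", inform, "-noout", "-text"],
        check=True, capture_output=True, text=True).stdout
    return extract_ski(out)


if __name__ == "__main__":
    colon, raw = extract_ski(SAMPLE_TEXT)
    print(colon)          # colon form, as openssl prints it
    print(raw.hex())      # same bytes without colons
    print(len(raw))       # 20 bytes for a SHA-1 based identifier
```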
0
votes

One can simply use the -subject option with openssl, and to specify DER or PEM format use the -inform option, for example:

$ openssl x509 -inform DER -in myCert.der -noout -subject
subject= /C=IN/ST=Karnataka/L=Banaglore/O=FOO/OU=BAR

$ openssl x509 -inform PEM -in myCert.pem -noout -subject
subject= /C=IN/ST=Karnataka/L=Banaglore/O=FOO/OU=BAR

Note: By default we don't have to specify the -inform option for PEM format.