(Note: This requires OpenSSL version 0.9.8a or higher.)

You may want to find out which Certificate Authority (CA) signed a particular certificate. OpenSSL calls this CA the “issuer”. You can view the issuer of a certificate, and you can also view the hash of the issuer. The hash is useful if you have named your certificate files with their hash value: you can then quickly match the issuer hash with the certificate hash file name. Here's an openssl command to output this information:
```
> openssl x509 -in cert.pem -noout -issuer -issuer_hash
issuer= /C=US/ST=Illinois/L=Urbana/O=NCSA/CN=www.ncsa.uiuc.edu/emailAddress=firstname.lastname@example.org
be7cee67
>
```
Here's an explanation of the command line options:
- -in cert.pem - read in the certificate in question from the file cert.pem.
- -noout - do not output the PEM-encoded version of the certificate.
- -issuer - output the issuer's Distinguished Name (DN).
- -issuer_hash - output the hash of the certificate issuer's name. (Option available in version 0.9.8a and above.)
Note that this command only gives you the entity that signed this certificate. It does NOT give you the root CA, since a certificate chain can contain many entities. To get to the root CA, you have to keep running this command on the “issuer” until you find a self-signed certificate (i.e. the “issuer” equals the “subject”).
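The repeated lookup described above can be scripted. This is an added example, not part of the original page: the function name `walk_chain`, the 10-link limit, and the assumption that the CA certificates sit in one directory as `<hash>.N` files (for example `be7cee67.0`) are all illustrative.

```shell
#!/bin/sh
# Added example: follow issuer links through a directory of hash-named certs.
# Assumption: $2 holds CA certificates named <subject_hash>.N (e.g. be7cee67.0).
# Usage: walk_chain cert.pem /path/to/hashed/certs

# Print the subject DN of each certificate from $1 up to its root, one per line.
# Returns 0 if a self-signed certificate is reached, 1 if an issuer file is
# missing or unreadable, 2 if the walk exceeds 10 links (guards against loops
# between cross-signed CAs).
walk_chain() {
    cert=$1
    dir=$2
    depth=0
    while [ "$depth" -lt 10 ]; do
        shash=$(openssl x509 -in "$cert" -noout -subject_hash) || return 1
        ihash=$(openssl x509 -in "$cert" -noout -issuer_hash) || return 1
        openssl x509 -in "$cert" -noout -subject
        # Self-signed: issuer name equals subject name, so the hashes match.
        if [ "$shash" = "$ihash" ]; then
            return 0
        fi
        # Several certs can share a name hash (<hash>.0, <hash>.1, ...);
        # this sketch takes the first file that exists.
        next=
        for f in "$dir/$ihash".*; do
            if [ -f "$f" ]; then
                next=$f
                break
            fi
        done
        if [ -z "$next" ]; then
            echo "issuer $ihash not found in $dir" >&2
            return 1
        fi
        cert=$next
        depth=$((depth + 1))
    done
    return 2
}
```

The walk matches on names only, exactly like the manual procedure; it does not check signatures, so use `openssl verify` when you need the chain validated rather than just listed.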