Dumping any kind of certificate file gives you access to more details than the Windows UI usually shows you.
This is especially handy when checking out errors or issues (which can be very difficult to track down).
For binary PFX files, the certutil and openssl commands come in very handy:
Some options to view PFX file details:Open a command prompt and type: certutil -dump Install OpenSSL and use the commands to view the details, such as: openssl pkcs12 -info -in unverified.
OpenSSL is a separate download (from my OpenSSL category of articles, see Some command-line tips for OpenSSL and file format pfx, p12, cer, crt, key, etc. conversion of certificates, keys) to get it.
CertUtil now ships with Windows by default (it wasn’t in the Windows XP era, I’m not sure about Windows Server 2003).
Here is the CertUtil help for dumping certificate information;
Dump certificate file information CertUtil [Options] [-dump] [File] Options: [-f] [-silent] [-split] [-p Password] [-t Timeout]
Note:
- the [-v] option is not listed, but does work; it will give a more verbose dump.
- [-dump] also works other certificate file extensions like .p7b files.
Here is the OpenSSL help for dumping pkcs12 information:
openssl pkcs12 [-export] [-chain] [-inkey filename] [-certfile filename] [-name name] [-caname name] [-in filename] [-out filename] [-noout] [-nomacver] [-nocerts] [-clcerts] [-cacerts] [-nokeys] [-info] [-des | -des3 | -idea | -aes128 | -aes192 | -aes256 | -camellia128 | -camellia192 | -camellia256 | -nodes] [-noiter] [-maciter | -nomaciter | -nomac] [-twopass] [-descert] [-certpbe cipher] [-keypbe cipher] [-macalg digest] [-keyex] [-keysig] [-password arg] [-passin arg] [-passout arg] [-rand files] [-CAfile file] [-CApath dir] [-CSP name]
The pkcs12 command allows PKCS#12 files sometimes referred to as PFX files to be created and parsed. PKCS#12 files are used by several programs including Netscape, MSIE and MS Outlook.
There are a lot of options the meaning of some depends of whether a PKCS#12 file is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12 file can be created by using the -export option see below.
-in filenameThis specifies filename of the PKCS#12 file to be parsed. Standard input is used by default.
…
-infooutput additional information about the PKCS#12 file structure, algorithms used and iteration counts.
and the OpenSSL help for dumping pkcs7 information:
openssl pkcs7 [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-out filename] [-print_certs] [-text] [-noout] [-engine id]
The pkcs7 command processes PKCS#7 files in DER or PEM format.
-inform DER|PEM; This specifies the input format. DER format is DER encoded PKCS#7 v1.5 structure.PEM the default is a base64 encoded version of the DER form with header and footer lines.
…
-print_certs; prints out any certificates or CRLs contained in the file. They are preceded by their subject and issuer names in one line format.
-text; prints out certificates details in full rather than just subject and issuer names.
…
Notes:
- do not forget the -inform DER option to specify a binary .p7b file.
- the -text option gives you more verbose information
–jeroen
via:
- security – How do I view the contents of a PFX file on Windows? – Super User.
- CertUtil Certification Authority Utility | Windows CMD | SS64.com.
- OpenSSL: Documents, openssl1.
- OpenSSL: Documents, pkcs121.
- OpenSSL: Documents, pkcs71.
The Wiert Corner - irregular stream of stuff 