CA bundle easy dump

In my sysadmin day-to-day tasks, I often need to dump a CA bundle (CA stands for Certificate Authority) to see which Certificate Authorities are present.

What is a CA bundle?

What I call a CA bundle is simply a plaintext file holding several CA certificates, one after the other, each in PEM form.

Example:

❯ cat /etc/ssl/certs/ca-certificates.crt
-----BEGIN CERTIFICATE-----
MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE
AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw
CQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQ
BgNVBAMMCUFDQ1ZSQUlaMTEQMA4GA1UECwwHUEtJQUNDVjENMAsGA1UECgwEQUND
VjELMAkGA1UEBhMCRVMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCb
qau/YUqXry+XZpp0X9DZlv3P4uRm7x8fRzPCRKPfmt4ftVTdFXxpNRFvu8gMjmoY
[...]
h1xA2syVP1XgNce4hL60Xc16gwFy7ofmXx2utYXGJt/mwZrpHgJHnyqobalbz+xF
d3+YJ5oyXSrjhO7FmGYvliAd3djDJ9ew+f7Zfc3Qn48LFFhRny+Lwzgt3uiP1o2H
pPVWQxaZLPSkVrQ0uGE3ycJYgBugl6H8WY3pEfbRD0tVNEYqi4Y7
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFgzCCA2ugAwIBAgIPXZONMGc2yAYdGsdUhGkHMA0GCSqGSIb3DQEBCwUAMDsx
[...]

dumps the system-wide CA bundle of my Ubuntu machine.

Each certificate sits between a -----BEGIN CERTIFICATE----- line and an -----END CERTIFICATE----- line; the lines in between are the Base64 encoding of the DER certificate.

This PEM encoding is not made for humans. Let's see how we can easily list the content of such a bundle in a human-friendly fashion.

How to easily see the subject of each CA present in a bundle?

As in the previous example, let's see which CAs are present in the file /etc/ssl/certs/ca-certificates.crt:

❯ awk -v cmd='openssl x509 -noout -subject' \
    '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
subject=CN = ACCVRAIZ1, OU = PKIACCV, O = ACCV, C = ES
subject=C = ES, O = FNMT-RCM, OU = AC RAIZ FNMT-RCM
subject=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
[...]

As you can see, it's now quite easy to read the subject of each CA present in the file /etc/ssl/certs/ca-certificates.crt. The awk part is needed because openssl x509 only parses the first certificate it is given: closing the pipe at every BEGIN line ends the current openssl process (which then prints its subject) and the next print starts a fresh one for the next certificate.

If you're familiar with openssl, you can of course modify the openssl x509 -noout -subject command given above to print any attribute you need: -issuer, -fingerprint -sha256, -dates, -serial, or -text for the whole certificate. When the goal is to audit what a machine trusts, the SHA-256 fingerprint is the attribute to compare against a trusted root list: a subject name can say anything, whereas a root you cannot account for by fingerprint is the one that deserves a closer look.
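The same split-and-inspect idea, for both the PEM structure described above and the per-certificate openssl call, as an added example that is not part of the original post: a POSIX shell script that, for every certificate in a bundle, prints one tab-separated line with an expiry status, the SHA-256 fingerprint, the notAfter date and the subject. It assumes only sh, awk, sed, grep and the openssl CLI (1.1.1 or 3.x); the function names (bundle_count, bundle_each, cert_line, bundle_report, make_demo_bundle) are ours, and the two self-signed "Test Root" certificates are constructed test data, not real CAs.

```shell
#!/bin/sh
# Added example (not from the original post): inspect every certificate in a
# PEM bundle with openssl. Assumes POSIX sh, awk, sed, grep and the openssl
# CLI (1.1.1 or 3.x); all function names below are ours.
set -eu

# bundle_count FILE: number of certificates (BEGIN CERTIFICATE lines) in FILE.
bundle_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# bundle_each FILE CMD...: run CMD... once per certificate, with exactly one
# BEGIN...END block on stdin (openssl x509 only reads the first one it sees).
bundle_each() {
  file=$1; shift
  tmp=$(mktemp)
  n=$(bundle_count "$file")
  i=1
  while [ "$i" -le "$n" ]; do
    # Extract only the i-th BEGIN...END block of the bundle.
    awk -v want="$i" '
      /-----BEGIN CERTIFICATE-----/ { n++ }
      n == want { print }
      /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$file" > "$tmp"
    "$@" < "$tmp"
    i=$((i + 1))
  done
  rm -f "$tmp"
}

# cert_line DAYS: read one PEM certificate on stdin and print
# status<TAB>sha256-fingerprint<TAB>notAfter<TAB>subject.
# -nameopt RFC2253 keeps the subject format identical across OpenSSL versions.
cert_line() {
  days=$1
  pem=$(cat)
  fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//')
  end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | sed 's/^notAfter=//')
  subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  # -checkend N exits non-zero when the certificate expires within N seconds.
  if printf '%s\n' "$pem" | openssl x509 -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
    status=ok
  else
    status="expires<${days}d"
  fi
  printf '%s\t%s\t%s\t%s\n' "$status" "$fp" "$end" "$subj"
}

# bundle_report FILE DAYS: one line per certificate in FILE, flagging those
# that expire within DAYS days.
bundle_report() {
  bundle_each "$1" cert_line "$2"
}

# make_demo_bundle OUT: constructed test data, not real CAs: two self-signed
# roots, one valid 10 years and one valid a single day so the expiry check
# has something to flag.
make_demo_bundle() {
  out=$1
  key=$(mktemp)
  : > "$out"
  for spec in "Test Root A:3650" "Test Root B:1"; do
    cn=${spec%%:*}; d=${spec##*:}
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" \
      -subj "/CN=$cn" -days "$d" 2>/dev/null >> "$out"
  done
  rm -f "$key"
}

# Real-world usage: bundle_report /etc/ssl/certs/ca-certificates.crt 90
# Demo on the constructed bundle:
demo=$(mktemp)
make_demo_bundle "$demo"
bundle_report "$demo" 30
rm -f "$demo"
```

Run it as-is to see the demo; point bundle_report at /etc/ssl/certs/ca-certificates.crt to get the real list, then sort or grep the fingerprint column against whatever trusted root list you keep. If you only need subject and issuer and don't care about the other attributes, openssl can also do the splitting for you: openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs -noout prints them for every certificate in one go.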