
Cyber Security

Verisign Certificate Encrypted Attributes

TL;DR

No, not in the sense the question implies. Verisign-issued certificates (the Verisign CA business passed to Symantec in 2010 and then to DigiCert in 2017) contain no encrypted attributes. Every field of an X.509 certificate, including the Subject Alternative Name (SAN), Key Usage and Extended Key Usage extensions, is encoded with ASN.1 DER and then usually Base64-wrapped as PEM. Without a decoder that encoding looks like opaque binary, and extensions whose OID a tool does not recognise are printed as raw hex, which is what gets mistaken for encryption. Nothing in a certificate is decrypted with a key; even the issuer’s signature is verified, not decrypted. Below we show how to view these fields with OpenSSL.

How to View the Encoded Attributes in Verisign Certificates

  1. Get the Certificate: You’ll need the certificate file itself (usually a .crt, .pem or .cer file). PEM files are Base64 text between BEGIN CERTIFICATE/END CERTIFICATE lines; .cer files are sometimes raw DER binary, in which case add -inform DER to the commands below. You can often download it from the service that uses it, or pull it straight from a live server:
    openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null
  2. Use OpenSSL to Decode the Certificate: OpenSSL is the standard command-line tool for working with SSL/TLS certificates. The -ext option used below needs OpenSSL 1.1.1 or later. If you don’t have it installed:
    • Linux (Debian/Ubuntu):
      sudo apt update && sudo apt install openssl
    • macOS: the pre-installed openssl is LibreSSL; install a current OpenSSL via Homebrew (https://brew.sh/) with brew install openssl if a command below is rejected.
    • Windows: Download from a reputable source (e.g., https://slpsecret.com/openssl/). Make sure to add the OpenSSL bin directory to your system PATH.
  3. View Basic Certificate Information: Start by getting a full text dump:
    openssl x509 -in certificate.crt -text -noout

    The output shows the issuer, subject, validity dates, public key and an X509v3 extensions section. That section already decodes every standard extension (SAN, Key Usage, Extended Key Usage, Basic Constraints and so on) into readable form; only extensions OpenSSL does not recognise are shown as a hex dump. The steps below just narrow this output down.

  4. Inspect Subject Alternative Names (SANs): SANs list the DNS names, IP addresses, e-mail addresses or URIs a single certificate covers. Print only that extension:
    openssl x509 -in certificate.crt -noout -ext subjectAltName

    The -ext option prints the named extension already decoded, e.g. DNS:www.example.com, DNS:example.com, IP Address:192.0.2.1. There is no Base64 layer to strip afterwards: the PEM Base64 wrapper is removed when OpenSSL reads the file, so piping the result into openssl base64 -d only corrupts it. On the wire each entry is a context-tagged GeneralName ([2] for dNSName, [7] for iPAddress, and so on), which is what a raw dump shows.

  5. Check Key Usage & Extended Key Usage: These extensions define what the certificate key may be used for (e.g., digital signatures, key encipherment, TLS server authentication). Key Usage is a DER BIT STRING of flags; Extended Key Usage is a SEQUENCE of OIDs.
    openssl x509 -in certificate.crt -noout -ext keyUsage,extendedKeyUsage

    OpenSSL prints the flags by name (e.g. Digital Signature, Key Encipherment) and the EKU OIDs by their registered names (e.g. TLS Web Server Authentication). The bit positions and OIDs are defined in RFC 5280, sections 4.2.1.3 and 4.2.1.12. (DigiCert is not Verisign’s parent company; it acquired the former Verisign CA business from Symantec in 2017, so the issuer on a current certificate reads DigiCert.)

  6. Decode ASN.1 DER Encoding: If you encounter binary-looking data, it is DER, the tag-length-value encoding every certificate uses.
    openssl asn1parse -in certificate.crt -i -dump

    This parses the whole certificate as a tree of TLVs, with -i indenting nested structures and -dump showing the bytes of any value it cannot name. It is verbose but shows every byte of the structure. Extension values are wrapped in an OCTET STRING, so to see inside one, note its byte offset from the listing and descend into it:
    openssl asn1parse -in certificate.crt -i -strparse OFFSET

    Replace OFFSET with the offset printed at the start of that OCTET STRING line.

  7. Specific Attribute Inspection (Advanced): If you know which extension you are looking for, print it by its OpenSSL short name (several can be listed, comma separated):
    openssl x509 -in certificate.crt -noout -ext basicConstraints,certificatePolicies,authorityKeyIdentifier

    Replace the names with the extensions you need (the names are the ones shown in the X509v3 section of the -text output, without spaces). A private or vendor extension that OpenSSL does not know has no short name; for those use the asn1parse -strparse method from step 6 on the extension’s OCTET STRING.
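To make concrete what steps 4 to 7 are looking at, here is a minimal DER walker written for this article (it is not OpenSSL code and not from any Verisign or DigiCert tool). It decodes the Extensions SEQUENCE of a certificate the same way openssl x509 -ext does: it reads tag-length-value triples, turns the OID into dotted form, unpacks the Key Usage BIT STRING (including its unused-bits byte) and the SAN GeneralName tags, and falls back to a hex dump for any OID it does not know, which is exactly the “encrypted-looking” case. The input is a constructed Extensions structure built in build_sample_extensions(), not bytes from a real certificate, and the OID 1.2.3.4.5 in it is a dummy standing in for an unrecognised private extension.

```python
"""Minimal DER walker for X.509 v3 extensions. Added example, stdlib only.

The sample input is constructed here; it is not taken from a real certificate.
"""

OID_SAN = "2.5.29.17"        # id-ce-subjectAltName (RFC 5280 4.2.1.6)
OID_KEY_USAGE = "2.5.29.15"  # id-ce-keyUsage (RFC 5280 4.2.1.3)
DUMMY_PRIVATE_OID = "1.2.3.4.5"  # placeholder for an unrecognised private extension

# Bit positions of the KeyUsage BIT STRING, RFC 5280 4.2.1.3.
KEY_USAGE_BITS = ["Digital Signature", "Non Repudiation", "Key Encipherment",
                  "Data Encipherment", "Key Agreement", "Certificate Sign",
                  "CRL Sign", "Encipher Only", "Decipher Only"]


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = read_tlv(value, pos)
        yield tag, child


def decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted string (first byte packs two arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:                    # base-128, high bit marks continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_key_usage(bitstring):
    """BIT STRING contents -> list of flag names; byte 0 is the unused-bit count."""
    unused, bits = bitstring[0], bitstring[1:]
    return [KEY_USAGE_BITS[i] for i in range(len(bits) * 8 - unused)
            if bits[i // 8] & (0x80 >> (i % 8))]


def decode_san(seq):
    """GeneralNames SEQUENCE contents -> [(kind, text)] using the context tags."""
    kinds = {0x81: "email", 0x82: "DNS", 0x86: "URI"}
    out = []
    for tag, v in iter_children(seq):
        if tag in kinds:
            out.append((kinds[tag], v.decode("ascii")))
        elif tag == 0x87:                   # [7] iPAddress: 4 or 16 raw octets
            out.append(("IP", ".".join(map(str, v)) if len(v) == 4 else v.hex()))
        else:                               # otherName etc.: show raw bytes
            out.append(("other[%d]" % (tag & 0x1F), v.hex()))
    return out


def parse_extensions(der):
    """DER Extensions SEQUENCE -> [(oid, critical, decoded)]."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out = []
    for _, ext in iter_children(body):
        fields = list(iter_children(ext))   # OID, optional BOOLEAN, OCTET STRING
        oid = decode_oid(fields[0][1])
        critical = fields[1][0] == 0x01 and fields[1][1] != b"\x00"
        octets = fields[-1][1]              # extnValue: DER of the extension inside
        if oid == OID_SAN:
            decoded = decode_san(read_tlv(octets, 0)[1])
        elif oid == OID_KEY_USAGE:
            decoded = decode_key_usage(read_tlv(octets, 0)[1])
        else:                               # unknown OID: raw DER, nothing to decrypt
            decoded = octets.hex()
        out.append((oid, critical, decoded))
    return out


def tlv(tag, value):
    """DER-encode one TLV (short or two-byte long length, enough for samples)."""
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def build_sample_extensions():
    """Constructed sample: SAN, critical keyUsage and one dummy private extension."""
    san = tlv(0x30, tlv(0x82, b"www.example.com") + tlv(0x82, b"example.com")
              + tlv(0x87, bytes([192, 0, 2, 1])))
    key_usage = tlv(0x03, b"\x05\xa0")      # bits 0 and 2 set, 5 unused bits
    ext_san = tlv(0x30, tlv(0x06, encode_oid(OID_SAN)) + tlv(0x04, san))
    ext_ku = tlv(0x30, tlv(0x06, encode_oid(OID_KEY_USAGE)) + tlv(0x01, b"\xff")
                 + tlv(0x04, key_usage))
    ext_priv = tlv(0x30, tlv(0x06, encode_oid(DUMMY_PRIVATE_OID))
                   + tlv(0x04, tlv(0x04, b"\xde\xad\xbe\xef")))
    return tlv(0x30, ext_san + ext_ku + ext_priv)


if __name__ == "__main__":
    for oid, critical, decoded in parse_extensions(build_sample_extensions()):
        print(oid, "critical" if critical else "", decoded)
```

Running it prints the SAN as DNS/IP pairs and the key usage as flag names, while the dummy private extension comes out as 0404deadbeef: the same hex you would see from openssl asn1parse -dump, and the same bytes any tool gets, because there is no key involved.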

Important Considerations

  • Not True Encryption: The attributes aren’t encrypted and no key will “decrypt” them. They are DER-encoded for compact, unambiguous storage and transmission, and the PEM file is simply that DER wrapped in Base64. If a field looks like random bytes it is either a hash or key value, or an extension your tool has no name for.
  • Tools Required: You’ll need a decoder such as OpenSSL (1.1.1 or later for the -ext option) to interpret these attributes; any ASN.1 tool will show the same bytes.
  • Complexity: ASN.1 DER nesting can be hard to read, so interpreting a raw asn1parse dump takes some familiarity with the X.509 structure in RFC 5280.