November 21, 2024

I have started taking Ed Harmoush’s Practical TLS course to learn more about TLS and certificates. When learning about TLS, you want to inspect different certificates to see the various fields and see how different organizations use certificates differently. As always, Linux comes with a great set of tools to work with certificates in the form of OpenSSL. In this post, I will show how to download a certificate and discuss some of the fields that are present in the certificate.

To get the certificate, we will use openssl with s_client and connect to a web site. I’m using twitter.com in this example:

openssl s_client -connect twitter.com:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Twitter, Inc.", CN = twitter.com
verify return:1
---
Certificate chain 0 s:C = US, ST = California, L = San Francisco, O = "Twitter, Inc.", CN = twitter.com i:C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1 1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1 i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFazCCBPKgAwIBAgIQApPDmMLPSme+g7U3VNqTeTAKBggqhkjOPQQDAzBWMQsw
CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp
Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjIwMzA3MDAw
MDAwWhcNMjMwMzA2MjM1OTU5WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs
aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEWMBQGA1UEChMNVHdpdHRl
ciwgSW5jLjEUMBIGA1UEAxMLdHdpdHRlci5jb20wWTATBgcqhkjOPQIBBggqhkjO
PQMBBwNCAAR45SH/I15fFxhdMTC+z7QG3NUBnLwye4M89+7FBmazTprXzLBrFL6w
iszjJo6ZbvjHH+Anr7EloiOmyCd6CcT7o4IDjjCCA4owHwYDVR0jBBgwFoAUCrwI
KReMpTlteg7OM8cus+37w3owHQYDVR0OBBYEFCMuApYaSTouUoRg0NPAcgqPUzQo
MCcGA1UdEQQgMB6CC3R3aXR0ZXIuY29tgg93d3cudHdpdHRlci5jb20wDgYDVR0P
AQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBmwYDVR0f
BIGTMIGQMEagRKBChkBodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRU
TFNIeWJyaWRFQ0NTSEEzODQyMDIwQ0ExLTEuY3JsMEagRKBChkBodHRwOi8vY3Js
NC5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNIeWJyaWRFQ0NTSEEzODQyMDIwQ0Ex
LTEuY3JsMD4GA1UdIAQ3MDUwMwYGZ4EMAQICMCkwJwYIKwYBBQUHAgEWG2h0dHA6
Ly93d3cuZGlnaWNlcnQuY29tL0NQUzCBhQYIKwYBBQUHAQEEeTB3MCQGCCsGAQUF
BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wTwYIKwYBBQUHMAKGQ2h0dHA6
Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NIQTM4
NDIwMjBDQTEtMS5jcnQwCQYDVR0TBAIwADCCAX0GCisGAQQB1nkCBAIEggFtBIIB
aQFnAHYA6D7Q2j71BjUy51covIlryQPTy9ERa+zraeF3fW0GvW4AAAF/Zs9cUwAA
BAMARzBFAiEAhfGjCOUeRm/kHVawNy3RJZ1YXMWS0hZSJDRTEOsMx20CIF6ogmQY
N39TkR8C8E/h0J4TY1KxdiVbQvK0RrHN8FJVAHYANc8ZG7+xbFe/D61MbULLu7Yn
ICZR6j/hKu+oA8M71kwAAAF/Zs9cIQAABAMARzBFAiA3tUnaT5aw8irIfAGSUCAg
Z+yxrgDcwCdNsKL6NArnKQIhAJ0NRfSw48YnZ9WdyA0ld2gnZJAhp/226PdTbrDZ
U9kCAHUAs3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZoAAAF/Zs9cQAAA
BAMARjBEAiA0chFWolNwUo1A2KZysMp4g0fqWAnIlZOC1Hm/XxNrNgIgE/sjXAm9
f/CtJs3XChaF7R34cMvsKCyFrW0+ycbg7H0wCgYIKoZIzj0EAwMDZwAwZAIwQcD0
aUHKfljlai5ceovXBRkn0NRQb05OTYl0CKElutbSqnCnEJbxfsh1Snhwe7h8AjBi
OdC/T3eT3A0QXmKu1Odkq+9U9vsBycfGBRFZiP/DCXWJXYcBki92Oxq+uwukNmA=
-----END CERTIFICATE-----
subject=C = US, ST = California, L = San Francisco, O = "Twitter, Inc.", CN = twitter.com issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1 ---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2752 bytes and written 383 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

This provides us with some interesting information on issuer, cipher suite etc but the certificate itself is from —–BEGIN CERTIFICATE—– to —–END CERTIFICATE—–. If we put this text in a text file, we can use openssl to provide us with more information:

daniel@devasc:~$ nano twitter_cert.crt
daniel@devasc:~$ cat twitter_cert.crt -----BEGIN CERTIFICATE-----
MIIFazCCBPKgAwIBAgIQApPDmMLPSme+g7U3VNqTeTAKBggqhkjOPQQDAzBWMQsw
CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp
Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjIwMzA3MDAw
MDAwWhcNMjMwMzA2MjM1OTU5WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs
aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEWMBQGA1UEChMNVHdpdHRl
ciwgSW5jLjEUMBIGA1UEAxMLdHdpdHRlci5jb20wWTATBgcqhkjOPQIBBggqhkjO
PQMBBwNCAAR45SH/I15fFxhdMTC+z7QG3NUBnLwye4M89+7FBmazTprXzLBrFL6w
iszjJo6ZbvjHH+Anr7EloiOmyCd6CcT7o4IDjjCCA4owHwYDVR0jBBgwFoAUCrwI
KReMpTlteg7OM8cus+37w3owHQYDVR0OBBYEFCMuApYaSTouUoRg0NPAcgqPUzQo
MCcGA1UdEQQgMB6CC3R3aXR0ZXIuY29tgg93d3cudHdpdHRlci5jb20wDgYDVR0P
AQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBmwYDVR0f
BIGTMIGQMEagRKBChkBodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRU
TFNIeWJyaWRFQ0NTSEEzODQyMDIwQ0ExLTEuY3JsMEagRKBChkBodHRwOi8vY3Js
NC5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNIeWJyaWRFQ0NTSEEzODQyMDIwQ0Ex
LTEuY3JsMD4GA1UdIAQ3MDUwMwYGZ4EMAQICMCkwJwYIKwYBBQUHAgEWG2h0dHA6
Ly93d3cuZGlnaWNlcnQuY29tL0NQUzCBhQYIKwYBBQUHAQEEeTB3MCQGCCsGAQUF
BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wTwYIKwYBBQUHMAKGQ2h0dHA6
Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NIQTM4
NDIwMjBDQTEtMS5jcnQwCQYDVR0TBAIwADCCAX0GCisGAQQB1nkCBAIEggFtBIIB
aQFnAHYA6D7Q2j71BjUy51covIlryQPTy9ERa+zraeF3fW0GvW4AAAF/Zs9cUwAA
BAMARzBFAiEAhfGjCOUeRm/kHVawNy3RJZ1YXMWS0hZSJDRTEOsMx20CIF6ogmQY
N39TkR8C8E/h0J4TY1KxdiVbQvK0RrHN8FJVAHYANc8ZG7+xbFe/D61MbULLu7Yn
ICZR6j/hKu+oA8M71kwAAAF/Zs9cIQAABAMARzBFAiA3tUnaT5aw8irIfAGSUCAg
Z+yxrgDcwCdNsKL6NArnKQIhAJ0NRfSw48YnZ9WdyA0ld2gnZJAhp/226PdTbrDZ
U9kCAHUAs3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZoAAAF/Zs9cQAAA
BAMARjBEAiA0chFWolNwUo1A2KZysMp4g0fqWAnIlZOC1Hm/XxNrNgIgE/sjXAm9
f/CtJs3XChaF7R34cMvsKCyFrW0+ycbg7H0wCgYIKoZIzj0EAwMDZwAwZAIwQcD0
aUHKfljlai5ceovXBRkn0NRQb05OTYl0CKElutbSqnCnEJbxfsh1Snhwe7h8AjBi
OdC/T3eT3A0QXmKu1Odkq+9U9vsBycfGBRFZiP/DCXWJXYcBki92Oxq+uwukNmA=
-----END CERTIFICATE-----

The text here is Base64 encoded so as a human we don’t understand what is in this certificate at all. We will use openssl to provide us with a more human readable format:

daniel@devasc:~$ openssl x509 -in twitter_cert.crt -text -noout
Certificate: Data: Version: 3 (0x2) Serial Number: 02:93:c3:98:c2:cf:4a:67:be:83:b5:37:54:da:93:79 Signature Algorithm: ecdsa-with-SHA384 Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1 Validity Not Before: Mar 7 00:00:00 2022 GMT Not After : Mar 6 23:59:59 2023 GMT Subject: C = US, ST = California, L = San Francisco, O = "Twitter, Inc.", CN = twitter.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:78:e5:21:ff:23:5e:5f:17:18:5d:31:30:be:cf: b4:06:dc:d5:01:9c:bc:32:7b:83:3c:f7:ee:c5:06: 66:b3:4e:9a:d7:cc:b0:6b:14:be:b0:8a:cc:e3:26: 8e:99:6e:f8:c7:1f:e0:27:af:b1:25:a2:23:a6:c8: 27:7a:09:c4:fb ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Authority Key Identifier: keyid:0A:BC:08:29:17:8C:A5:39:6D:7A:0E:CE:33:C7:2E:B3:ED:FB:C3:7A X509v3 Subject Key Identifier: 23:2E:02:96:1A:49:3A:2E:52:84:60:D0:D3:C0:72:0A:8F:53:34:28 X509v3 Subject Alternative Name: DNS:twitter.com, DNS:www.twitter.com X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl Full Name: URI:http://crl4.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl X509v3 Certificate Policies: Policy: 2.23.140.1.2.2 CPS: http://www.digicert.com/CPS Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crt X509v3 Basic Constraints: CA:FALSE CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9: 03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E Timestamp : Mar 7 23:55:39.987 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:21:00:85:F1:A3:08:E5:1E:46:6F:E4:1D:56: B0:37:2D:D1:25:9D:58:5C:C5:92:D2:16:52:24:34:53: 10:EB:0C:C7:6D:02:20:5E:A8:82:64:18:37:7F:53:91: 1F:02:F0:4F:E1:D0:9E:13:63:52:B1:76:25:5B:42:F2: B4:46:B1:CD:F0:52:55 Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 35:CF:19:1B:BF:B1:6C:57:BF:0F:AD:4C:6D:42:CB:BB: B6:27:20:26:51:EA:3F:E1:2A:EF:A8:03:C3:3B:D6:4C Timestamp : Mar 7 23:55:39.937 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:20:37:B5:49:DA:4F:96:B0:F2:2A:C8:7C:01: 92:50:20:20:67:EC:B1:AE:00:DC:C0:27:4D:B0:A2:FA: 34:0A:E7:29:02:21:00:9D:0D:45:F4:B0:E3:C6:27:67: D5:9D:C8:0D:25:77:68:27:64:90:21:A7:FD:B6:E8:F7: 53:6E:B0:D9:53:D9:02 Signed Certificate Timestamp: Version : v1 (0x0) Log ID : B3:73:77:07:E1:84:50:F8:63:86:D6:05:A9:DC:11:09: 4A:79:2D:B1:67:0C:0B:87:DC:F0:03:0E:79:36:A5:9A Timestamp : Mar 7 23:55:39.968 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:34:72:11:56:A2:53:70:52:8D:40:D8:A6: 72:B0:CA:78:83:47:EA:58:09:C8:95:93:82:D4:79:BF: 5F:13:6B:36:02:20:13:FB:23:5C:09:BD:7F:F0:AD:26: CD:D7:0A:16:85:ED:1D:F8:70:CB:EC:28:2C:85:AD:6D: 3E:C9:C6:E0:EC:7D Signature Algorithm: ecdsa-with-SHA384 30:64:02:30:41:c0:f4:69:41:ca:7e:58:e5:6a:2e:5c:7a:8b: d7:05:19:27:d0:d4:50:6f:4e:4e:4d:89:74:08:a1:25:ba:d6: d2:aa:70:a7:10:96:f1:7e:c8:75:4a:78:70:7b:b8:7c:02:30: 62:39:d0:bf:4f:77:93:dc:0d:10:5e:62:ae:d4:e7:64:ab:ef: 54:f6:fb:01:c9:c7:c6:05:11:59:88:ff:c3:09:75:89:5d:87: 01:92:2f:76:3b:1a:be:bb:0b:a4:36:60

That’s a lot of information to take in. So let’s break it down into the various fields that are part of a certificate. Starting with the Version:

Version: 3 (0x2)

The version of the X509 certificate. Do not confuse this with TLS version 1.3 or similar. You will most likely only see version 3 when inspecting certificates which is the X509 version supporting extensions such as Subject Alternate Name (SAN) and others.

The next field is the Serial Number:

Serial Number: 02:93:c3:98:c2:cf:4a:67:be:83:b5:37:54:da:93:79

A up to 20-byte (160 bits) number (can be shorter) that uniquely identifies a certificate issued by a given Certificate Authority (CA). No two certificates issued from the same CA should have the same serial number. It’s possible for certificates generated by different CAs to have the same serial number, though. The serial number is used to check the validity of a certificate when making a request to a CA. For example to a Certificate Revocation List (CRL) or using Online Certificate Status Protocol (OCSP).

Then comes the Signature Algorithm:

Signature Algorithm: ecdsa-with-SHA384

The signature algorithm provides two pieces of information:

  • The hashing algorithm used to provide a digest of the certificate data
  • The asymmetric encryption algorithm that provided the public and private key

In the certificate above, SHA-384 was used to hash the certificate data to provide a digest. The Elliptic Curve Digital Signature Algorithm (ECDSA) was the algorithm that generated the public and private key. Elliptic curve encryption is often referred to as next generation encryption algorithms.

After that we have the Issuer:

Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1

The Issuer tells us what CA issued the certificate. In this case, DigiCert issued the certificate and the Common Name (CN) shows what server signed the certificate.

The next field is Validity:

Validity Not Before: Mar 7 00:00:00 2022 GMT Not After : Mar 6 23:59:59 2023 GMT

This field is pretty self explanatory. The certificate is valid from 7th of March 2022 until 6th of March 2023 just before midnight. Back in the days people would get certificates that were valid for multiple years, maybe even 5 or 10 years in a set and forget fashion. That is now considered poor practice and most CAs will not issue certificates with a validity longer than 13 months. The trend is to have shorter and shorter validity and use automation tools to rotate certificates. One consideration here is that if your devices’ time is off by much, it can cause issues. For example, some device will boot up with clock set to something like 1990 which is obviously before the certificate became valid so it will then be considered invalid.

Then we have the Subject:

Subject: C = US, ST = California, L = San Francisco, O = "Twitter, Inc.", CN = twitter.com

The Subject is what the certificate is identifying, in this case twitter.com. The CN here is twitter.com which is an exact match to twitter.com. Subdomains such as images.twitter.com or similar would not be identified by this CN. A wildcard would be needed for that such as *.twitter.com. However, the SAN field is the extra twist that we will review later. Keep in mind that browsers will compare the URL to what is in the SAN.

The next field is Public Key:

Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:78:e5:21:ff:23:5e:5f:17:18:5d:31:30:be:cf: b4:06:dc:d5:01:9c:bc:32:7b:83:3c:f7:ee:c5:06: 66:b3:4e:9a:d7:cc:b0:6b:14:be:b0:8a:cc:e3:26: 8e:99:6e:f8:c7:1f:e0:27:af:b1:25:a2:23:a6:c8: 27:7a:09:c4:fb ASN1 OID: prime256v1 NIST CURVE: P-256

What is the Public Key used for? The client, through the browser, need to generate symmetric session keys that are used to encrypt the data between the client and the server. The client uses the public key of the certificate to encrypt the information known as premaster secret that it sends to the server. This can only be decrypted with the private key of the server.

In the X509v3 extensions field we also have the SAN:

 X509v3 Subject Alternative Name: DNS:twitter.com, DNS:www.twitter.com

The SAN allows a certificate to be used for multiple names. A good example is the one above which allows the certificate to be used both for twitter.com and www.twitter.com. It can be used for more than that, though. Let’s go through the same process as we did for twitter.com with google.com and view the contents of its certificate. The first interesting thing we see is the Issuer:

Issuer: C = US, O = Google Trust Services LLC, CN = GTS CA 1C3

Normally we would see issuers such as DigiCert, IdenTrust, Sectigo, Let’s Encrypt, GoDaddy etc. However, Google has their own Root CA and sign their own certificates.

Next, the Subject is also different compared to Twitter:

Subject: CN = *.google.com

Notice the use of the asterisk here (wild card). This means that any subdomain, such as images.google.com can be used. However, the domain google.com is not included here. But let’s take a look at the SAN…

X509v3 Subject Alternative Name: DNS:*.google.com, DNS:*.appengine.google.com, DNS:*.bdn.dev, DNS:*.cloud.google.com, DNS:*.crowdsource.google.com, DNS:*.datacompute.google.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic-cn.com, DNS:googlecnapps.cn, DNS:*.googlecnapps.cn, DNS:googleapps-cn.com, DNS:*.googleapps-cn.com, DNS:gkecnapps.cn, DNS:*.gkecnapps.cn, DNS:googledownloads.cn, DNS:*.googledownloads.cn, DNS:recaptcha.net.cn, DNS:*.recaptcha.net.cn, DNS:recaptcha-cn.net, DNS:*.recaptcha-cn.net, DNS:widevine.cn, DNS:*.widevine.cn, DNS:ampproject.org.cn, DNS:*.ampproject.org.cn, DNS:ampproject.net.cn, DNS:*.ampproject.net.cn, DNS:google-analytics-cn.com, DNS:*.google-analytics-cn.com, DNS:googleadservices-cn.com, DNS:*.googleadservices-cn.com, DNS:googlevads-cn.com, DNS:*.googlevads-cn.com, DNS:googleapis-cn.com, DNS:*.googleapis-cn.com, DNS:googleoptimize-cn.com, DNS:*.googleoptimize-cn.com, DNS:doubleclick-cn.net, DNS:*.doubleclick-cn.net, DNS:*.fls.doubleclick-cn.net, DNS:*.g.doubleclick-cn.net, DNS:doubleclick.cn, DNS:*.doubleclick.cn, DNS:*.fls.doubleclick.cn, DNS:*.g.doubleclick.cn, DNS:dartsearch-cn.net, DNS:*.dartsearch-cn.net, DNS:googletraveladservices-cn.com, DNS:*.googletraveladservices-cn.com, DNS:googletagservices-cn.com, DNS:*.googletagservices-cn.com, DNS:googletagmanager-cn.com, DNS:*.googletagmanager-cn.com, DNS:googlesyndication-cn.com, DNS:*.googlesyndication-cn.com, DNS:*.safeframe.googlesyndication-cn.com, DNS:app-measurement-cn.com, DNS:*.app-measurement-cn.com, DNS:gvt1-cn.com, DNS:*.gvt1-cn.com, DNS:gvt2-cn.com, DNS:*.gvt2-cn.com, DNS:2mdn-cn.net, DNS:*.2mdn-cn.net, DNS:googleflights-cn.net, DNS:*.googleflights-cn.net, DNS:admob-cn.com, DNS:*.admob-cn.com, DNS:*.gstatic.com, DNS:*.metric.gstatic.com, DNS:*.gvt1.com, DNS:*.gcpcdn.gvt1.com, DNS:*.gvt2.com, DNS:*.gcp.gvt2.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.ytimg.com, DNS:android.com, DNS:*.android.com, DNS:*.flash.android.com, DNS:g.cn, DNS:*.g.cn, DNS:g.co, DNS:*.g.co, DNS:goo.gl, DNS:www.goo.gl, DNS:google-analytics.com, DNS:*.google-analytics.com, DNS:google.com, DNS:googlecommerce.com, DNS:*.googlecommerce.com, DNS:ggpht.cn, DNS:*.ggpht.cn, DNS:urchin.com, DNS:*.urchin.com, DNS:youtu.be, DNS:youtube.com, DNS:*.youtube.com, DNS:youtubeeducation.com, DNS:*.youtubeeducation.com, DNS:youtubekids.com, DNS:*.youtubekids.com, DNS:yt.be, DNS:*.yt.be, DNS:android.clients.google.com, DNS:developer.android.google.cn, DNS:developers.android.google.cn, DNS:source.android.google.cn

Wow! That’s a lot. It seems pretty much any Google service and domain is included in here, including google.com. Using a certificate for so many domains and services does of course come with considerations for security, blast radius etc., but it would be a fair assumption that Google probably know what they are doing.

I hope this post has been informative and that you have learned how easy it is to use openssl library to view certificates.

Source