certcheck.sh: a TLS/SSL certificate checker

Understanding TLS/SSL certificate fields

When you inspect a TLS/SSL certificate - whether via certcheck.sh, the openssl command, or another tool - you are presented with many different fields that represent a certificate’s identity, validity, and cryptographic properties. certcheck.sh focuses on displaying the following fields, which are explained in more detail below:

  • Serial number
  • Fingerprint
  • Signature algorithm
  • Subject
  • Issuer
  • Valid from date
  • Valid to date
  • Subject alternate names

Serial number

The serial number is a unique identifier assigned to a certificate by the Certificate Authority (CA) that issued it. No two certificates issued by the same CA should share a serial number. It is represented as a large integer, typically displayed in hexadecimal format. Serial numbers are used by CAs to track issued certificates and are referenced in Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) responses to identify revoked certificates.

Fingerprint

A certificate fingerprint is a cryptographic hash of the certificate’s DER-encoded contents. It is not embedded in the certificate itself; it is computed on the fly by the client inspecting it. Fingerprints are most commonly expressed as SHA-256 hashes, though SHA-1 was historically used. certcheck.sh displays a SHA-256 hash for the queried TLS/SSL certificate. Because a hash function produces a fixed-length, deterministic output, the fingerprint serves as a verifiable representation of the entire certificate. Even a single-bit change to the certificate would produce a completely different fingerprint, making it a reliable way to verify that two certificates are identical or to detect tampering.
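The following added example (not part of certcheck.sh) recomputes the fingerprint by hashing the DER encoding directly, compares it with what openssl reports, and shows the effect of a one-bit change. It assumes the openssl command is installed; the certificate is a throwaway self-signed sample and CN=fingerprint.example is a constructed name.

```shell
#!/bin/sh
# Added example: the SHA-256 fingerprint is just a hash over the DER bytes.
# The certificate is a constructed, short-lived self-signed sample.
set -e

# Create a throwaway self-signed certificate: $1 = directory to write into.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=fingerprint.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Fingerprint as openssl reports it, normalised to lowercase hex, no colons.
openssl_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# The same value computed independently: SHA-256 over the DER encoding.
der_fingerprint() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Flip the lowest bit of one byte in a DER copy and hash the result.
tampered_fingerprint() {
    der="$1.tampered.der"
    openssl x509 -in "$1" -outform DER -out "$der"
    byte=$(od -An -tu1 -j100 -N1 "$der" | tr -d ' ')
    printf "\\$(printf '%03o' $(( $byte ^ 1 )))" |
        dd of="$der" bs=1 seek=100 conv=notrunc 2>/dev/null
    openssl dgst -sha256 -r "$der" | cut -d' ' -f1
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_sample_cert "$workdir"
echo "openssl -fingerprint : $(openssl_fingerprint "$workdir/cert.pem")"
echo "sha256 over DER      : $(der_fingerprint "$workdir/cert.pem")"
echo "after one-bit change : $(tampered_fingerprint "$workdir/cert.pem")"
```
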

Signature algorithm

The signature algorithm field identifies the cryptographic algorithm the CA used to digitally sign the certificate. This field has two components: the hashing algorithm (e.g., SHA-256) used to produce a digest of the certificate data, and the asymmetric algorithm (e.g., RSA or ECDSA) used to sign that digest with the CA’s private key. The signature algorithm matters because weaker algorithms - such as those using SHA-1 or MD5 - are no longer trusted by modern browsers and operating systems.

Subject

The subject field identifies the entity the certificate was issued to. It is expressed as a Distinguished Name (DN), a structured sequence of attribute-value pairs. Common attributes include:

  • CN (Common Name) - historically the primary hostname the certificate was issued for, though this role has largely been superseded by Subject Alternative Names
  • O (Organization) - the legal name of the organization, present on Organization Validated (OV) and Extended Validation (EV) certificates
  • C (Country) - the two-letter ISO country code of the organization

Domain Validated (DV) certificates, the most commonly issued type, typically contain only a CN and omit organization-level attributes, as the CA only verifies domain control, not organizational identity.

Issuer

The issuer field identifies the CA that signed and issued the certificate, also expressed as a Distinguished Name. It describes the specific CA entity in the chain of trust responsible for vouching for the certificate’s subject. In a typical PKI chain, this will be an Intermediate CA rather than a Root CA because Root CAs generally do not issue end-entity certificates directly. The issuer’s DN in an end-entity certificate should match the subject DN of the signing Intermediate CA’s certificate, forming a verifiable chain up to a trusted Root CA embedded in the client’s trust store.

Valid from date

The valid from date, formally called notBefore in the X.509 specification, defines the earliest point in time at which the certificate is considered valid. Clients should reject a certificate presented before this date. This field is set by the CA at issuance and is included in the signed certificate data, meaning it cannot be altered without invalidating the CA’s signature.

Valid to date

The valid to date, formally called notAfter in the X.509 specification, defines the expiration point of the certificate. After this date, clients will reject the certificate as expired, regardless of whether it has been revoked.

Subject alternate names

Subject Alternative Names (SANs) are an X.509 extension that specifies the additional hostnames, IP addresses, or other identifiers the certificate is valid for. A single certificate can contain multiple SANs, making it possible to secure several domains or subdomains with one certificate; such certificates are commonly called multi-domain or SAN certificates. Wildcard entries (e.g., *.example.com) are also permitted within SANs. Since 2017, browsers have required that the hostname being validated appear in the SAN extension - the CN field alone is no longer sufficient for this purpose. This makes the SAN extension the authoritative source for determining what a certificate actually secures.
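The following added example (not part of certcheck.sh) builds a sample certificate whose CN is deliberately absent from its SAN list, then uses openssl's hostname check to show that only SAN entries count and that a wildcard covers a single label. It assumes OpenSSL 1.1.1 or later (for -addext and -ext); all hostnames are constructed.

```shell
#!/bin/sh
# Added example: hostname matching is driven by the SAN extension, not the CN.
# All names below are constructed samples.
set -e

# $1 = directory to write into. The CN is NOT repeated in the SAN list.
make_san_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=cn-only.example.com" \
        -addext "subjectAltName=DNS:www.example.com,DNS:*.apps.example.com" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# List the DNS entries of the SAN extension, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeeds only if openssl's hostname check accepts $2 for certificate $1.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_san_cert "$workdir"
echo "SAN entries:"
san_dns_names "$workdir/cert.pem" | sed 's/^/  /'
for host in www.example.com api.apps.example.com a.b.apps.example.com \
            apps.example.com cn-only.example.com; do
    if host_matches "$workdir/cert.pem" "$host"; then
        verdict="match"
    else
        verdict="NO match"
    fi
    printf '%-24s %s\n' "$host" "$verdict"
done
```
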
