ssh-certview Command Reference


ssh-certview [-C] [-c] [-d debug_level] [-h] [-q] [-V] [-v] [file ...]


Use ssh-certview to view the contents of X.509 certificates (in either PEM or DER format), CRL lists, or PKCS#10 requests. You can also output sample syntax for use in pki_mapfile(5), which is used by Reflection PKI Services Manager to map certificates to allowed identities.

The ssh-certview output for certificate fields is compliant with RFC 2253. To be compliant with this standard, Subject and Issuer fields start with the Common Name (for example, "CN = Secure CA, O = Secure Corporation, C = US"). This format is also used by Reflection PKI Services Manager.

Note: Other utilities (including earlier versions of Reflection for Secure IT) reverse the order of the field content in the Subject field output. The reversed format is not equivalent and will not result in a match if used in a PKI Services Manager map file.
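
The ordering difference described in the note above can be checked before a Subject string copied from another utility is placed in a map file. The following Python sketch is an added example, not part of ssh-certview or the product documentation; the function names and sample DNs are constructed, and it assumes a comma-separated DN that contains a CN component at one end.

```python
# Added example: detect and correct a reversed Subject/Issuer string.
# Escaped (\,) and quoted commas belong to a value and are not separators.

def _trim(rdn: str) -> str:
    """Strip surrounding whitespace but keep an escaped trailing space."""
    rdn = rdn.lstrip()
    return rdn if rdn.endswith("\\ ") else rdn.rstrip()

def split_rdns(dn: str) -> list[str]:
    """Split a DN string into its components on unescaped, unquoted commas."""
    rdns, current, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            rdns.append(_trim("".join(current)))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append(_trim("".join(current)))
    return [r for r in rdns if r]

def _attr(rdn: str) -> str:
    """Attribute type of one component, e.g. 'CN' for 'CN = Secure CA'."""
    return rdn.split("=", 1)[0].strip().upper()

def to_cn_first(dn: str) -> str:
    """Return the DN with the Common Name first, reversing it if needed."""
    rdns = split_rdns(dn)
    if rdns and _attr(rdns[0]) == "CN":
        return ", ".join(rdns)             # already in the expected order
    if rdns and _attr(rdns[-1]) == "CN":
        return ", ".join(reversed(rdns))   # reversed form from another tool
    raise ValueError("no CN at either end; order cannot be determined")

if __name__ == "__main__":
    # Constructed sample in the reversed order the note warns about.
    print(to_cn_first("C = US, O = Secure Corporation, CN = Secure CA"))
```

The spacing around "=" is left exactly as it appears in the input; only the order of the components changes.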


Options are available in both a single-character form (such as -o) and a descriptive equivalent (--option). Single characters are shown here. To view the descriptive equivalents, use the -h command line option.


-C

Specifies that output should include a comment mark (#) at the beginning of each line of output.


-c

Extracts content from a certificate and outputs correct syntax for inclusion in pki_mapfile(5). Unless you also specify -q, standard output is also included, and is preceded by comment marks.

-d debug_level

Sets the debug level. Increasing the value increases the amount of information displayed. Use 1, 2, 3, or 99. (Values 4-98 are accepted, but are equivalent to 3.)


-h

Displays a brief summary of command options.


-q

Turns off display of all output except map file syntax. Use this option with -c to output just map file syntax without commented certificate information.


-V

Displays product name and version information and exits. If other options are specified on the command line, they are ignored.


-v

Increases the verbosity of the output data.

If you are viewing a certificate with -v, the output includes Issuer, Serial Number (hex), Subject, Subject Alternative Name, Validity period, Extensions if set (including Key usage, Constraints, CDP, AIA, Policy OIDs), Public key type, and Public key fingerprint. Without this option, the output shows Issuer, Serial Number (hex), and Subject.

If you are viewing a CRL with -v, the output includes the entire list of revoked certificates. Without this option, the output shows issuer and update information.


To view the contents of the specified certificate, including full information about certificate extensions:

ssh-certview -v sample.crt

To view the contents of the certificate cacert.pem, the certificate request cacert.pem.p10, and the certification revocation file example.revoke.crl:

ssh-certview cacert.pem cacert.pem.p10 example.revoke.crl

To extract sample output from the specified certificate for inclusion in a PKI Services Manager map file:

ssh-certview -q -c cacert.pem