I've an certificate and a p12 private key.
I need to check if both match:
$ openssl rsa -modulus -noout -in visor.p12 | openssl md5
unable to load Private Key
139755626676672:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
$ openssl x509 –noout –modulus –in EC_SECPUBLIC.cer | openssl md5
x509: Unknown parameter –noout
x509: Use -help for summary.
(stdin)= d41d8cd98f00b204e9800998ecf8427e
Any ideas?
Related
I've a certificate request (see bottom) of which I'd like get fingerprint preferably from command-line (Unix). If my goal was only to verify integrity of a PEM file on two machines I could just use e.g. sha256sum csr.pem value but I'd like to get the same fingerprint as Puppet does:
puppet:~# puppetserver ca list --all
Requested Certificates:
testbox (SHA256) 7C:8C:A2:2C:17:42:C1:B9:55:A0:1D:EE:0D:C1:B0:65:B0:B4:AF:83:68:77:A8:0D:C4:6C:B1:41:25:FF:E7:C2
This fingerprint value is printed on both testbox and puppet machines when bootstrapping testbox and only thing they both share is the CA certificate (private key of which is stored on puppet). So the algorithm shouldn't require any private keys on input.
I assume the algorithm is standard, but I don't know cryptographic formats and openssl enough to figure out how to get it, and I'd specifically like to use openssl or some other widely available command line utility (i.e. not Ruby).
One of my failed attempts:
testbox:~# openssl x509 -fingerprint -in /etc/puppetlabs/puppet/ssl/certificate_requests/testbox.pem
unable to load certificate
139644407518336:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
Here's the actual certificate request:
testbox:~# cat /etc/puppetlabs/puppet/ssl/certificate_requests/testbox.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIEVzCCAj8CAQAwEjEQMA4GA1UEAwwHdGVzdGJveDCCAiIwDQYJKoZIhvcNAQEB
BQADggIPADCCAgoCggIBAKAT6FPs6RkT30lnNk0wpfhLtjrrAr/YdyDCUVTjV5jL
23iuLLSHes7yog/gACitGqCOnSz7J95OUtfGV+ACV8AEcyNpQazOqHhcLh15CYa7
8fDyVsoLzHWUKDMXhNllYrJFOoEDU/IP/y5hdS6e56pPZCVwYRxg9pjtvOX/FyUA
vXFA94IvqAgR2HdD7Vbr11mSmVNJuP9bWimhizvpzG4g3Xacvz7BhEZC5v/tIuH6
zaQtKCoBoxTFQhlFhY1F0iIMIjbTFTUuzPjCh5pMhXMxm0rgpH0SkvJp8bzesCGX
34JIDCOo6R197IttvbPh+6J91nMReOrYl4WAIMFHMz9L2dEClKbT0qWKjTHSUB6E
Pkia6d/gQzM4UcfP2NGAPnaWv3HZJPy6LnOHFoaxkfiMVGMlKISqF8cbkhGEneX0
V3Q8z60BAdr1q2i2rmPQkhp0MLwCoOzEcH13I43GhZuF/V6YbBcLt0UcEI0DC+VR
vP1sIFXj/BzQkITgzE9q067vRtgYVb85CtfESvSbLdci8noPz076wuaiRme8qzHM
SovvAcq6QGPKaB7K7veKAUW7riOaXHRzR6WAxE2t4WlZDmT/9liLPlxT38Mbl2LE
mVRPNvb1IUyWY5SoE4Dl/9ZNMlIReMrT/XVD/Udt5zOlKxica2wSHPIRyBDm5ah9
AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEAAkqLZQQGf8cHPqX+MWmMu42sHETv
CSqRvKM1oLcli4OCPF15axLNUAXg7+wSPOLfUkznkqukSs+ZZKoKex232ZesrDRn
IG1kkVrYRWAO6kgHHTnQJx0HOawny1OObfIlkbq/PSiprlPK5OfjyTgjK4oIDqIy
50Vifqv2akgW4/HirgUe54dILuXRlntFJtDXyanMHcRhg/Vy+I7hfIbimuBoIWuF
Z/ULNcj25+/m0VjAYNJ4gkV/TgIcWhmRLvq7AFeFo3tmEsmrbnXJnBnt1RCpAOY4
CF3T5etAsG+6JfQ/erY3Kh6sGK5XOvLSQ6SautW8DzSGCV8XKv9jQYlbM/4c3HwX
4vzIxYueW+u2MlfJZcYfkr8RK9bmk4mJCa63AK3VgRtQK21IJqNOR9lgiP202b+T
9o8CmT+rxAnEZHIr9j2nDjPlaR63lAWpSKsS/HxXr6wh2JS/34+YuhbvZlSrxYoR
D8Ta3fZYkIX7aCEziSNqRgZgz+VGroxrQCjdvTYRzr2G6LUVrr0D4dUJnBt1DhZO
klV+pv2tFl5q9szTuu0dkLNyPYFOTjCTD3GxpsuMwmONMAzsMUT+ouLVoklmXxim
Ah3ZrRv4O/hnjRZM0+tV498b4G8ZZmyp80K1CTQwLJNewpk9n2I2K7RVGFtyXa9M
irfOVbUQKaBTrqg=
-----END CERTIFICATE REQUEST-----
If my goal was only to verify integrity of a PEM file on two machines I could just use e.g. sha256sum csr.pem value but I'd like to get the same fingerprint as Puppet does
The general notion of the fingerprint/thumbprint of a certificate is a digest of the DER-encoded (binary) representation of the certificate. You can do this with the openssl x509 command directly... or indirectly:
$ openssl x509 -in test.cer -noout -sha256 -fingerprint
SHA256 Fingerprint=3E:A9:CB:54:36:DB:CF:23:50:D1:6B:D8:06:25:DC:0E:37:23:3E:A7:50:A5:D1:F3:05:0F:26:33:4E:F8:66:7C
$ openssl x509 -in test.cer -outform der | sha256sum
3ea9cb5436dbcf2350d16bd80625dc0e37233ea750a5d1f3050f26334ef8667c -
So the algorithm shouldn't require any private keys on input.
That is correct.
One of my failed attempts:
testbox:~# openssl x509 -fingerprint -in /etc/puppetlabs/puppet/ssl/certificate_requests/testbox.pem
Because the fingerprint/thumbprint is the digest of the signed certificate, it cannot be determined from the request. (The certificate has its validity information, the CA identifier, and the CA's signature... and probably extensions not present in the request.)
If you're trying to match a certificate to a certificate request, the only thing they're really guaranteed to have in common is the public key. If the -pubkey outputs match they're the same.
$ openssl req -in test.csr -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBJDANBgkqhkiG9w0BAQEFAAOCAREAMIIBDAKCAQEAr4HBy9ggP2JKU57WYIF1
NyOTooN9SJDkihne02lzEVYglo1r4NPao4qnd74C7gtrk7ck6NzBK2MrT6gLvJJb
zmJPTKfMYGMGs5QD4oyTLSTdVG/+TvajfxB3CyIV6oy7W/Qn6MTYm3nrM4N1EAxf
g+Vd6bRGbd++7kJTmu8z7xh7d2DDsaGyEDwtgURWSgwQOaCchc9rWXTrUW/I1mI8
lK46WguztMeSlX1DI5FWbPPipSr7DBQrngaBuJcmca8rgt05Cjm5Oc9xlWhofkmQ
pjBQyndo3NazeIQvGP2x9tn/CWuve+uY3Pkw1m/P1QP1jUG/9GIS4k46/EXqQr2I
RwIFAgAABEE=
-----END PUBLIC KEY-----
$ openssl x509 -in test.cer -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBJDANBgkqhkiG9w0BAQEFAAOCAREAMIIBDAKCAQEAr4HBy9ggP2JKU57WYIF1
NyOTooN9SJDkihne02lzEVYglo1r4NPao4qnd74C7gtrk7ck6NzBK2MrT6gLvJJb
zmJPTKfMYGMGs5QD4oyTLSTdVG/+TvajfxB3CyIV6oy7W/Qn6MTYm3nrM4N1EAxf
g+Vd6bRGbd++7kJTmu8z7xh7d2DDsaGyEDwtgURWSgwQOaCchc9rWXTrUW/I1mI8
lK46WguztMeSlX1DI5FWbPPipSr7DBQrngaBuJcmca8rgt05Cjm5Oc9xlWhofkmQ
pjBQyndo3NazeIQvGP2x9tn/CWuve+uY3Pkw1m/P1QP1jUG/9GIS4k46/EXqQr2I
RwIFAgAABEE=
-----END PUBLIC KEY-----
While I don't have an example offhand, just because they don't match doesn't mean they're different. This is because some algorithms, such as RSA, there are multiple different legal encodings for the key in SubjectPublicKeyInfo and the CA could re-normalize when signing the certificate.
For RSA you could open it with the openssl rsa command and then let OpenSSL re-normalize it (when writing it back out it won't remember which of the two representations were used)
$ openssl req -in test.csr -pubkey -noout | openssl rsa -pubin -outform der | sha256sum
writing RSA key
3305c9f5c37cb13c152d087eea65ce1af3f0f846b309cb0426f1f42ae5fcbae0 -
$ openssl x509 -in test.cer -pubkey -noout | openssl rsa -pubin -outform der | sha256sum
writing RSA key
3305c9f5c37cb13c152d087eea65ce1af3f0f846b309cb0426f1f42ae5fcbae0 -
IMHO, the answer of bartonjs didn't really answer woky's original question:
I've a certificate request (see bottom) of which I'd like get fingerprint preferably from command-line (Unix). [...] I'd like to get the same fingerprint as Puppet does
So the question was, how to get the same fingerprint of the CSR as puppet does internally.
This command should do the "magic" generating the same fingerprint.
openssl req -in /etc/puppetlabs/puppet/ssl/certificate_requests/testbox.pem -outform der | sha256sum | awk '{ print $1 }' | sed 's/\(..\)/\1:/g; s/:$//; s/./\U&/g;'
awk limits output to the sha256 string and sed re-formats the string (insert colons, all letters capital, remove ending colon). This will give you a representation of the CSR fingerprint how puppet outputs it.
Note: I haven't been able to generate the same fingerprint as woky provided in his initial question using his CSR. But I'm able to reconstruct a correct fingerprint with any CSR I generate my self, so I'd guess woky's CSR doesn't match the fingerprint provided in the question.
This is an modification of lars answer:
openssl req -in ./kontrollant.ca.csr.pem -outform DER|openssl dgst -sha256 -c
Though this gives the checksum in lower case, so awk or tr is possibilities
openssl req -in ./kontrollant.ca.csr.pem -outform DER|openssl dgst -sha256 -c|tr '[:lower:]' '[:upper:]'
Would be how i now would do this (i use the '-c' argument to openssl dgst's sha256)
Another method could be:
openssl req -in ./kontrollant.ca.csr.pem -outform DER|openssl dgst -sha256|awk '{ gsub(/../,"&:", $2); gsub(/:$/,"", $2); print upper($2) }'
I'm trying to convert a JKS cert to PKCS8 for Logstash v5.1.
I found an example here: https://stackoverflow.com/a/656559
keytool -importkeystore -srckeystore foo.jks -destkeystore foo.p12 /
-srcstoretype jks -deststoretype pkcs12
openssl pkcs12 -in foo.p12 -out foo.pem
openssl pkcs12 -in foo.p12 -nocerts -out key.pem
openssl pkcs8 -in key.pem -topk8 -out p8key.pem
But it produces the following error when attempting to run logstash:
ERROR logstash.inputs.beats - Looks like you either have an invalid key or your private key was not in PKCS8 format.
{:exception=>java.lang.IllegalArgumentException: File does not contain valid private key: /ELK/logstash/SSL/p8key.pem}
I also tried to convert to pkcs8 with the -nocrypt flag, and receive this error:
ERROR org.logstash.beats.BeatsHandler - Exception: not an SSL/TLS record
The cause of this error:
ERROR logstash.inputs.beats - Looks like you either have an invalid key or your private key was not in PKCS8 format.
{:exception=>java.lang.IllegalArgumentException: File does not contain valid private key: /ELK/logstash/SSL/p8key.pem}
is because ssl_key_passphrase => "password" was not set in the logstash input.
And this error:
ERROR org.logstash.beats.BeatsHandler - Exception: not an SSL/TLS record
is because non-SSL/TLS traffic was attempting to go through the SSL/TLS port. In this case, the culprit was filebeat.
https://www.elastic.co/guide/en/x-pack/current/security-troubleshooting.html
I have 2 files - CSR.csr and newkey.key, both seem to be in PEM format as follows -
-----BEGIN CERTIFICATE REQUEST-----
MIID....
-----END CERTIFICATE REQUEST-----
-----BEGIN RSA PRIVATE KEY-----
MI...
-----END RSA PRIVATE KEY-----
When I'm trying to read the CSR.csr file, I get the following error :
$ openssl x509 -in CSR.csr -text -noout
unable to load certificate
140518720210760:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE
I read that we get this error when the input file is in DER format, so I tried the following -
$ openssl x509 -inform DER -in CSR.csr -text -noout
but now I get the error -
unable to load certificate
140519053051720:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1320:
140519053051720:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:382:Type=X509
And it seems this error occurs when the input file is already in PEM format and one tries to read it in DER format.
Really confused how to go about it as I'm new to SSL. Please help!
In my case I was trying to read my cer file and was receiving the error stated above
openssl x509 -in CSR.csr -text -noout
unable to load certificate
140518720210760:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE
I had to convert it to a crt file using openssl.
openssl x509 -inform DER -in <certname>.cer -out <certname>.crt
openssl x509 -in <certname>.crt -text
Here's the doc i used. I was able to read it using openssl after that
The problem is not PEM vs. DER but that you are using a certificate request in a place where a certificate is expected. This is clearly shown by the PEM header -----BEGIN CERTIFICATE REQUEST-----.
To show the content of a certificate request use
openssl req -in CSR.csr -text
To show the content of a certificate use
openssl x509 -in CERT.crt -text
This ERROR also happens on certificates that are not "certificate request" emmited to be signed by a CA (non-CSR certificate) but which are x509 regular certificates from Windows PKI in ".cer" format
In this case, following "Norbert" answer is the good way to solve the problem, converting the certificate in ".crt'
After the file is able to be dumped using:
openssl x509 -in YOURCERT.crt -noout -text
or
openssl x509 -in YOURCERT.crt -text
I have a SSL certificate. I want to check if the certificate is intact or corrupted. Are there any tool to check this?
Problem is we are unable to get this certificate working in Websphere 8.0 and I was thinking if this cert file could be corrupted.
Yes, you can check a certificate with openssl (available for windows and *nix).
openssl x509 -in certificate.crt -text -noout
Reference
Update
To be more precise, you can compare the modulus and public exponent of the key and certificate respectively to guarantee that certificate matches the key and that the certificate has not been corrupted.
openssl rsa -noout -modulus -in server.key.pem | openssl sha1;\
openssl x509 -noout -modulus -in server.crt | openssl sha1
Valid output would look like
7298b69426656f7a8ab3ef9686bc0a79588850e7
7298b69426656f7a8ab3ef9686bc0a79588850e7
After hand modifying the cert the output would be.
7298b69426656f7a8ab3ef9686bc0a79588850e7
bd439a18d2d3689470e209dbd45b85a41db7230c
The command
openssl x509 -in certificate.crt -text -noout
is used for verifying certificate chains but not checking for corruption. A hand modified certificate could return valid looking output but a problem with the RSA Public Key: (4096 bit) Modulus (4096 bit): part would only be detectable with the above check.
Another Reference
I am signing packets in some Java code and I want to verify the signatures on a C server. I want to fork openssl for this purpose (can always use library functions later... when I know openssl can verify the signatures); however, it's failing to do so:
openssl dgst -verify cert.pem -signature file.sha1 file.data
all it says is "unable to load key file"
The certificate says:
openssl verify cert.pem
cert.pem: /C=....
error 20 at 0 depth lookup:unable to get local issuer certificate
However, I specifically don't care about verifying the certificate, I want only to verify the signature for a given file!
The output of openssl x509 -in cert.pem -noout -text is:
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
...
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=...
Validity
Not Before: Feb 1 15:22:44 2010 GMT
Not After : Jun 19 15:22:44 2037 GMT
Subject: C=...
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:cc:cc:f9:c7:3a:00:0f:07:90:55:d9:fb:a9:fe:
...
32:cc:ee:7f:f2:01:c7:35:d2:b5:9b:35:dd:69:76:
00:a9
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
39:d6:2c:6b:6a:00:74:b5:81:c2:b8:60:d6:6b:54:11:41:8d:
...
8f:3e:3f:5d:b3:f8:dd:5e
openssl dgst -verify foo.pem expects that foo.pem contains the "raw" public key in PEM format. The raw format is an encoding of a SubjectPublicKeyInfo structure, which can be found within a certificate; but openssl dgst cannot process a complete certificate in one go.
You must first extract the public key from the certificate:
openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
then use the key to verify the signature:
openssl dgst -verify pubkey.pem -signature sigfile datafile