When creating public-private key pair and certificate, usually we see that the certificate looks like this:
-----BEGIN CERTIFICATE-----
XXX
XXX
...
XXX
-----END CERTIFICATE-----
If I understand correctly, the certificate should contain a lot of information like issuer, time, algorithm, public key, etc.
Can anybody tell me how we can a browser decode this certificate?
Most programming languages will have functions to do this, or you can use the OpenSSL command line utility.
For example, in PHP, you could use the openssl_x509_parse() function,
Here's a list of OpenSSL commands for getting certificate info. Most programming languages let you call system commands like openssl.
Here's the linked info incase the page is removed:
# Using the -text option will give you the full breadth of information.
openssl x509 -text -in cert.pem
# who issued the cert?
openssl x509 -noout -in cert.pem -issuer
# to whom was it issued?
openssl x509 -noout -in cert.pem -subject
# for what dates is it valid?
openssl x509 -noout -in cert.pem -dates
# the above, all at once
openssl x509 -noout -in cert.pem -issuer -subject -dates
# what is its hash value?
openssl x509 -noout -in cert.pem -hash
# what is its MD5 fingerprint?
openssl x509 -noout -in cert.pem -fingerprint
And here is the output of the -text full info option when run on the PayPal API public key:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CA, L=Mountain View, O=PayPal Inc., OU=live_certs, CN=live_api/emailAddress=re#paypal.com
Validity
Not Before: Feb 13 10:13:15 2004 GMT
Not After : Feb 13 10:13:15 2035 GMT
Subject: C=US, ST=CA, L=Mountain View, O=PayPal Inc., OU=live_certs, CN=live_api/emailAddress=re#paypal.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c1:47:4e:dd:fc:44:cc:4b:5c:9c:8e:d9:29:92:
f8:d7:65:ef:64:fb:a0:a2:78:bb:8b:b0:fb:a6:b0:
9e:d0:0b:5a:1d:37:3d:ec:26:20:9b:b3:6c:02:d2:
72:c4:d2:e2:c6:68:4b:57:ca:72:20:46:a2:1d:75:
80:87:c7:cf:29:6f:91:d3:5e:fe:12:65:eb:af:d1:
1a:aa:e3:e6:b1:5b:d3:cb:00:00:13:53:cc:34:e2:
aa:a3:69:25:e0:6c:62:cf:dc:d9:a8:86:a3:3a:6d:
5f:64:65:9c:19:2d:1f:e4:94:36:90:1a:8d:6e:f6:
e0:db:f6:5a:f8:62:7f:ab:05
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
96:9F:7C:BB:C6:6F:17:BD:59:3F:52:D7:0A:1B:EC:10:D6:64:94:6B
X509v3 Authority Key Identifier:
keyid:96:9F:7C:BB:C6:6F:17:BD:59:3F:52:D7:0A:1B:EC:10:D6:64:94:6B
DirName:/C=US/ST=CA/L=Mountain View/O=PayPal Inc./OU=live_certs/CN=live_api/emailAddress=re#paypal.com
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
81:5f:3a:56:9a:80:5a:e5:ef:5f:a3:ab:a3:8a:89:d6:d6:15:
21:3e:43:81:6a:44:eb:dd:80:83:8d:b6:1f:bc:91:22:bf:fd:
8f:f8:8a:1b:84:e1:89:af:ce:7e:5c:78:4d:d2:fe:20:52:41:
03:23:ca:f6:fe:b3:64:d6:6d:06:03:c1:ca:75:db:d3:8f:21:
b0:fd:7a:97:6b:e2:d2:4e:50:d8:92:a2:3c:3b:04:7c:18:46:
23:e1:e7:c4:b5:c4:69:45:80:71:57:c2:b1:01:6f:77:60:35:
b3:14:6b:eb:b8:a9:e7:2d:b0:c0:17:a5:51:e7:0f:dc:08:c9:
f9:87
-----BEGIN CERTIFICATE-----
MIIDgzCCAuygAwIBAgIBADANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtQ
YXlQYWwgSW5jLjETMBEGA1UECxQKbGl2ZV9jZXJ0czERMA8GA1UEAxQIbGl2ZV9h
cGkxHDAaBgkqhkiG9w0BCQEWDXJlQHBheXBhbC5jb20wHhcNMDQwMjEzMTAxMzE1
WhcNMzUwMjEzMTAxMzE1WjCBjjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw
FAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtQYXlQYWwgSW5jLjETMBEG
A1UECxQKbGl2ZV9jZXJ0czERMA8GA1UEAxQIbGl2ZV9hcGkxHDAaBgkqhkiG9w0B
CQEWDXJlQHBheXBhbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMFH
Tt38RMxLXJyO2SmS+Ndl72T7oKJ4u4uw+6awntALWh03PewmIJuzbALScsTS4sZo
S1fKciBGoh11gIfHzylvkdNe/hJl66/RGqrj5rFb08sAABNTzDTiqqNpJeBsYs/c
2aiGozptX2RlnBktH+SUNpAajW724Nv2Wvhif6sFAgMBAAGjge4wgeswHQYDVR0O
BBYEFJaffLvGbxe9WT9S1wob7BDWZJRrMIG7BgNVHSMEgbMwgbCAFJaffLvGbxe9
WT9S1wob7BDWZJRroYGUpIGRMIGOMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
FjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC1BheVBhbCBJbmMuMRMw
EQYDVQQLFApsaXZlX2NlcnRzMREwDwYDVQQDFAhsaXZlX2FwaTEcMBoGCSqGSIb3
DQEJARYNcmVAcGF5cGFsLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
BQUAA4GBAIFfOlaagFrl71+jq6OKidbWFSE+Q4FqROvdgIONth+8kSK//Y/4ihuE
4Ymvzn5ceE3S/iBSQQMjyvb+s2TWbQYDwcp129OPIbD9epdr4tJOUNiSojw7BHwY
RiPh58S1xGlFgHFXwrEBb3dgNbMUa+u4qectsMAXpVHnD9wIyfmH
-----END CERTIFICATE-----
To answer my own question: It is just a Base64 encoding.
Related
I'm trying to import a certificate into AWS, the problem is my private key is not in pem format. I'd rather not have to create a new certificate as I've already had a CA sign mine. I've generated the key using this following command
keytool -genkey -alias info -keyalg RSA -keysize 2048 -keystore info
Which leaves me with a private key in binary format named info. I'm able to use this command to convert the private key into base64 I believe.
openssl rsa -inform DER -outform PEM -in info -out info.pem
The header and footer are missing
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Which I append to their appropriate locations. Now when I'm attempt to upload my cert, it fails because the private key is not in pem format. AS per other questions regarding binary to pem format, I've tried this command.
openssl rsa -inform der -in info -outform pem -out info.pem
which results in this error "unable to load Private Key
140594255303104:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:../crypto/asn1/asn1_lib.c:101:"
How should go about converting a binary key generated from keytool into pem format?
I was able to convert it from jks to pem using these following commands.
keytool -importkeystore -srckeystore info -destkeystore info.p12 -srcalias info -srcstoretype jks -deststoretype pkcs12
openssl pkcs12 -in info.p12 -out info.pem
I have created private key and public key using below commands,
openssl genrsa -out privatekey.pem 1024
openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825
Seems like both are in different format.
I need to convert rsa privatekey.pem to x509 format.
Is there any way i can do that?
Probably, you meant a conversion of the RSA private key to the PKCS8 format.
From starting with:
-----BEGIN RSA PRIVATE KEY-----
To:
-----BEGIN PRIVATE KEY-----
If so, use the following command:
openssl pkcs8 -topk8 -in rsa.private.key -out pkcs8.private.key -nocrypt
I'm configuring an Apache server for SSL, and in particular have generated a fresh CA key and certificate file. Here's the command I used to create the certificate:
>openssl req -config openssl.cnf -key private/CA.key -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/CA.pem
When I check the dates in the CA.pem file, here's what I see:
>openssl x509 -dates -noout -in certs/CA.pem
notBefore=Feb 16 04:48:07 2018 GMT
notAfter=Jan 5 22:19:51 1902 GMT
Does this look right? I would have expected notAfter to be a later date than notBefore, and I have no idea why notAfter is set to a date in 1902.
Thanks for any help, Martin
well i have tried the below
openssl x509 -req -in <cert_name>.csr -signkey <key_name>.key -out output.crt
but seems to throw an error
140735226307408:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: CERTIFICATE REQUEST
Any solutions?
The source of the problem is the form of your CSR : While working with X509, your data can be store using 2 forms : DER and PEM.
By default openssl assumes you are using PEM.
In your case, you should first convert the CSR in PEM format :
openssl req -inform DER -in <cert_name>.csr -out <cert_name>.pem
And then
openssl x509 -req -in <cert_name>.pem -signkey <key_name>.key -out output.crt
I have a public key, a 192 bit hash, and a 384 bit signature, all as .txt hex files, and the curve is prime192v1.
What command lines can I use to verify the message with OpenSSL?
For reference, the EC key can be created with the following command:
Create the EC key:
$ openssl ecparam -genkey -name prime192v1 > key.pem
Extract the public key:
$ openssl ec -in key.pem -pubout > pub.pem
Signing the hash of a message and verifying the signature with an EC key can be done the same way as with other key types:
Calculate the hash (use a hash funtion of your choice):
$ openssl dgst -sha256 -binary message.txt > hash.txt
Sign the hash with the private key:
$ openssl pkeyutl -sign -inkey key.pem -in hash.txt > sig.txt
Verify the signature with the public key:
$ openssl pkeyutl -verify -in hash.txt -sigfile sig.txt -inkey key.pem
Signature Verified Successfully