OpenSSL "x509 -pubout" - Export Public Key"

Q

How to calculate the subject key identifier of a certificate uisng OpenSSL commands? I want to see if it matches the "X509v3 Subject Key Identifier" in the certificate.

✍: FYIcenter.com

A

Accoding to the RFC5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", the Subject Key Identifier is composed of the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits).

You can follow this definition and use OpenSSL commands to calculate the Subject Key Identifier from a certificate as shown in the test below:

C:\Users\fyicenter>\local\OpenSSL\openssl

OpenSSL> x509 -pubkey -in twitter.crt -noout > twitter_pub.key

OpenSSL> asn1parse -in twitter_pub.key
    0:d=0  hl=4 l= 290 cons: SEQUENCE
    4:d=1  hl=2 l=  13 cons: SEQUENCE
    6:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   17:d=2  hl=2 l=   0 prim: NULL
   19:d=1  hl=4 l= 271 prim: BIT STRING

OpenSSL> asn1parse -strparse 19 -in twitter_pub.key -out twitter_pub_key.bit
    0:d=0  hl=4 l= 266 cons: SEQUENCE
    4:d=1  hl=4 l= 257 prim: INTEGER           :C20898FA67000555B60B610E1AD7B58A
C1CC03BE3C17FB94F7D9FA4C9F46609C6AAD7D3AE5345A12B0B20BAAEC96E158812FAD60AB479369
E3847553C1F90FB946AB9EEAAB18988C6854085165431A6197275C5E0F15E9CD16ABDD515B762FFC
D311999DD2A63D870275E62496E2043E149CFA7EB871423700B5B08AE233958BDA3FFB634D3762D5
1C02EA307EDC0D53D5D40BB8A310136D1F89940B6A9444672982ADE6D5B052FC955706D6D1226684
D3922A02C79456DF553FC213F27C167833A153F777975CB79605D544F4BFEF83225D7AE68FE4ACDF
349EB60F0A53F01ADB71376992F614A91C7565724524093B2C6AD7B969A5DCDF6D9C6BFCC6A25B31
  265:d=1  hl=2 l=   3 prim: INTEGER           :010001

OpenSSL> dgst -sha1 twitter_pub_key.bit
SHA1(twitter_pub_key.bit)= 9f627bb2880eee1b79e06924e5ba3f47a60b02f0

OpenSSL> x509 -text -in twitter.crt -noout
...
            X509v3 Subject Key Identifier:
                9F:62:7B:B2:88:0E:EE:1B:79:E0:69:24:E5:BA:3F:47:A6:0B:02:F0
...

Notes about the test:

"x509 -pubkey ..." command extrats the public key from the certificate.
"asn1parse -in twitter_pub.key" command displays the public key file structure, showing that the "BIT STRING" value of the public key is at 0x19 offset position.
"asn1parse -strparse 19 ..." command extracts the "BIT STRING" value at 0x19 offset position and save it in file.
"dgst -sha1 ..." command gets the SHA-1 hash of the "BIT STRING" value.
"x509 -text ..." command displays details of the certificate including the Subject Key Identifier, which matches the SHA-1 hash from the "dgst -sha1 ..." command.

Note that not all certificates stores the Subject Key Identifier value.

⇒ OpenSSL "verify" Command

⇐ OpenSSL "x509 -pubkey" - Export Public Key"

⇑ OpenSSL "x509" Command

⇑⇑ OpenSSL Tutorials

2016-10-17, 7529👍, 0💬

ASN.1 Field Types Supported by OpenSSL
What are ASN.1 field types supported by the OpenSSL "ans1parse" command? OpenSSL "ans1parse" command supports the following ASN.1 field types: BOOLEAN, BOOL - This encodes a boolean type. The value string is mandatory and should be TRUE or FALSE. Additionally TRUE, true, Y, y, YES, yes, FALSE, false... 2016-10-15, 7620👍, 0💬

OpenSSL "x509 -pubkey" - Export Public Key"
How to export the public key out from a certificate using OpenSSL "x509" command? You can export the public key out from a certificate using OpenSSL "x509 -pubkey" command as shown below: C:\Users\fyicenter>\loc al\OpenSSL\opensslOpenSSL> x509 -in twitter.crt -pubkey -noout > tw... 2016-10-17, 7594👍, 0💬

OpenSSL "x509 -pubout" - Export Public Key"
How to calculate the subject key identifier of a certificate uisng OpenSSL commands? I want to see if it matches the "X509v3 Subject Key Identifier" in the certificate. Accoding to the RFC5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile" , the... 2016-10-17, 7530👍, 0💬

OpenSSL "ans1parse -genstr" - Single Primitive Field DER File
How to generate a DER file with a single data field using the OpenSSL "ans1parse" command? You can use the OpenSSL "ans1parse -genstr" command to generate a DER file with a single data field. You just need to specify the field type and field value separated by ":". Here are some examples of using "a... 2016-10-15, 7529👍, 0💬

OpenSSL "ans1parse" Command
Where to find tutorials on using OpenSSL "ans1parse" command? Here is a collection of tutorials on using OpenSSL "ans1parse" command compiled by FYIcenter.com team. OpenSSL "ans1parse" Command Options ASN.1 File Structure Supported by OpenSSL ASN.1 Field Types Supported by OpenSSL OpenSSL "ans1parse... 2016-10-17, 6872👍, 0💬

OpenSSL "ans1parse" Command Options
What can I use OpenSSL "ans1parse" command for? What are options supported by the "ans1parse" command? OpenSSL "ans1parse" command is a diagnostic utility that can parse ASN.1 file structures. It can also be used to extract data from ASN.1 files. Here are options supported by the "ans1parse" command... 2016-10-17, 6712👍, 0💬

RSA 1024-Bit Public Key - BF4D5439EEB4570797F0A6B9897B248F9731D2D0
Key Summary: Type: RSA 1024-Bit Public Key Identifier: BF:4D:54:39:EE:B4:57:07:97:F0: A6:B9:89:7B:24:8F:97:31:D2:D0Name: Equifax Secure Global eBusiness CA-1 Received at FYIcenter.com on: 2016-09-20 2016-09-22, 1546👍, 0💬

RSA 1024-Bit Public Key - 483E29910D4BA1C6AA61E28654E9FF2097B83217
Public Key Summary: Key Identifier: 48:3E:29:91:0D:4B:A1:C6:AA:61: E2:86:54:E9:FF:20:97:B8:32:17Name: Class 1 Public Primary Certification Authority - G2, (c) 1998 VeriSign, Inc. - For authorized use only, VeriSign Trust Network Received at FYIcenter.com on: 2016-09-20 2017-02-24, 1523👍, 1💬

💬 2017-02-24 Wes: 1024-bit keys are not secure any more.

RSA 2048-Bit Public Key - FBA33B6EC137E95605DA491620A39E0AA16287C7
Public Key Summary: Key Identifier: FB:A3:3B:6E:C1:37:E9:56:05:DA: 49:16:20:A3:9E:0A:A1:62:87:C7Name: VeriSign Class 2 Public Primary Certification Authority - G3 Received at FYIcenter.com on: 2016-09-20 2016-09-22, 1124👍, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.