OpenSSL "x509 -pubout" - Export Public Key
How to calculate the subject key identifier of a certificate using OpenSSL commands? I want to see if it matches the "X509v3 Subject Key Identifier" in the certificate.
✍: FYIcenter.com
According to RFC 5280, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", the Subject Key Identifier is composed of the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits).
You can follow this definition and use OpenSSL commands to calculate the Subject Key Identifier from a certificate as shown in the test below:
C:\Users\fyicenter>\local\OpenSSL\openssl
OpenSSL> x509 -pubkey -in twitter.crt -noout > twitter_pub.key

OpenSSL> asn1parse -in twitter_pub.key
    0:d=0  hl=4 l= 290 cons: SEQUENCE
    4:d=1  hl=2 l=  13 cons: SEQUENCE
    6:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   17:d=2  hl=2 l=   0 prim: NULL
   19:d=1  hl=4 l= 271 prim: BIT STRING

OpenSSL> asn1parse -strparse 19 -in twitter_pub.key -out twitter_pub_key.bit
    0:d=0  hl=4 l= 266 cons: SEQUENCE
    4:d=1  hl=4 l= 257 prim ...
    ...d=1  hl=2 l=   3 prim: INTEGER           :010001

OpenSSL> dgst -sha1 twitter_pub_key.bit
SHA1(twitter_pub_key.bit)= 9f627bb2880eee1b79e06924e5ba3f47a60b02f0

OpenSSL> x509 -text -in twitter.crt -noout
...
    X509v3 Subject Key Identifier:
        9F:62:7B:B2:88:0E:EE:1B:79:E0:69:24:E5:BA:3F:47:A6:0B:02:F0
...
Notes about the test:
Note that not all certificates store the Subject Key Identifier value.
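The same calculation as an added Python example (not code from the original page): it walks the DER SubjectPublicKeyInfo, drops the BIT STRING tag, length and unused-bits octet as RFC 5280 specifies, and SHA-1 hashes what remains. The function names and the toy RSA key are constructed for illustration; real input would be the base64-decoded body of a file like twitter_pub.key.

```python
import hashlib

# Constructed sample: DER SubjectPublicKeyInfo for a toy RSA key
# (modulus 0xC1A7, exponent 65537). Not a real key.
SAMPLE_SPKI = bytes.fromhex(
    "301e"                              # SEQUENCE SubjectPublicKeyInfo
    "300d06092a864886f70d0101010500"    # AlgorithmIdentifier: rsaEncryption, NULL
    "030d00"                            # BIT STRING header + unused-bits octet
    "300a020300c1a70203010001"          # RSAPublicKey { modulus, exponent }
)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                    # short form: length fits in one octet
        length, start = first, pos + 2
    else:                               # long form: next n octets hold the length
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, start, start + length

def subject_public_key_bits(spki):
    """Return the subjectPublicKey BIT STRING value without its unused-bits octet."""
    tag, start, _ = read_tlv(spki, 0)                # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    tag, _, alg_end = read_tlv(spki, start)          # AlgorithmIdentifier, skipped
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier SEQUENCE missing")
    tag, bs_start, bs_end = read_tlv(spki, alg_end)  # subjectPublicKey
    if tag != 0x03 or bs_end == bs_start:
        raise ValueError("subjectPublicKey BIT STRING missing")
    return spki[bs_start + 1:bs_end]                 # drop the unused-bits octet

def subject_key_identifier(spki):
    """SHA-1 of the key bits, formatted like the 'openssl x509 -text' output."""
    digest = hashlib.sha1(subject_public_key_bits(spki)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

if __name__ == "__main__":
    print(subject_key_identifier(SAMPLE_SPKI))
```

The bytes returned by `subject_public_key_bits` correspond to what `asn1parse -strparse 19 ... -out` writes to twitter_pub_key.bit in the session above.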
2016-10-17