OpenSSL "x509 -pubout" - Export Public Key"


How to calculate the subject key identifier of a certificate uisng OpenSSL commands? I want to see if it matches the "X509v3 Subject Key Identifier" in the certificate.



Accoding to the RFC5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", the Subject Key Identifier is composed of the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits).

You can follow this definition and use OpenSSL commands to calculate the Subject Key Identifier from a certificate as shown in the test below:


OpenSSL> x509 -pubkey -in twitter.crt -noout > twitter_pub.key

OpenSSL> asn1parse -in twitter_pub.key
    0:d=0  hl=4 l= 290 cons: SEQUENCE
    4:d=1  hl=2 l=  13 cons: SEQUENCE
    6:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   17:d=2  hl=2 l=   0 prim: NULL
   19:d=1  hl=4 l= 271 prim: BIT STRING

OpenSSL> asn1parse -strparse 19 -in twitter_pub.key -out twitter_pub_key.bit
    0:d=0  hl=4 l= 266 cons: SEQUENCE
    4:d=1  hl=4 l= 257 prim: INTEGER           :C20898FA67000555B60B610E1AD7B58A
  265:d=1  hl=2 l=   3 prim: INTEGER           :010001

OpenSSL> dgst -sha1 twitter_pub_key.bit
SHA1(twitter_pub_key.bit)= 9f627bb2880eee1b79e06924e5ba3f47a60b02f0

OpenSSL> x509 -text -in twitter.crt -noout
            X509v3 Subject Key Identifier:

Notes about the test:

  • "x509 -pubkey ..." command extrats the public key from the certificate.
  • "asn1parse -in twitter_pub.key" command displays the public key file structure, showing that the "BIT STRING" value of the public key is at 0x19 offset position.
  • "asn1parse -strparse 19 ..." command extracts the "BIT STRING" value at 0x19 offset position and save it in file.
  • "dgst -sha1 ..." command gets the SHA-1 hash of the "BIT STRING" value.
  • "x509 -text ..." command displays details of the certificate including the Subject Key Identifier, which matches the SHA-1 hash from the "dgst -sha1 ..." command.

Note that not all certificates stores the Subject Key Identifier value.


OpenSSL "verify" Command

OpenSSL "x509 -pubkey" - Export Public Key"

OpenSSL "x509" Command

⇑⇑ OpenSSL Tutorials

2016-10-17, 5139👍, 0💬