Digital CertificatesDigital certificates are used to carry the public/private key (which is kept secret). They are typically used to store the key pair, or, once the private key is stripped-off, they are used to authenticate an entity (by gaining access to the public key). The typical formats are IKE; - PKCS #; - PKCS #10; and X.509v3 certificates. To load the certificate press the button. The results are then:
|
Extracting files
The commands used to download the certificates is:
openssl s_client -connect google.com:443 -showcerts < /dev/null | openssl x509 -outform pem > google.pem openssl x509 -inform PEM -in google.pem -outform DER -out google.cer openssl s_client -connect microsoft.com:443 -showcerts < /dev/null | openssl x509 -outform pem > microsoft.pem openssl x509 -inform PEM -in microsoft.pem -outform DER -out microsoft.cer openssl s_client -connect intel.com:443 -showcerts < /dev/null | openssl x509 -outform pem > intel.pem openssl x509 -inform PEM -in intel.pem -outform DER -out intel.cer openssl s_client -connect microsoft.com:443 -showcerts < /dev/null | openssl x509 -outform pem > microsoft.pem openssl x509 -inform PEM -in microsoft.pem -outform DER -out microsoft.cer openssl s_client -connect oracle.com:443 -showcerts < /dev/null | openssl x509 -outform pem > oracle.pem openssl x509 -inform PEM -in oracle.pem -outform DER -out oracle.cer
That most of the public keys defined are created with the DER format, and which start with "30", such as:
3082010A0282010100C402A7679C25031E437A69ADB557D488DE706CE7FDDE4B1815012F6BD5E3F99D610E4BE2CF29381FA085349FE1356BD80F5D09870EEF625DEBF99B9836913A752927427B624D07AE3CDE222F73B931C8C327C5FBCA4F442CAE57730C778964BE8FA05626BBB54A94B2D08B61713CF4249B8279AA5CD4941ED186B723D8488CCF54F9D4189CE174D754E32C463D7EFC144B77CC0316A2686BC7E35B5C8929189C5DC42EADA955DF1526B9B086DE1CB591EBF68BB2E6C27DD8C6AF6E72CC84E98B3534B02443DB2CCF37CB03A87F5610189BDAE1ACCBB3DDB89AD86D3C396F3D935229A361BD46A25171616484B4A63B27D71FBF3A775202DC5E906F53556980690203010001
If we parse the DER format we get [here]:
==Sequence== Integer (02): 0xc402a7679c25031e437a69adb557d488de706ce7fdde4b1815012f6bd5e3f99d610e4be2cf29381fa085349fe1356bd80f5d09870eef625debf99b9836913a752927427b624d07ae3cde222f73b931c8c327c5fbca4f442cae57730c778964be8fa05626bbb54a94b2d08b61713cf4249b8279aa5cd4941ed186b723d8488ccf54f9d4189ce174d754e32c463d7efc144b77cc0316a2686bc7e35b5c8929189c5dc42eada955df1526b9b086de1cb591ebf68bb2e6c27dd8c6af6e72cc84e98b3534b02443db2ccf37cb03a87f5610189bdae1accbb3ddb89ad86d3c396f3d935229a361bd46a25171616484b4a63b27d71fbf3a775202dc5e906f5355698069 Integer (02): 0x10001
and where the first integer is the public modulus (N) and the second is the public exponent (e).
This is for RSA keys. For an ECC key, as used by Google, we get:
04EDD50D3BB14445E7657A53C01227424F808C3212B2F00F7E96527B8764353C30268DB6B10EC8FA3DCD5953B6D4F1EA551043B7E6F4F3312803415C5DC2E06F17
This is a pure uncompressed elliptic curve point.
Self signed certificate
The certificate is self-signed (for testing) using: [Abylon]
These are exchanged at the start of a conversion to authenticate each device. A key factor to integrated security is the usage of digital certificates. These are an excellent way of distributing the public key of the owner. The file used is typically in the form of X.509 certificate files. The standard output is in a binary format, but a base-64 conversion can be used, such as for the following:
-----BEGIN CERTIFICATE-----
MIICpDCCAg2gAwIBAgIDcClYMA0GCSqGSIb3DQEBBQUAMIGDMQswCQYDVQQGEwJH QjEQMA4GA1UECBMHTG90aGlhbjESMBAGA1UEBxMJRWRpbmJ1cmdoMRAwDgYDVQQK
EwdOb3doZXJlMRgwFgYJKoZIhvcNAQkBFglmcmVkQGhvbWUxDTALBgNVBAsTBE5v bmUxEzARBgNVBAMTCkZyZWQgU21pdGgwHhcNMDgwNDI0MjAxODQyWhcNMTAwNDI0
MjAxODQyWjCBgzELMAkGA1UEBhMCR0IxEDAOBgNVBAgTB0xvdGhpYW4xEjAQBgNV BAcTCUVkaW5idXJnaDEQMA4GA1UEChMHTm93aGVyZTEYMBYGCSqGSIb3DQEJARYJ
ZnJlZEBob21lMQ0wCwYDVQQLEwROb25lMRMwEQYDVQQDEwpGcmVkIFNtaXRoMIGf MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKYvs5qaYqeNsUT2r44YyQvKiX9XQu
yyeQI/P4gF7lpnNSpPhZwQ7iGFSiztjU1XmYwLd7arQV6BdI0jpW6j2d7PI1KqWI d+u63mXcAibMDNFuwpusB+C4vJTm/h4wd6q3rwUc5k+U6iz65lvhzXbXGBpyvU1+
RpqPerAU9eXx4QIDAQABoyQwIjAgBglghkgBhvhCAQwEExYRd3d3LmFieWxvbnNv ZnQuZGUwDQYJKoZIhvcNAQEFBQADgYEAr+G3z6hmMkoiiTHjBVqJJYefrUAb7Dty
tOciUWJY2e0wipderAZ/0TFeIM73V3XsgItp/quwTcSn2UMVJv31iSarvyMK/eEK ldot4LL4kSFe0BZonlPlKmlbCl4C5nmlR+3VwCZquw9Jtuw/syHy6fKt8KbkDnnm
YxiXa6psvaQ=
-----END CERTIFICATE-----
Details
The CER file format is useful in importing and exporting single certificates, while other formats such as the Cryptographic Message Syntax Standard – PCKS #7 Certificates (.P7B), and Personal Information Exchange – PKCS #12 (.PFX, .P12) can be used to transfer more than one certificate. The main information for a distributable certificate will thus be:
• The entity’s public key (Public key).
• The issuer’s name (Issuer).
• The serial number (Serial number).
• Start date of certificate (Valid from).
• End date of certificate (Valid to).
• The subject (Subject).
• CRL Distribution Points (CRL Distribution Points).
• Authority Information (Authority Information Access). This will be shown when the recipient is prompted to access the certificate, or not.
• Thumbprint algorithm (Thumbprint algorithm). This might be MD5, SHA1, and so on.
• Thumbprint (Thumbprint).
Code used
public void showCer(string f) { X509Certificate cer; cer = X509Certificate.CreateFromCertFile(f); hash1 = cer.GetSerialNumberString(); hash2 = cer.GetEffectiveDateString(); hash3 = cer.Subject; hash4 = cer.GetPublicKeyString(); hash5 = cer.GetKeyAlgorithm(); hash6 = cer.Issuer; StreamReader re; try { re = File.OpenText( f); } catch (Exception exc) { re = File.OpenText("c:\\fred.cer"); } string input = null, str = ""; while ((input = re.ReadLine()) != null) { str += input + "\r\n"; } hash7 = str; }