Thumbprint Publickey
Brought to you by:
chris2511
Dear Christian,
Thanks for this excellent tool. For public key pinning checks, I need the possibility to show the thumbprint of the public key.
openssl x509 -in certificate.crt -pubkey -noout
openssl req -in signing-request.csr -pubkey -noout
openssl rsa -in rsa-key-file.key -pubout
If you could add this functionality this would be great!
Best Regards
silv3r23
Certificates and requests allow to "Transform->public key" in the context menu.
(I wanted to link to the documentation, but this is poorly documented. Will fix it)
"Transform->public key" will take the public key and create a new item in the "Private Keys" tab.
If the option is greyed out then there is already a matching key in the "Private keys" tab.
And the keys (public (transformed from the CSR or certificate) as well as private) allow to "Export -> Clipboard or File" and select "PEM public"
Which is exactly what the commands mentioned by you above will print.
XCA can do more for you:
If you only want to check that "certificate.crt", "signing-request.csr" and "rsa-key-file.key" are using the same key, it is even more simple:
* Import all of them into XCA. (simply drag and drop all 3 files at once onto XCA)
* Give the key a good name in the private keys tab (or transform it from the cert or request if the rsa-key-file.key is not at hand.)
* Double click the request and certificate and both will show the key name in the details dialog.
* The key will show a use counter of 2 (if the cert and req are the only items using this key)
To find all items using the same public key you may show the "Key name" column in the certificate and CSR tabs by right-clicking the table header and selecting "Key name" in the context menu. Clicking that column will sort the CSR/certificate list by the key name. (Selecting "Plain View" for the certificates is helpful to see all certs.)
If the key name for a CSR is empty you may (you guessed it already) transform it from the CSR/cert.
For fingerprinting the Modulus (in case of RSA keys) can be used. Just double click the key and copy/compare the modulus.
This is what you asked for, right?
Hello Christian,
thanks for your quick answer! I checked this and your steps are correct.
My wish is that I could quickly verify, if a certificate has been renewed with the same private key and CSR, that the public key matches. Actually I can only see if the private key is the same, but when someone used a new CSR the public key will not match and XCA won't show me this before I would delete the private key and transform a public key from the certificate? I didn't find a way to display which CSR has been used. A small info like the fingerprints, which shows a hash of the public key, would be wonderful in a next release.
Regards,
silv3r23
Hi Christian,
Great that one can work also on the public key without the certificate extra data.
I would need the SHA256 fingerprint of the public key.
How can I see that with XCA?
see also https://github.com/chris2511/xca/issues/104
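For the SHA-256 public-key fingerprint asked about in this thread, an added example (not part of the thread and not XCA code): shell functions built on the `openssl` commands from the first post that hash the DER-encoded public key of a certificate, CSR or key and compare the results. The function names, file names and the `demo.example` CN are assumptions; the sample files are throwaway ones the script generates itself.

```sh
#!/bin/sh
# Added example: SHA-256 thumbprint of the public key (DER SubjectPublicKeyInfo).

# spki_fp cert|csr|key FILE -> hex SHA-256 of the item's public key
spki_fp() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) ;;
        csr)  pem=$(openssl req -in "$2" -pubkey -noout 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;  # any key type, not only RSA
        *)    echo "usage: spki_fp cert|csr|key FILE" >&2; return 2 ;;
    esac
    # Without this check a parse failure would hash empty input and every
    # broken file would appear to share one "fingerprint".
    [ -n "$pem" ] || { echo "spki_fp: no public key in $2" >&2; return 1; }
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_key KIND FILE [KIND FILE ...] -> 0 if all items carry the same public key
same_key() {
    ref=""
    while [ $# -ge 2 ]; do
        fp=$(spki_fp "$1" "$2") || return 2
        ref=${ref:-$fp}
        [ "$fp" = "$ref" ] || return 1
        shift 2
    done
    [ -n "$ref" ]
}

# make_demo DIR: constructed throwaway files (hypothetical CN demo.example)
make_demo() {
    openssl genrsa -out "$1/a.key" 2048 2>/dev/null
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null
    openssl req -new -key "$1/a.key" -subj "/CN=demo.example" -out "$1/a.csr" 2>/dev/null
    openssl req -new -x509 -key "$1/a.key" -subj "/CN=demo.example" -days 1 \
        -out "$1/a.crt" 2>/dev/null
    # A "renewal" that was issued for a different key pair
    openssl req -new -x509 -key "$1/b.key" -subj "/CN=demo.example" -days 1 \
        -out "$1/renewed.crt" 2>/dev/null
}

d=$(mktemp -d)
make_demo "$d"
same_key cert "$d/a.crt" csr "$d/a.csr" key "$d/a.key" && echo "cert, CSR and key match"
same_key cert "$d/a.crt" cert "$d/renewed.crt" || echo "renewed cert uses a different key"
rm -rf "$d"
```

Because the hash covers only the public key, a renewed certificate keeps the same fingerprint as long as the key pair is unchanged, which is the property a pinning check relies on.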