[openssl-dev] [openssl.org #3954] Enhancement suggestion: extend x509(1) with -key-fingerprint
Steffen Nurpmeso via RT
rt at openssl.org
Thu Jul 23 12:10:44 UTC 2015
Hello,
for certificates which get renewed -- mine do twice a year, for
example -- the fingerprint changes
?0[tmp]$ openssl x509 -fingerprint -noout < cert.old
SHA1 Fingerprint=00:10:F0:2C:EA:50:1F:11:FE:8D:CC:A0:A9:40:91:A2:D0:4D:65:4E
?0[tmp]$ openssl x509 -fingerprint -noout < cert.crt
SHA1 Fingerprint=77:E3:10:F0:3B:D9:1E:1F:29:B0:83:74:50:29:67:E4:04:B2:53:B1
Of course if you have the CA's certificate you can verify the
validity of the above, but if I change the CA you need to get that
one etc. I may also change to a self-signed CA. Imagine I need
to renew my certificate, switch the CA and use sk_X509_push() to
include the new root certificate that signed my updated
certificate with my .p7s. The receiver will (possibly) get
a verification failure, but if there were an easy way
to verify the fingerprint of the public key he or she would be
able to verify that only the certificate changed, not the key:
?0[tmp]$ openssl x509 -pubkey -noout < cert.old|
> openssl rsa -pubin -outform der|
> openssl sha1
writing RSA key
(stdin)= 0e349338a3baf9f1edf176dd02151939a31ebb79
?0[tmp]$ openssl x509 -pubkey -noout < cert.crt|
> openssl rsa -pubin -outform der|
> openssl sha1
writing RSA key
(stdin)= 0e349338a3baf9f1edf176dd02151939a31ebb79
In the end the key is an authority by itself, no?
--steffen
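As an added example (not part of the original post and not OpenSSL's own code), the comparison described above as shell functions: the SubjectPublicKeyInfo fingerprint is computed with `openssl pkey` instead of `openssl rsa` so it also works for EC keys, and the script builds its own throw-away key and certificates in a temporary directory instead of the poster's cert.old/cert.crt. It assumes the openssl(1) CLI is on PATH.

```shell
#!/bin/sh
# Added example: compare certificate fingerprints vs. public-key (SPKI)
# fingerprints across a certificate renewal. Assumes openssl(1) is on PATH.

# SHA-256 over the DER SubjectPublicKeyInfo carried in a certificate.
# `openssl pkey` handles RSA and EC keys alike; the "writing RSA key"
# chatter on stderr is discarded. Output: lowercase hex digest.
spki_fingerprint() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# What `x509 -fingerprint` prints (hash of the whole DER certificate),
# normalised to lowercase hex without colons so the two are comparable.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
      | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Constructed test material (assumed names): one key with two self-signed
# certificates (a "renewal" with a new serial and validity), plus one
# certificate for a different key for contrast. Sets DEMO_DIR.
setup_demo() {
    DEMO_DIR=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$DEMO_DIR/key.pem" 2>/dev/null
    openssl req -new -x509 -key "$DEMO_DIR/key.pem" -subj "/CN=example.invalid" \
        -days 180 -set_serial 1 -out "$DEMO_DIR/cert.old" 2>/dev/null
    openssl req -new -x509 -key "$DEMO_DIR/key.pem" -subj "/CN=example.invalid" \
        -days 365 -set_serial 2 -out "$DEMO_DIR/cert.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$DEMO_DIR/other.pem" 2>/dev/null
    openssl req -new -x509 -key "$DEMO_DIR/other.pem" -subj "/CN=example.invalid" \
        -days 365 -set_serial 3 -out "$DEMO_DIR/other.crt" 2>/dev/null
}

# Print both fingerprints for each certificate: the certificate hashes
# differ after renewal, the SPKI hashes of cert.old and cert.crt match.
demo() {
    setup_demo
    for c in cert.old cert.crt other.crt; do
        printf '%s\n  cert: %s\n  spki: %s\n' "$c" \
            "$(cert_fingerprint "$DEMO_DIR/$c")" "$(spki_fingerprint "$DEMO_DIR/$c")"
    done
}

demo
```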