Everything You Ever Wanted to Know About Digital Certificates, But Were Afraid To Ask …

And, so, yesterday, our cybersecurity students covered one of the most important areas of cybersecurity — and perhaps one of the least understood:

Digital certificates and trust

It’s a make-or-break time, and is the point at which students actually see how all the component parts of secure and trusted communications fit together. But are digital certificates well understood by many cybersecurity professionals and developers?

Overall, digital certificates — and the associated PKI (Public Key Infrastructure) — provide the root of trust on the Internet, and without them, we could trust very little on the Web. So, here’s a quick introduction:

The basics of public key encryption are not too difficult to understand: Bob creates a key pair, which is a public key and a private key. One key will encrypt, and the other will decrypt. And digital certificates, too, are actually not that difficult to understand.

Basically, if Alice (the client) connects to Bob (the server), then Bob passes his public key to Alice within a digital certificate. But how does Alice know that the public key contained within the digital certificate is a valid one, and is not a fake? Well, for this we have Trent, who is a trusted entity. Trent has a key pair: a public key and a private key. He takes Bob’s public key and then checks his identity. If everything is correct about Bob and his public key, then he signs the digital certificate with his private key. This creates a trusted certificate, which has been signed by Trent. This signature is a signed hash of the contents of the certificate.

Now, Alice has Trent’s public key on her system, so she checks the signature of the certificate with this key. If it is correct, then Alice can accept Bob’s public key. She can then use the public key contained in the trusted digital certificate to check any messages that are signed with Bob’s private key.

And so, at the root of PKI is Trent, whose public key is installed on Alice’s computer.
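
The exchange above can be reproduced with OpenSSL. This is an added example, not code from the original article: the file names, the subject names and the extra party Mallory (who issues a certificate for Bob's name under a CA that copies Trent's name but not his key) are constructed, and it assumes the openssl command with its default configuration file.

```shell
#!/bin/sh
# Added example: Trent, Mallory and Bob are constructed test identities.

# make_ca FILE CN: create a self-signed CA key (FILE.key) and certificate (FILE.pem).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue CA FILE CN: create a key pair and request for CN, signed with CA's private key.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -sha256 -days 30 -out "$2.pem" 2>/dev/null
}

# alice_trusts CERT: check CERT's signature chain with trent.pem as the trust
# anchor, ignoring the system CA directory.
alice_trusts() {
  openssl verify -no-CApath -CAfile trent.pem "$1" >/dev/null 2>&1
}

# alice_checks_msg FILE: verify msg.sig over FILE with the public key taken
# from Bob's certificate.
alice_checks_msg() {
  openssl x509 -in bob.pem -noout -pubkey > bob.pub
  openssl dgst -sha256 -verify bob.pub -signature msg.sig "$1" >/dev/null 2>&1
}

# run_demo: build both CAs and both certificates in a temp directory and
# print what Alice accepts.
run_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  make_ca trent "Trent Demo Root CA"
  make_ca mallory "Trent Demo Root CA"   # same name as Trent, different key pair
  issue trent bob bob.example
  issue mallory fake bob.example         # forged certificate for Bob's name
  echo "pay Alice 10" > msg.txt
  openssl dgst -sha256 -sign bob.key -out msg.sig msg.txt
  echo "pay Mallory 10" > tampered.txt
  for check in "alice_trusts bob.pem" "alice_trusts fake.pem" \
               "alice_checks_msg msg.txt" "alice_checks_msg tampered.txt"; do
    if $check; then echo "$check: accepted"; else echo "$check: rejected"; fi
  done
  cd / && rm -rf "$d"
)

run_demo
```

The forged certificate names the same issuer as Bob's real one, so it is the signature check against Trent's public key, not the issuer name, that makes Alice reject it.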

PEM and DER

The two main formats that we use are PEM and DER. PEM is a text format, where we see the certificate in a distributable Base64 form. Here is the RBS certificate file in a PEM format:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

We can then convert this to a DER (Distinguished Encoding Rules) format.

The typical extension we use for the DER format is “.CER”. This will be in a binary format, and thus non-viewable as text. To actually interpret it, we can convert it into a hex format (such as with the xxd utility).
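
How the two formats relate can be checked directly: the PEM body is the Base64 of the DER octets, and the first DER octets give the size of the whole certificate. This is an added example, not code from the original article; the function names and the self-signed demo.example certificate are constructed, while the octet strings passed to der_total_len in the comments are the ones that appear in the RBS certificate on this page.

```shell
#!/bin/sh
# Added example; demo.pem is a constructed self-signed certificate.

# pem_to_der FILE: strip the BEGIN/END lines and Base64-decode the body.
pem_to_der() {
  grep -v -- '-----' "$1" | base64 -d
}

# der_total_len HEX: total size in octets of a DER element, given its first
# octets in hex (tag octet, length octets). Spaces are ignored.
der_total_len() {
  hex=$(printf '%s' "$1" | tr -d ' \n')
  first=$((0x$(printf '%s' "$hex" | cut -c3-4)))
  if [ "$first" -lt 128 ]; then      # short form: one octet holds the length
    echo $((2 + first))
    return 0
  fi
  n=$((first - 128))                 # long form: n further length octets
  [ "$n" -ge 1 ] || return 1         # 0x80 (indefinite length) is not valid DER
  len=$((0x$(printf '%s' "$hex" | cut -c5-$((4 + 2 * n)))))
  echo $((2 + n + len))
}

# pem_body_is_der: true when the hand-decoded PEM body equals openssl's own
# DER output and the outer SEQUENCE header accounts for every octet.
pem_body_is_der() (
  d=$(mktemp -d) && cd "$d" || exit 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
    -keyout demo.key -out demo.pem 2>/dev/null
  pem_to_der demo.pem > by_hand.der
  openssl x509 -in demo.pem -outform DER -out by_openssl.der
  cmp -s by_hand.der by_openssl.der || exit 1
  header=$(od -An -tx1 -N4 by_hand.der | tr -d ' \n')
  [ "$(der_total_len "$header")" -eq "$(($(wc -c < by_hand.der)))" ]
)

der_total_len "3082 07d0"   # first octets of the RBS certificate
pem_body_is_der && echo "PEM body decodes to the same DER octets"
```

For the RBS certificate the outer header 30 82 07 d0 is a SEQUENCE with a two-octet length of 0x07d0, so the certificate is 4 + 2000 = 2004 octets long.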

When we view the certificate from a Web site in our browser, we can see the various information fields.

In this case, we see the high-level details of the certificate, along with the details of the intermediary signing CA (Certificate Authority) and the root CA. These define the chain of trust, and should lead from the certificate up to the root CA.

Getting some certificates

So let’s grab some certificates, and examine them. For this, we can use OpenSSL to create a connection with a site and then download a PEM file. After this we can then convert this PEM file into a CER file:

openssl s_client -connect google.com:443 -showcerts < /dev/null | openssl x509 -outform pem > google.pem
openssl x509 -inform PEM -in google.pem -outform DER -out google.cer

openssl s_client -connect microsoft.com:443 -showcerts < /dev/null | openssl x509 -outform pem > microsoft.pem
openssl x509 -inform PEM -in microsoft.pem -outform DER -out microsoft.cer

openssl s_client -connect intel.com:443 -showcerts < /dev/null | openssl x509 -outform pem > intel.pem
openssl x509 -inform PEM -in intel.pem -outform DER -out intel.cer

openssl s_client -connect oracle.com:443 -showcerts < /dev/null | openssl x509 -outform pem > oracle.pem
openssl x509 -inform PEM -in oracle.pem -outform DER -out oracle.cer

openssl s_client -connect bbc.co.uk:443 -showcerts < /dev/null | openssl x509 -outform pem > bbc.pem
openssl x509 -inform PEM -in bbc.pem -outform DER -out bbc.cer

openssl s_client -connect bt.com:443 -showcerts < /dev/null | openssl x509 -outform pem > bt.pem
openssl x509 -inform PEM -in bt.pem -outform DER -out bt.cer

openssl s_client -connect napier.ac.uk:443 -showcerts < /dev/null | openssl x509 -outform pem > napier.pem
openssl x509 -inform PEM -in napier.pem -outform DER -out napier.cer

openssl s_client -connect facebook.com:443 -showcerts < /dev/null | openssl x509 -outform pem > facebook.pem
openssl x509 -inform PEM -in facebook.pem -outform DER -out facebook.cer

openssl s_client -connect instagram.com:443 -showcerts < /dev/null | openssl x509 -outform pem > instagram.pem
openssl x509 -inform PEM -in instagram.pem -outform DER -out instagram.cer

openssl s_client -connect whatsapp.com:443 -showcerts < /dev/null | openssl x509 -outform pem > whatsapp.pem
openssl x509 -inform PEM -in whatsapp.pem -outform DER -out whatsapp.cer

openssl s_client -connect rbs.co.uk:443 -showcerts < /dev/null | openssl x509 -outform pem > rbs.pem
openssl x509 -inform PEM -in rbs.pem -outform DER -out rbs.cer

openssl s_client -connect walmart.com:443 -showcerts < /dev/null | openssl x509 -outform pem > walmart.pem
openssl x509 -inform PEM -in walmart.pem -outform DER -out walmart.cer

openssl s_client -connect amazon.com:443 -showcerts < /dev/null | openssl x509 -outform pem > amazon.pem
openssl x509 -inform PEM -in amazon.pem -outform DER -out amazon.cer

We can then use the following commands to view the details of the certificate:

openssl x509 -in rbs.pem -noout -issuer
openssl x509 -in rbs.pem -noout -dates
openssl x509 -in rbs.pem -noout -fingerprint
openssl x509 -in rbs.pem -noout -serial
openssl x509 -in rbs.pem -noout -pubkey
openssl x509 -in rbs.pem -noout -ext subjectAltName
openssl x509 -in rbs.pem -outform der | xxd -l 100

Now, if we run these for the RBS certificate, we get:

== Subject (openssl x509 -in rbs.pem -noout -subject)
subject=C = GB, ST = Midlothian, L = Edinburgh, O = Natwest Group Plc, CN = rbs.co.uk

== Issuer (openssl x509 -in rbs.pem -noout -issuer)
issuer=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA

== Dates (openssl x509 -in rbs.pem -noout -dates)
notBefore=Aug 5 00:00:00 2022 GMT
notAfter=Aug 27 23:59:59 2023 GMT

== Fingerprint (openssl x509 -in rbs.pem -noout -fingerprint)
SHA1 Fingerprint=FE:25:74:35:0D:37:01:45:5A:82:54:10:13:36:35:7A:BF:7D:B0:52

== Serial (openssl x509 -in rbs.pem -noout -serial)
serial=5474F880936F98D03B4FE502827531B5

== Public Key (openssl x509 -in rbs.pem -noout -pubkey)
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuyYL+IpJMxHgi2Zf6st/
o6+5rqk0XBxP5KOj1N3Rny2Uelrpn3MhcXfkn7N4cRZZ4us3ZmYgUcek2dqBfIJ1
ygaISs9OQ9l8+sCSh66YdpJ4rSQAULpyvBeBEpEa5M/cblswFHezU/pzth+VKIpp
+S/XzBwq5ozGmVPGDO9J4hSMIQ9GFFfhyOUKurVshhuvFyBBBw/AoOklquFN6ebc
DzCUgGuS/no+k3Lf62jw9cwp/d2MMT7nqafSF/k0wbVjpSNeei9CcWane9RYc30T
PgjHxpb/Nx34Od8fdVnKGtzxDM7NobY2M4Sj0eqAhhOikFDxct2DIDrt0LQBCL9s
rwIDAQAB
-----END PUBLIC KEY-----

== DER only showing first 100 octets (openssl x509 -in rbs.pem -outform der | xxd -l 100)
00000000: 3082 07d0 3082 06b8 a003 0201 0202 1054 0...0..........T
00000010: 74f8 8093 6f98 d03b 4fe5 0282 7531 b530 t...o..;O...u1.0
00000020: 0d06 092a 8648 86f7 0d01 010b 0500 3081 ...*.H........0.
00000030: 9631 0b30 0906 0355 0406 1302 4742 311b .1.0...U....GB1.
00000040: 3019 0603 5504 0813 1247 7265 6174 6572 0...U....Greater
00000050: 204d 616e 6368 6573 7465 7231 1030 0e06 Manchester1.0..
00000060: 0355 0407 .U..

== Subject Alt Name (openssl x509 -in rbs.pem -noout -ext subjectAltName)
X509v3 Subject Alternative Name:
DNS:rbs.co.uk, DNS:holtsmilitarybank.co.uk, DNS:holtsmilitarybanking.co.uk, DNS:holtsmilitarybanking.com, DNS:mint.co.uk, DNS:rbsif.co.uk, DNS:www.holtsmilitarybank.co.uk, DNS:www.holtsmilitarybanking.co.uk, DNS:www.holtsmilitarybanking.com, DNS:www.mint.co.uk, DNS:www.rbs.co.uk, DNS:www.rbsif.co.uk

== Purpose (openssl x509 -in rbs.pem -noout -purpose)
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

Well, that was just a starting point, so if you want to learn more, try here:

https://asecuritysite.com/digitalcert

and learn more about OpenSSL here:

https://asecuritysite.com/openssl