@vaibhavpandeyvpz
Last active October 6, 2021 06:34
Generate SHA-256 hashes from SSL's chain of trust for a domain.
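#!/bin/bash
# Fetch the certificate chain the server presents (SNI set to the same host name).
CERTIFICATES=$(openssl s_client -servername "$1" -host "$1" -port 443 -showcerts </dev/null 2>/dev/null | sed -n '/Certificate chain/,/Server certificate/p')
CURSOR=$CERTIFICATES
while [[ "$CURSOR" =~ '-----BEGIN CERTIFICATE-----' ]]
do
  # Take everything up to the first END marker, then advance the cursor past it.
  CERTIFICATE="${CURSOR%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----"
  CURSOR=${CURSOR#*-----END CERTIFICATE-----}
  # Print the subject ("s:") line that s_client emits above each certificate.
  echo $(echo "$CERTIFICATE" | grep 's:' | sed 's/.*s:\(.*\)/\1/')
  # SHA-256 over the DER-encoded public key, Base64 encoded.
  # "openssl pkey" handles RSA and EC keys; "openssl rsa" fails on non-RSA keys and the digest is then taken over empty input.
  echo "$CERTIFICATE" | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der 2>/dev/null | openssl dgst -sha256 -binary | openssl enc -base64
done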

Usage

This script prints the Base64-encoded SHA-256 hashes of the public keys in the leaf & intermediate SSL certificates present in a domain's chain of trust. To use it, save the certificates.sh file in a folder, open Terminal there and run the commands below:

chmod +x certificates.sh
./certificates.sh example.org

It will print output like the following:

C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, CN = www.example.org
mM294xslEgmvDODAxWWH2DeH4/bNgPBpgZvd7SfciuA=
C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
RQeZkB42znUfsDIIFWIRiYEcKl7nHwNFwWCrnMMJbVc=
C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=

dev1983 commented Mar 17, 2021

My server returned two values after running the script. Which one should I use, and which value is it, SHA1 or SHA256?

CN = example.com
Fma2CS/XXXXXXXXXXXXXXXXXXXXXXXXXX=
C = US, O = Let's Encrypt, CN = R3
XXXXXXXXXXXXXXXXXXXXXXXXX/XXXXXXXX=
