15

I have a certificate mycert.pem . I got the public key of the certificate by command:

openssl x509 -pubkey -noout -in mycert.pem  > pubkey.pem

How can I get the SHA256 hash of the public key?

Leem
  • 17,220
  • 36
  • 109
  • 159
  • 2
    See https://stackoverflow.com/questions/9607295/calculate-rsa-key-fingerprint for obtaining the SHA256 of a public key if it's not in a `.pem` file. – aleb Apr 01 '20 at 11:47

3 Answers3

18

You can use ssh-keygen. Convert file format first

ssh-keygen -i -m PKCS8 -f pubkey.pem > NEWpubkey.pem

Next get the fingerprint

ssh-keygen -lf NEWpubkey.pem

Get type inference

2048 SHA256:hYAU9plz1WZ+H+eZCushetKpeT5RXEnR8e5xsbFWRiU no comment (RSA)

uanr81
  • 309
  • 2
  • 10
  • Hm. Interesting, I don't get the same results via `ssh-keygen` as via `openssl` (or the very clever approach shown by @just-be-happy) — I wonder why that is. – Gwyneth Llewelyn Jun 03 '23 at 16:10
8

The openssl -pubkey outputs the key in PEM format (even if you use -outform DER).

Assuming you have a RSA public key, you have to convert the key in DER format (binary) and then get its hash value:

 openssl rsa -in pubkey.pem -pubin -outform der | openssl dgst -sha256
oliv
  • 12,690
  • 25
  • 45
  • @Leem Are you sure you executed the command in the same folder where the file `pubkey.pem` was created? – oliv Mar 19 '18 at 14:45
  • Yes, I am sure. It also output`routines:PEM_read_bio:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/pem/pem_lib.c:704` – Leem Mar 19 '18 at 14:51
  • Hmm... actually, the problem is the certificate and public key I generated has 0 size. Something wrong there.... – Leem Mar 19 '18 at 14:53
  • @Leem So this means that the command `openssl x509 -pubkey -noout -in mycert.pem` didn' t work. Please fix your certificate and give feedback on the command I posted, – oliv Mar 19 '18 at 15:20
  • I am fixing it, will get back to you here. Thanks! – Leem Mar 19 '18 at 15:30
1

You can try directly decode public key with base64, then pipe to shasum -a256or openssl sha256 to get the hash you want:

sed '1d;$d' ./pubkey.pem | base64 -D | openssl sha256 # or shasum -a256

If you use command question mentioned to output pubkey.pem like:

-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----

You need strip first and last line in advance like sed '1d;$d'.

Then we use base64 -d or -D to decode (default to stdout) and pipe to openssl sha256.

All in one command:

sed '1d;$d' <(openssl x509 -pubkey -noout -in mycert.pem) | base64 -D | openssl sha256
Just be happy
  • 364
  • 3
  • 5
  • Heh. Magic! :-) In my case, I didn't have a _full certificate_ — but just the public key! — and `openssl` complained and grumbled but spewed something out. Not by coincidence, it was exactly the same SHA256 as produced with your (adapted) command: `cat mypubkey.pem | sed '1d;$d' | base64 -d | shasum -a256`. (or `sha256sum -b` — same thing). "Hey Ma! No `openssl` command!" – Gwyneth Llewelyn Jun 03 '23 at 16:15