I have a running Android application that implements Certificate Pinning with a SHA256 Pin. I use the https://www.ssllabs.com/ssltest tool to obtain that pin.

The current server certificate is about to expire, and a new certificate will be applied to the server. I need to generate the SHA256 Pin for the new certificate before it is applied to the server so that I can add it to the application and introduce it in an update.

I have the new certificate .crt file. Any idea how to generate the SHA256 key from the file? I have no access to the server, just the .crt file.

As per OkHttp's CertificatePinner documentation:

> SHA-256 or SHA-1 hashes. Each pin is a hash of a certificate's Subject Public Key Info, base64-encoded and prefixed with either sha256/ or sha1/.

Federico Navarrete
MohanadMohie
  • So why not do what the documentation you quoted says to do? You should also consider pinning the CA certificate so you don't have to keep updating your app. – President James K. Polk Jul 04 '18 at 13:39
  • 1
    @JamesKPolk I already tried doing that on the old certificate but I got a different key than the one I have. I'm foggy on how to do these steps and which String I should do the hashing on but I have attempted to do it on many values. The OpenSSL code worked for me though. Regarding the CA Certificate, does that mean the intermediate certificate? If so, I don't think that's possible in our case as we don't have a dedicated intermediate certificate. – MohanadMohie Jul 18 '18 at 10:44
  • [This](https://stackoverflow.com/questions/36163093/how-do-we-generate-a-base64-encoded-sha256-hash-of-subjectpublickeyinfo-of-an-x#answer-36186060) is what you're looking for. Make sure you have the latest version of `openssl` – madking Jul 04 '18 at 13:40

1 Answer


Try this command:

```shell
openssl x509 -in my-certificate.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```

Then use

`"sha256/" + ${output hash from the command line above}`

You will find more commands on the Public Key Pinning page at the Mozilla Developer Network.

obolsh
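The openssl pipeline in the answer hashes exactly one thing: the DER encoding of the certificate's SubjectPublicKeyInfo element (the point the asker was unsure about). The following Python script is an added example, not code from the question, the answer, or OkHttp; it uses only the standard library and walks the certificate's DER structure by hand to pull out that element, then produces the `sha256/...` pin. The certificate it ships with is a constructed fixture (a structurally valid X.509 DER with a fake RSA modulus and an all-zero signature) so the script runs offline; pass the path of a real `.crt` file as the first argument to pin that instead.

```python
"""Compute an OkHttp-style SPKI pin ("sha256/<base64>") from a .crt file.

Added example, not code from the question or the answer. Standard library only:
a minimal DER walker locates the SubjectPublicKeyInfo inside the certificate and
the pin is base64(SHA-256(SPKI DER)), the same bytes the openssl pipeline hashes.
"""
import base64
import hashlib
import re


def _der(tag, content):
    """Encode one DER element (lengths up to 65535 are enough for the fixture)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def _read_tlv(data, offset):
    """Decode the tag and length at `offset`; return (tag, content_start, content_end)."""
    tag = data[offset]
    first = data[offset + 1]
    offset += 2
    if first & 0x80:  # long form: low 7 bits give the number of length octets
        n = first & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    else:
        length = first
    return tag, offset, offset + length


def _children(data, start, end):
    """Yield (tag, element_start, content_start, content_end) for each child of a constructed node."""
    offset = start
    while offset < end:
        tag, c_start, c_end = _read_tlv(data, offset)
        yield tag, offset, c_start, c_end
        offset = c_end


def pem_to_der(cert):
    """Strip PEM armour from a .crt; DER input is returned unchanged."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", cert, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else cert


def extract_spki(cert_der):
    """Return the complete DER encoding of the certificate's SubjectPublicKeyInfo.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, body_start, body_end = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (undecoded PEM?)")
    tbs = next(_children(cert_der, body_start, body_end))
    fields = list(_children(cert_der, tbs[2], tbs[3]))
    if fields[0][0] == 0xA0:  # [0] EXPLICIT version is optional; drop it so indices line up
        fields = fields[1:]
    spki = fields[5]  # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    if spki[0] != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found where expected")
    return cert_der[spki[1]:spki[3]]  # header included: the hash covers the whole element


def spki_pin(cert):
    """OkHttp CertificatePinner pin for a PEM or DER certificate."""
    digest = hashlib.sha256(extract_spki(pem_to_der(cert))).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


# Constructed fixture: structurally valid X.509 DER with a fake RSA key and a
# zero signature. It is not a real certificate and cannot be used for TLS.
_ALG_RSA = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
_ALG_SIG = _der(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")  # sha256WithRSAEncryption
_RSA_KEY = _der(0x30, _der(0x02, b"\x00" + b"\xab" * 256) + _der(0x02, b"\x01\x00\x01"))
FIXTURE_SPKI = _der(0x30, _ALG_RSA + _der(0x03, b"\x00" + _RSA_KEY))  # BIT STRING, 0 unused bits
_NAME = _der(0x30, _der(0x31, _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, b"example.test"))))
_VALIDITY = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _ALG_SIG
            + _NAME + _VALIDITY + _NAME + FIXTURE_SPKI)
FIXTURE_CERT_DER = _der(0x30, _TBS + _ALG_SIG + _der(0x03, b"\x00" * 33))
FIXTURE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FIXTURE_CERT_DER)
                    + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. my-certificate.crt
    print(spki_pin(open(path, "rb").read()) if path else spki_pin(FIXTURE_CERT_PEM))
```

Because the pin covers only the public key, a renewed certificate issued for the same key pair yields the same pin, and only a key rotation changes it. When the key does change, keep both the old and the new pin in the app through the transition (OkHttp's CertificatePinner accepts several pins for one host pattern), so users who have not updated yet are not locked out on the day the server switches certificates.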