aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJay Satiro <raysatiro@yahoo.com>2015-09-14 03:16:04 -0400
committerJay Satiro <raysatiro@yahoo.com>2015-09-14 03:16:04 -0400
commitb550a1c067c3240f820a33220571071d3efcbf9c (patch)
treeaff689034eae2a7a942d7fcffb1429c3bcd9fcf1
parent202162daeb8420641e28c0f05966932ecd94e468 (diff)
CURLOPT_PINNEDPUBLICKEY.3: Improve pubkey extraction example
- Show how a certificate can be obtained using OpenSSL. Bug: https://github.com/bagder/curl/pull/430 Reported-by: Daniel Hwang
-rw-r--r--docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.314
1 files changed, 14 insertions, 0 deletions
diff --git a/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 b/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
index e3de9f2a8..14c44daf5 100644
--- a/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
+++ b/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
@@ -59,10 +59,24 @@ if(curl) {
If you do not have the server's public key file you can extract it from the
server's certificate.
.nf
+# retrieve the server's certificate if you don't already have it
+#
+# be sure to examine the certificate to see if it is what you expected
+#
+# Windows-specific:
+# - Use NUL instead of /dev/null.
+# - OpenSSL may wait for input instead of disconnecting. Hit enter.
+# - If you don't have sed, then just copy the certificate into a file:
+# Lines from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.
+#
+openssl s_client -servername www.test.com -connect www.test.com:443 < /dev/null | sed -n "/-----BEGIN/,/-----END/p" > www.test.com.pem
+
# extract public key in pem format from certificate
openssl x509 -in www.test.com.pem -pubkey -noout > www.test.com.pubkey.pem
+
# convert public key from pem to der
openssl asn1parse -noout -inform pem -in www.test.com.pubkey.pem -out www.test.com.pubkey.der
+
# sha256 hash and base64 encode der to string for use
openssl dgst -sha256 -binary www.test.com.pubkey.der | openssl base64
.fi