From b550a1c067c3240f820a33220571071d3efcbf9c Mon Sep 17 00:00:00 2001 From: Jay Satiro Date: Mon, 14 Sep 2015 03:16:04 -0400 Subject: CURLOPT_PINNEDPUBLICKEY.3: Improve pubkey extraction example - Show how a certificate can be obtained using OpenSSL. Bug: https://github.com/bagder/curl/pull/430 Reported-by: Daniel Hwang --- docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 b/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 index e3de9f2a8..14c44daf5 100644 --- a/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 +++ b/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 @@ -59,10 +59,24 @@ if(curl) { If you do not have the server's public key file you can extract it from the server's certificate. .nf +# retrieve the server's certificate if you don't already have it +# +# be sure to examine the certificate to see if it is what you expected +# +# Windows-specific: +# - Use NUL instead of /dev/null. +# - OpenSSL may wait for input instead of disconnecting. Hit enter. +# - If you don't have sed, then just copy the certificate into a file: +# Lines from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----. +# +openssl s_client -servername www.test.com -connect www.test.com:443 < /dev/null | sed -n "/-----BEGIN/,/-----END/p" > www.test.com.pem + # extract public key in pem format from certificate openssl x509 -in www.test.com.pem -pubkey -noout > www.test.com.pubkey.pem + # convert public key from pem to der openssl asn1parse -noout -inform pem -in www.test.com.pubkey.pem -out www.test.com.pubkey.der + # sha256 hash and base64 encode der to string for use openssl dgst -sha256 -binary www.test.com.pubkey.der | openssl base64 .fi -- cgit v1.2.3