Tutorial: Examine a certificate
Script Inspection
Inspect key and certificate files using the FairCom keypairinfo.py script.
This script shows information about keys and certificates. Because it is common for multiple keys and certificates to be included inside a single file, the script attempts to find every block of cryptographic data in the file, parses each block, and displays it in an easily read form.
Navigate to the <faircomInstallationDirectory>/drivers/certificates folder.
There are two ways to run this script:
Run the program with a file name parameter:
python keypairinfo.py myfile.pem
The program inspects the file and displays the output.
Run the program without any parameters:
python keypairinfo.py
The program prompts you for the file name, then inspects the file and displays the output.
The filename and file extension have no significance to the script. Files are treated the same, regardless of the name.
The following is an example of the display output from running the program without a file name. Note that the key and the certificate report the same modulus hash: that is how you confirm the private key in the file belongs to the certificate in the file.
python keypairinfo.py
Welcome to FairCom's Certificate Information Program
Enter the location of the file to inspect (or 'x' to exit): C:\FairCom\fccert.pem
If the file contains a password-protected RSA key, enter that password:
Key #: 1
  Modulus hash: 969db60634c9a482bd3e9095f210cd5a5df76c530f9b1ed1e5ef2a85
  Private key bits: 4096
Certificate #: 2
  Modulus hash: 969db60634c9a482bd3e9095f210cd5a5df76c530f9b1ed1e5ef2a85
  Public key bits: 4096
  Subject:
    C: US
    CN: adamh-dt-2019
    L: Sandy
    O: FairCom
    ST: Utah
  Issuer:
    C: US
    CN: FairCom Private Certificate Authority
    L: Sandy
    O: FairCom
    ST: Utah
  Serial Number: 20231004152528002138000000001
  Valid From (UTC): 2023-09-05 16:11:47
  Valid Until (UTC): 2024-10-05 02:11:47
  Public key algorithm: sha256
  TLS Version.v3
  Extension information:
    Extension name: Subject Alternative Name
    Critical: False
    DNSName: MyPC
    DNSName: mypc.example.com
    IPAddress: 10.250.250.42
    IPAddress: 127.0.0.1
    DNSName: localhost
    Extension name: Basic Constraints
    Critical: True
    CA: False
    Extension name: Key Usage
    Critical: True
    Digital signature: True
    Key encipherment: True
    Extension name: Extended Key Usage
    Critical: True
    Extended key uses: Server auth
Press ENTER to exit
Command-line inspection using OpenSSL
Navigate to the <faircomInstallationDirectory>/drivers/certificates folder.
Use the following command to examine a CA certificate.
openssl x509 -noout -text -in ca.crt
When you run the OpenSSL command, pages of information are displayed. Some lines are more important than others.
Version: 3 (0x2)
This line shows the X.509 certificate format version: version 3, which is encoded on the wire as the integer 2 (hence the "0x2"). It has nothing to do with the TLS protocol version; a v3 certificate is required for the extensions shown below.
Subject: C=US, ST=Missouri, L=Columbia, O=Example, OU=IT, CN=Example Private Certificate Authority
This line shows the distinguished name you entered at the prompts when the certificate was created.
Public Key Algorithm: rsaEncryption
This line shows that the key was created using the RSA algorithm.
Public-Key: (4096 bit)
This line shows that the RSA modulus is 4096 bits long, which is the key size. It is not a measure of the entropy used to generate the key; a 4096-bit RSA key has far less than 4096 bits of security strength.
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:TRUE, pathlen:0
    X509v3 Key Usage: critical
        Certificate Sign, CRL Sign
These lines show that the key pair was created to be a CA key pair and that the roles it is meant for are signing certificates and signing Certificate Revocation Lists (CRLs). The pathlen:0 constraint means this CA may issue end-entity certificates only; any intermediate CA certificate signed with it must be rejected by a conforming verifier. Because both extensions are marked critical, a client that does not understand them must reject the certificate rather than ignore them.
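The following is an added example, not FairCom's keypairinfo.py or any other FairCom code: a standard-library Python script that does by hand what both sections above describe. It splits a file into every PEM block it contains regardless of the file name, walks the DER to pull out the RSA modulus of each key and certificate, hashes the modulus so a private key can be matched to its certificate (the equal "Modulus hash" lines in the script output above), and reads the X.509 version and Basic Constraints fields (CA flag and pathlen) that the OpenSSL walkthrough singles out. The sample input at the bottom is a constructed fixture with placeholder integers in the right DER shape, not a real key pair. SHA-256 as the modulus digest is this example's own choice (the page does not say which digest keypairinfo.py uses), and non-RSA keys and encrypted keys are reported rather than decoded.

```python
"""Find every PEM block in a file, read the RSA modulus of each key or certificate, and report
which private key belongs to which certificate (equal modulus hashes), plus the X.509 version
and Basic Constraints the OpenSSL walkthrough singles out. Standard library only."""
import base64, hashlib, re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
OID_RSA = bytes.fromhex("2a864886f70d010101")    # 1.2.840.113549.1.1.1 rsaEncryption
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19
uint = lambda v: int.from_bytes(v, "big")        # DER INTEGER content -> non-negative int

def pem_blocks(data):
    """Yield (label, der) for every PEM block; the file name and extension play no part."""
    for m in PEM_RE.finditer(data):
        yield m.group(1).decode(), base64.b64decode(re.sub(rb"\s+", b"", m.group(2)))

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Members of a constructed value (SEQUENCE, explicit tag, ...) as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def modulus_from_pkcs1(value):
    """RSAPrivateKey ::= SEQUENCE { version, modulus, publicExponent, ... }"""
    return uint(children(value)[1][1])

def modulus_from_pkcs8(value):
    """PrivateKeyInfo ::= SEQUENCE { version, algorithm, privateKey OCTET STRING (PKCS#1 inside) }"""
    _ver, (_, alg), (_, octets) = children(value)[:3]
    if children(alg)[0][1] != OID_RSA: raise ValueError("only RSA keys are handled here")
    return modulus_from_pkcs1(der_tlv(octets)[1])

def modulus_from_spki(value):
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }"""
    (_, alg), (_, bits) = children(value)[:2]
    if children(alg)[0][1] != OID_RSA: raise ValueError("only RSA keys are handled here")
    return uint(children(der_tlv(bits[1:])[1])[0][1])   # bits[0] = unused-bit count; then RSAPublicKey { n, e }

def inspect_certificate(value):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tbs = children(children(value)[0][1])
    version = 1                                       # v1 certificates omit the version field
    if tbs[0][0] == 0xA0:                             # [0] EXPLICIT Version INTEGER
        version = uint(der_tlv(tbs[0][1])[1]) + 1     # encodes 2 for v3, hence OpenSSL's "3 (0x2)"
        tbs = tbs[1:]
    # tbs now: serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ..., [3] extensions
    info = {"version": version, "modulus": modulus_from_spki(tbs[5][1]), "ca": False, "pathlen": None}
    for tag, exts in tbs[6:]:
        for _, ext in children(der_tlv(exts)[1]) if tag == 0xA3 else ():   # Extension { id, critical, value }
            parts = children(ext)
            if parts[0][1] == OID_BASIC_CONSTRAINTS:  # BasicConstraints { cA BOOLEAN, pathLenConstraint INTEGER }
                bc = children(der_tlv(parts[-1][1])[1])
                info["ca"] = any(t == 0x01 and v == b"\xff" for t, v in bc)
                info["pathlen"] = next((uint(v) for t, v in bc if t == 0x02), None)
    return info

def inspect(data):
    """One record per PEM block: kind, key size, modulus hash; certificates add version, CA flag, pathlen."""
    records = []
    for label, der in pem_blocks(data):
        rec, value = {"kind": label.lower()}, der_tlv(der)[1]
        if label == "CERTIFICATE":
            rec.update(inspect_certificate(value))
        elif label in ("RSA PRIVATE KEY", "PRIVATE KEY"):
            rec["modulus"] = (modulus_from_pkcs1 if label.startswith("RSA") else modulus_from_pkcs8)(value)
        else:                                         # e.g. ENCRYPTED PRIVATE KEY: decrypt it first
            rec["error"] = "not inspected"
        if "modulus" in rec:
            n = rec.pop("modulus")
            rec.update(bits=n.bit_length(), modulus_hash=hashlib.sha256(n.to_bytes(-(-n.bit_length() // 8), "big")).hexdigest())
        records.append(rec)
    return records

def matching_pairs(records):
    """(key index, certificate index) pairs with equal modulus hashes: that key really belongs to that cert."""
    return [(i, j) for i, k in enumerate(records) if k["kind"].endswith("private key") and "modulus_hash" in k
            for j, c in enumerate(records) if c["kind"] == "certificate" and c.get("modulus_hash") == k["modulus_hash"]]

# --- CONSTRUCTED FIXTURE: not a real key pair; placeholder integers with the right DER shape ---
def _der(tag, value):
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([len(value)]) if len(value) < 0x80 else bytes([0x80 | len(lb)]) + lb) + value
_int = lambda i: _der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))   # minimal positive INTEGER
_seq = lambda *m: _der(0x30, b"".join(m))
def _pem(label, der):
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label.encode(), body, label.encode())

N1, N2, E = (1 << 2047) | 0xC0FFEE01, (1 << 2047) | 0xDEADBEEF, 65537  # 2048-bit placeholder moduli
RSA_ALG = _seq(_der(0x06, OID_RSA), _der(0x05, b""))
SPKI = _seq(RSA_ALG, _der(0x03, b"\x00" + _seq(_int(N1), _int(E))))
BASIC_CONSTRAINTS = _seq(_der(0x06, OID_BASIC_CONSTRAINTS), _der(0x01, b"\xff"),
                         _der(0x04, _seq(_der(0x01, b"\xff"), _int(0))))  # critical, CA:TRUE, pathlen:0
TBS = _seq(_der(0xA0, _int(2)), _int(1), RSA_ALG, _seq(), _seq(), _seq(), SPKI, _der(0xA3, _seq(BASIC_CONSTRAINTS)))
SAMPLE_PEM = (_pem("RSA PRIVATE KEY", _seq(_int(0), _int(N1), _int(E), *[_int(1)] * 6))
              + _pem("CERTIFICATE", _seq(TBS, RSA_ALG, _der(0x03, b"\x00" * 257)))
              + _pem("PRIVATE KEY", _seq(_int(0), RSA_ALG, _der(0x04, _seq(_int(0), _int(N2), _int(E)))))
              + _pem("ENCRYPTED PRIVATE KEY", b"\x30\x00"))

if __name__ == "__main__":
    print(*inspect(SAMPLE_PEM), "matches:", matching_pairs(inspect(SAMPLE_PEM)), sep="\n")
```

To run it against a real file, replace SAMPLE_PEM with the bytes of that file, for example open(path, "rb").read(). The second private key in the fixture has a different modulus and is correctly left unmatched, and the encrypted block is reported but not opened; decrypt such a key first (for example with openssl pkey -in key.pem -out plain.pem, which prompts for the passphrase), which is the same reason keypairinfo.py asks for a password.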