
Tutorial: Examine a certificate

Script Inspection

Inspect key and certificate files using the FairCom keypairinfo.py script.

This script shows information about keys and certificates. Because a single file commonly holds several keys and certificates, the script attempts to find every block of cryptographic data, parses each block, and displays the result in an easily read form.

Navigate to the <faircomInstallationDirectory>/drivers/certificates folder.

There are two ways to run this script:

  • Run the program with a file name parameter:

    python keypairinfo.py myfile.pem

    The program inspects the file and displays the output.

  • Run the program without any parameters:

    python keypairinfo.py

    The program prompts you for the file name, then inspects the file and displays the output.

The filename and file extension have no significance to the script. Files are treated the same, regardless of the name.

The following is an example of the display output from running the program without a file name:

python keypairinfo.py

Welcome to FairCom's Certificate Information Program
Enter the location of the file to inspect (or 'x' to exit): C:\FairCom\fccert.pem
If the file contains a password-protected RSA key, enter that password:

Key #: 1
  Modulus hash: 969db60634c9a482bd3e9095f210cd5a5df76c530f9b1ed1e5ef2a85
  Private key bits: 4096

Certificate #: 2
  Modulus hash: 969db60634c9a482bd3e9095f210cd5a5df76c530f9b1ed1e5ef2a85
  Public key bits: 4096
  Subject:
    C: US
    CN: adamh-dt-2019
    L: Sandy
    O: FairCom
    ST: Utah
  Issuer:
    C: US
    CN: FairCom Private Certificate Authority
    L: Sandy
    O: FairCom
    ST: Utah
  Serial Number: 20231004152528002138000000001
  Valid From (UTC): 2023-09-05 16:11:47
  Valid Until (UTC): 2024-10-05 02:11:47
  Public key algorithm: sha256
  TLS Version.v3
  Extension information:
    Extension name: Subject Alternative Name
      Critical: False
      DNSName: MyPC
      DNSName: mypc.example.com
      IPAddress: 10.250.250.42
      IPAddress: 127.0.0.1
      DNSName: localhost
    Extension name: Basic Constraints
      Critical: True
      CA: False
    Extension name: Key Usage
      Critical: True
      Digital signature: True
      Key encipherment: True
    Extension name: Extended Key Usage
      Critical: True
      Extended key uses:
        Server auth
Press ENTER to exit

Command-line inspection using OpenSSL

Navigate to the <faircomInstallationDirectory>/drivers/certificates folder.

Use the following command to examine a CA certificate.

openssl x509 -noout -text -in ca.crt

Notable lines:

Running the openssl command displays several pages of information. Some lines are more important than others.

  • Version: 3 (0x2)

    This line shows that the certificate is TLS version 1.3.

  • Subject: C=US, ST=Missouri, L=Columbia, O=Example, OU=IT, CN=Example Private Certificate Authority

    This line shows the information you entered at the prompts.

  • Public Key Algorithm: rsaEncryption

    This line shows that the key was created using the RSA algorithm.

  • Public-Key: (4096 bit)

    This line shows that the key was created using 4096 bits of entropy.

  • X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign

    These lines show that the key pair was created to be a CA key pair and that the roles it is meant for are signing certificates and signing Certificate Revocation Lists (CRLs).
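The checks behind both parts of this tutorial, as an added example that is not FairCom's keypairinfo.py and not part of the original page. It generates a throw-away CA (constructed test material carrying the same Basic Constraints and Key Usage values as the notable lines above), lists every PEM block in a bundle the way keypairinfo.py scans a file, confirms that a private key and a certificate wrap the same modulus (the reason the script output above shows identical "Modulus hash" values for Key #1 and Certificate #2), and reads the key size, CA flag, key usage and remaining validity out of `openssl x509 -text`. It assumes the openssl command-line tool (1.1.1 or later, for `-addext`) is on PATH; the function names and the choice of SHA-256 over the modulus line are mine, not the script's.

```shell
#!/bin/sh
# Added example; not FairCom's keypairinfo.py and not part of the original tutorial.
# Assumes the openssl command-line tool (1.1.1 or newer, for -addext) is on PATH.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a throw-away CA key pair and self-signed certificate
# with the same Basic Constraints and Key Usage the tutorial's notable lines show,
# plus an unrelated key so that a key/certificate mismatch can be demonstrated.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/C=US/ST=Missouri/L=Columbia/O=Example/OU=IT/CN=Example Private Certificate Authority" \
    -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
cat "$WORK/ca.key" "$WORK/ca.crt" > "$WORK/bundle.pem"

# List the type of every PEM block in a file; a bundle may hold several.
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | paste -s -d , -
}

# Hash of the RSA modulus: SHA-256 over the "Modulus=..." line openssl prints.
# Only the comparison matters, so this need not match keypairinfo.py's own hash.
modulus_hash() {
    # $1 is "x509" for a certificate or "rsa" for a private key; $2 is the file
    openssl "$1" -noout -modulus -in "$2" | openssl dgst -sha256 | awk '{print $NF}'
}

# A certificate belongs to a private key exactly when both wrap the same modulus.
key_matches_cert() {
    if [ "$(modulus_hash rsa "$1")" = "$(modulus_hash x509 "$2")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# The N from "Public-Key: (N bit)" in the -text dump.
cert_key_bits() {
    openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# "true" when Basic Constraints carries CA:TRUE.
cert_is_ca() {
    if openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; then echo true; else echo false; fi
}

# The Key Usage values, for example "Certificate Sign, CRL Sign".
cert_key_usage() {
    openssl x509 -noout -text -in "$1" | awk '/X509v3 Key Usage/ { getline; sub(/^ +/, ""); print }'
}

# "true" when the certificate stays valid for at least $2 more seconds.
cert_valid_for() {
    if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null; then echo true; else echo false; fi
}

report() {
    printf 'PEM blocks in bundle : %s\n' "$(pem_block_types "$WORK/bundle.pem")"
    printf 'ca.key    vs ca.crt  : %s\n' "$(key_matches_cert "$WORK/ca.key" "$WORK/ca.crt")"
    printf 'other.key vs ca.crt  : %s\n' "$(key_matches_cert "$WORK/other.key" "$WORK/ca.crt")"
    printf 'Key size             : %s bit\n' "$(cert_key_bits "$WORK/ca.crt")"
    printf 'Is CA                : %s\n' "$(cert_is_ca "$WORK/ca.crt")"
    printf 'Key usage            : %s\n' "$(cert_key_usage "$WORK/ca.crt")"
    printf 'Valid for 30 days    : %s\n' "$(cert_valid_for "$WORK/ca.crt" 2592000)"
}

report
```

The modulus comparison is the quickest way to confirm that the key file a server is configured with actually belongs to the certificate it presents, and `-checkend` is the check to put in a monitoring job so that an expiry like the "Valid Until" date in the script output is noticed before clients start rejecting the certificate. Note that the `Version: 3 (0x2)` line in the `-text` dump is the X.509 certificate format version (v3 is encoded as 2); it is independent of the TLS protocol version the server negotiates.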