5

I have generated my own SSL certificate for a web server on the internet; however, this was for three reasons:

  1. Fun
  2. Not wanting to buy an SSL certificate
  3. Trying to get an A rating (excluding trust issues) on SSL Labs SSL Test.

However, now that I've learnt a bit more about SSL (I am by no means an expert, novice at best) I understand that although the server has a certificate this does not circumvent the possibility of man-in-the-middle attacks.

I realise I could just create a new self-signed certificate, but given that I have access to the server, and based on this question regarding fingerprints, I was wondering if it is possible to verify the certificate and key on the server I have against the fingerprint I receive in my browser?

Basically is it possible for me to view the fingerprint on the server and then compare it to the one received in browser?

CONCLUSION

Based on Maarten Bodewes' answer, I ran the following using my .crt file instead of a .pem:

```
# openssl x509 -in mywebsite.com-selfsigned.crt -outform DER -out ~/mywebsite.com-selsigned.crt
```

calculated my sha1sum:

```
# sha1sum mywebsite.com-selfsigned.crt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  mywebsite.com-selfsigned.crt
```

And then checked my Sha1Fingerprint according to the answer provided by John Wu, and the two fingerprints are exactly the same. Perfect!

Gary
  • 7
    Just a tip, [Let's Encrypt](https://letsencrypt.org/) will issue you valid and trusted SSL certs for free if you have a domain. It can even autoconfigure your server so that you get an A rating, though I guess that might take some of the fun out of it :) – tlng05 Jun 21 '16 at 23:03
  • 2
    Could you elaborate on what you meant by `does not completely protect the traffic between my browser and my server from being intercepted`? – Neil Smithline Jun 22 '16 at 01:36
  • 1
    I guess 'completely protected' is the wrong description. I meant encrypted so as to avoid man in the middle attacks. – Gary Jun 22 '16 at 07:40
  • The question title and the question content do not fit together. There is nothing with `openssl verify` in here. – Daniel W. Dec 20 '18 at 14:42
  • 1
    Note if you connect to the server with SSH to get this fingerprint, SSH can also be MitMed unless you check _its_ key fingerprint 'out of band' (using data not obtained by connecting to the server). Thus the fingerprint you get from the server could itself be fake, and lead you to trust a fake SSL/TLS cert. And of course no one besides you can use this method to trust your website at all. – dave_thompson_085 Feb 27 '19 at 06:22

2 Answers

4

Not sure if you mean manually or automatically.

Manually -- yes -- you can view the thumbprint of the certificate that reaches your browser, e.g. in Chrome you would right-click the part of the address bar to the left of the address, choose Details, View Certificate, and click on the details tab. The thumbprint is at or near the bottom.

Automatically -- yes -- just install the certificate on your desktop computer (double click the cert and follow the instructions) and the browser will trust it from that point forward. If one day you browse to your web site and you get an SSL warning, there was a cert mismatch, and someone is hacking you.

John Wu
  • Does my browser automatically install the certificate or is this something I need to explicitly do? Otherwise I'm concerned that I may have fallen victim already... – Gary Jun 22 '16 at 07:55
  • @Gary it is something you have to explicitly do. The final thing you could do is actually create a CA certificate and install that in the browser as a new root certificate then sign the server certificate with that one just like a CA would do. – ewanm89 Jun 22 '16 at 16:25
  • Aye, that's my next challenge. I was reading [this](https://jamielinux.com/docs/openssl-certificate-authority/) last night before posting, but it sounds like I need to devote some serious time and resources. Not a five minute job! Thank you though. – Gary Jun 22 '16 at 16:27
2

In case you have enough trust in the other connection to the server then yes, you can calculate the fingerprint over there and compare it to the one in the client. Basically the fingerprint is just a hash over the (binary encoded) certificate.

So for instance:

```
openssl x509 -in yourcert.pem -outform DER -out yourcert.cer
```

removes any ASCII armour / PEM encoding (if present), and a simple:

```
sha1sum yourcert.cer
```

calculates the fingerprint.

Same for SHA-256 fingerprinting of course, in case your client supports that more secure hash algorithm.

Of course the general idea is that you can now trust the server at the client. The server should already trust its own certificate.

Maarten Bodewes
  • Oh yeah, the `file` command recognizes PEM certs, in case you need to script things. – Maarten Bodewes Jun 21 '16 at 23:25
  • Also, I just `sha1sum` my certs and got a mis-match. (See update) Would I need to run `openssl x509 -in yourcert.pem -outform DER -out yourcert.cer` first? – Gary Jun 22 '16 at 08:53
  • Although, I realise now I only have a `.key` and a `.crt` file.... – Gary Jun 22 '16 at 09:03
  • My apologies @Maarten Bodewes, I replaced the `.pem` with my `.crt` file and then ran a `sha1sum` on the certificate, and they match! – Gary Jun 22 '16 at 09:06
  • 2
    Or in one step `openssl x509 -in pemfile -noout -fingerprint [-$digest]` (default is SHA1). – dave_thompson_085 Feb 27 '19 at 06:19
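The fingerprint check discussed in this thread, as an added example that is not part of the original posts: it hashes the DER bytes whether the file on the server is PEM or DER, which is why running `sha1sum` directly on a PEM `.crt` gives a mismatch, and it compares the result against the colon-separated form a browser shows. The function names and the sample bytes are assumptions made for illustration; the sample is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in bytes, NOT a real certificate: a fingerprint is a plain
# hash over the DER bytes, so any byte string shows the PEM/DER difference.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of the first certificate in a PEM or DER file."""
    m = PEM_RE.search(data)
    if m is None:
        return data  # no PEM armour found: treat the input as DER already
    body = b"".join(m.group(1).split())  # drop line breaks inside the armour
    return base64.b64decode(body, validate=True)


def fingerprint(data: bytes, digest: str = "sha256") -> str:
    """Lower-case hex digest of the DER encoding (what browsers display)."""
    return hashlib.new(digest, to_der(data)).hexdigest()


def as_displayed(hex_fp: str) -> str:
    """Format a hex digest the way certificate viewers show it: AA:BB:..."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2)).upper()


def same_cert(server_file: bytes, shown: str, digest: str = "sha256") -> bool:
    """Compare the server-side file with the fingerprint read off the browser."""
    cleaned = re.sub(r"[:\s]", "", shown).lower()  # strip colons and spaces
    return cleaned == fingerprint(server_file, digest)


if __name__ == "__main__":
    print("hash of PEM text  :", hashlib.sha1(SAMPLE_PEM).hexdigest())
    print("SHA-1 fingerprint :", fingerprint(SAMPLE_PEM, "sha1"))
    shown = as_displayed(fingerprint(SAMPLE_DER))
    print("SHA-256 as shown  :", shown)
    print("match             :", same_cert(SAMPLE_PEM, shown))
```

As dave_thompson_085's comment on the question notes, the server-side value is only trustworthy if it was read over a channel that was itself verified out of band.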