More 0’s For Easier Self-Signed SSL-Certificate Fingerprint ID’ing

So if you’re using a self-signed SSL cert which is for personal use but is public facing (similar to an SSH key upon first connect), you will get a scary warning about it of course! It is recommended to verify the cryptographic hash of that certificate to help ensure that there is no Person-In-The-Middle attack taking place. You can have some fun, at least, with self-signed certs because you can put almost anything in them so I wrote a little script to generate some leading 0’s in the fingerprint field. This helps to not only slow down an attacker trying to trick me (they need to generate something similar which takes a little more time) but it’s also easier to remember a more basic pattern (my laptop is a bit slow so I could only get 5 of them which is about 20-bits worth of nothing — The more 0s, The more secure! :):

$ openssl x509 -in crt.pem -noout -fingerprint
SHA1 Fingerprint=00:00:0F:D1:86:3F:A0:39:10:67:78:0A:13:DD:3B:55:BC:68:A4:3B

==> crt.pem <==
-----BEGIN CERTIFICATE-----
MIIDOjCCAiICAQAwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCWloxCzAJBgNV
BAcMAlpaMQswCQYDVQQKDAJaWjELMAkGA1UECAwCWloxEjAQBgNVBAMMCTEyNy4w
LjAuMTEZMBcGA1UECwwQNERGNTRSOFM1QUo3S0tWVzAeFw0yMTA0MDEwMTE0Mjla
Fw0zMTAzMzAwMTE0MjlaMGMxCzAJBgNVBAYTAlpaMQswCQYDVQQHDAJaWjELMAkG
A1UECgwCWloxCzAJBgNVBAgMAlpaMRIwEAYDVQQDDAkxMjcuMC4wLjExGTAXBgNV
BAsMEDRERjU0UjhTNUFKN0tLVlcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDVjMyDU3S+b2kCQbnp2y6/TaYh85G/+neBL14o8emhwzngYP8BN6X+v9DJ
qa5pl3JNEqO8VHpTfc05jrHMHYOp1/ciP4FrSg7li4+J4qhclaseYCRJSoARDtEW
9P5eO67ISWe714JhQP+jovb45/xy1AkL8rmS/IF/5DTBgaMFu2iZ2AoR4d+48Xpe
f6sgddtYinBmZo4sTWV+4sUAoxRg7MAK6xMcublHR2YwYeV3VQmNRoXZ4kVwbjgY
56G90T6my7BOeyapVgybwwG7m6+yNQp4gw9ldac99qNSrQqeyNccXSRTIgpFwZx/
AMSGIxQy48nu9dZQV4Bz/Chfn6wXAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBADI3
DuPqiqv/z4isTRB7niUKtcNZ3c8f5yidxXqGwRSSvQR3krl9kWlIFdsWQ6jiKotB
THGP6QeChD04XDvXdiPAGq/wdafGZlWGmyKc6+hyDRn4Jf47cazgR2cZgUwenWIs
b+ORfLyESsCQiaHaE6pEg9seA588nz2I20GAtOK60ZpVFawKfv6NZnLLNmfUVusW
aWZjdRLwsUino+XZxrcfadCuFKvOOFVjYSbiqzq63vPILrhtt/dwyy5eocXoWP4B
Qs3iv31U+7yy2gT0BcnHHGwDq3gD8NS62UcnA/2ZOjgtR8P/bCsyldX92QWd1ysL
uQY6WY16bWyAhdGS21A=
-----END CERTIFICATE-----

==> key.pem <==
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA1YzMg1N0vm9pAkG56dsuv02mIfORv/p3gS9eKPHpocM54GD/
ATel/r/QyamuaZdyTRKjvFR6U33NOY6xzB2Dqdf3Ij+Ba0oO5YuPieKoXJWrHmAk
SUqAEQ7RFvT+XjuuyElnu9eCYUD/o6L2+Of8ctQJC/K5kvyBf+Q0wYGjBbtomdgK
EeHfuPF6Xn+rIHXbWIpwZmaOLE1lfuLFAKMUYOzACusTHLm5R0dmMGHld1UJjUaF
2eJFcG44GOehvdE+psuwTnsmqVYMm8MBu5uvsjUKeIMPZXWnPfajUq0KnsjXHF0k
UyIKRcGcfwDEhiMUMuPJ7vXWUFeAc/woX5+sFwIDAQABAoIBAQCqUefzfiaIlHce
M6nCGOyJ67ZrMca3ZV7XDB5/baI3QGvyx6nbILUmH3q4vLq8wOuLCSjKVl5SJO3/
0A2CjK+sUPFswVXJaoHDFrJe+QXrAfw+99M5GVBXSof9VV1jbxqR5+nyaYo1YxAB
RULRdsVkGDU28FqOHxJyHGLvSyPotwEbJErP6gXJeYPUpDmoN/aALAtr/9ENDiy+
hLWXgp3qLfs6LiWpQG3UV4/KCwU7fKzU68xtOdBzpxhSpHDoUD+2j1wfbp54LqlJ
q5TDcoCZaehvev3NQwT2Puh4AlEZG4QTj70UXRcvxClUNENtr+jM1WiCQuph8jqf
jXPPBZ5BAoGBAPJXWPnEtlcHycThj6ZrOIGSFyqPsRwBVxDQdmImNeFQOYmSVzzv
TP27mEg1QFUUzceAMEDhcjdlkU/D8IbGkKvxwH77DKG6J+hwTRmwcQsin9DP02/W
iIR6TrkJThNwAHSLSVF2TUyhovnAVLe3OlH8F3oTlvsjpTBYmtZXXTlRAoGBAOGW
CJb+2kOMq8rFvudAWC+vJQUrgqb4UIbeeNNcY7XtLEuZQfVjYHQsYPq6yqnor2XG
yvnnc5UuUHZ2gCdLXlnDYPd7FteSwZAkRD3+Bl7gp/ReuX2bSLD52BhAXYAptzBA
t76qCqWAVLNMDK6x/yr7GsQC2S+5LXnlDhpN9LTnAoGBAJSQyeItHx+RjbdeFIOQ
fc6pMfyMpKYniCmtsrWO+T8MwIk/Jq4bghaXF89EnhDKtTCVvH859pxRbtj4pQ7q
0iwnA7yUyXSoO+j6V7nk+hg6fME1d0i7u2uD05kKREwUQKMx9Ju1K8RL3y6/IvCR
qnYyVm4nbkq92noeB6ZZXrRRAoGBAM+JHUv1GM5Oa3n4ZQIRM1BjPJa+Ccwc5NC/
eb9R3zXvBfJjA8iC7ajTb0EcefjI5hynP/ObWL2lR0dFC++aqinA0sO7zS70h/lZ
NCMoQaol2r66KsKBCuYuZP0isiKHvk25LJJPk83g+4ucaoqJnSxoqZ4s1KzQGyNq
dIgEsh1/AoGAZZJRrsiP/n+P2BRGfjOaJz8nAYsysH34qVPwE7uZnWC6JoKVRyt6
6gzlmVI11amly4oTtVWZu+fk39znYf/surZJoK4VHhQJWxCbDSjIbdBBYijjjtFG
V9JJNS1Mwjxx8sFPrgZoBlJsiN1WPXRxW3dSftS2D2PU/Ct3w4QzeHw=
-----END RSA PRIVATE KEY-----

import time, string, random, subprocess
from OpenSSL import crypto, SSL
#openssl genrsa -out key.pem 2048
b = subprocess.check_output('cat key.pem', shell=True)
k = crypto.load_privatekey(crypto.FILETYPE_PEM, b)
r = string.digits+string.ascii_uppercase
l = range(16)
t = (10*365*24*60*60)
s = 0
while True:
  c = crypto.X509()
  c.set_pubkey(k)
  d = c.get_subject()
  d.C = "ZZ" ; d.L = "ZZ" ; d.O = "ZZ" ; d.ST = "ZZ"
  d.CN = "127.0.0.1" ; d.OU = ''.join(random.choice(r) for _ in l)
  c.set_issuer(d)
  c.gmtime_adj_notBefore(0)
  c.gmtime_adj_notAfter(t)
  c.set_serial_number(s)
  c.sign(k, 'sha1')
  f = c.digest('sha1')
  if f.startswith('00:00:'):
    print(f)
    print(crypto.dump_certificate(crypto.FILETYPE_PEM, c))
    if f.startswith('00:00:00:'):
      break

2 thoughts on “More 0’s For Easier Self-Signed SSL-Certificate Fingerprint ID’ing”

“So if you’re using a self-signed SSL cert which is for personal us… | Dr. Roy Schestowitz (罗伊) says:

[…] "So if you’re using a self-signed SSL cert which is for personal use but is public facing (similar to an SSH key upon first connect), you will get a scary warning about it of course!" https://fossjon.com/2021/03/31/more-0s-for-easier-self-signed-ssl-certificate-fingerprint-… […]

April 1, 2021 at 14:28 Reply
Links 1/4/2021: Linux Lite 5.4, LineageOS 18.1 | Techrights says:

[…] Jon Chiappetta: More 0’s For Easier Self-Signed SSL-Certificate Fingerprint ID’ing […]

April 1, 2021 at 15:47 Reply

Jon's FOSS Blog

Anything networking, coding, crypto, or security

More 0’s For Easier Self-Signed SSL-Certificate Fingerprint ID’ing

2 thoughts on “More 0’s For Easier Self-Signed SSL-Certificate Fingerprint ID’ing”

Leave a Reply Cancel reply

Share this:

Like this:

Related

2 thoughts on “More 0’s For Easier Self-Signed SSL-Certificate Fingerprint ID’ing”

Leave a Reply Cancel reply