Certificate Pinning - Generate SHA256 Pinning Key from Certificate .crt file
I have a running Android application that implements Certificate Pinning with a SHA256 Pin. I use the https://www.ssllabs.com/ssltest tool to obtain that pin.

The current server certificate is about to expire, and a new certificate will be applied to the server. I need to generate the SHA256 Pin for the new certificate before it is applied to the server so that I can add it to the application and introduce it in an update.

I have the new certificate .crt file. Any idea how to generate the SHA256 key from the file? I have no access to the server, just the .crt file.

As per OkHttp's CertificatePinner documentation:

SHA-256 or SHA-1 hashes. Each pin is a hash of a certificate's Subject Public Key Info, base64-encoded and prefixed with either sha256/ or sha1/.

Ethiopian answered 4/7, 2018 at 12:50 Comment(3)
So why not do what the documentation you quoted says to do? You should also consider pinning the CA certificate so you don't have to keep updating your app. (Ararat)
This is what you're looking for. Make sure you have the latest version of openssl. (Mousetail)
@JamesKPolk I already tried doing that on the old certificate but I got a different key than the one I have. I'm foggy on how to do these steps and which string I should do the hashing on, but I have attempted to do it on many values. The OpenSSL code worked for me though. Regarding the CA certificate, does that mean the intermediate certificate? If so, I don't think that's possible in our case as we don't have a dedicated intermediate certificate. (Ethiopian)

Try this command

openssl x509 -in my-certificate.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

Then use

"sha256/" + ${output hash from the command line above}.

You will find more commands on the Public Key Pinning page at the Mozilla Developer Network.

Watthour answered 3/6, 2021 at 9:7 Comment(0)
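As an added example (not from the answer above, nor OkHttp's or OpenSSL's own code), the following stdlib-only Python script pulls the DER SubjectPublicKeyInfo out of a .crt and computes the same `sha256/` pin as the openssl pipeline, which also shows exactly which bytes get hashed (the point the asker was unsure about). It goes slightly beyond the answer in accepting raw DER as well as PEM and version-1 certificates that omit the optional version field; the `der_encode` helper exists only so a constructed sample certificate can be built offline for testing.

```python
import base64
import hashlib
import re

def der_encode(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV; used here only to build constructed sample input."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:  # long form: 0x80 | number of length bytes, then the big-endian length
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def der_tlv(buf: bytes, pos: int):
    """Decode the tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def pem_to_der(cert: bytes) -> bytes:
    """Accept a PEM .crt (BEGIN/END CERTIFICATE armor) or raw DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", cert, re.S)
    return base64.b64decode(m.group(1)) if m else cert

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV: exactly the bytes the pin hashes."""
    _, pos, _ = der_tlv(cert_der, 0)      # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, _ = der_tlv(cert_der, pos)    # tbsCertificate ::= SEQUENCE { ... }
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                       # [0] EXPLICIT version is optional (absent in v1)
        pos = end
    for _ in range(5):                    # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_tlv(cert_der, pos)
    tag, _, end = der_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo SEQUENCE not found where expected")
    return cert_der[pos:end]              # keep tag and length: the pin covers the whole TLV

def pin_from_spki(spki_der: bytes) -> str:
    """OkHttp-style pin: 'sha256/' + base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def spki_pin(cert: bytes) -> str:
    """Pin for a .crt file's contents, PEM or DER, with no server access needed."""
    return pin_from_spki(extract_spki(pem_to_der(cert)))
```

A pin computed this way for the new .crt should match the answer's openssl pipeline byte for byte; if it does not, the two commands were fed different keys. Because the pin covers only the public key, a renewal that reuses the existing key pair keeps the old pin, while a fresh key pair produces a new pin that has to ship in the app before the certificate goes live.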
