인증서의 fingerprint(sha1, sha256) 확인

keystore 파일이 있는 웹 서버에서면 keytool 명령어를 통해서 https 인증서 내용을 확인할 수 있지만, 서버가 아니 다른 클라이언트 환경에서 서버의 인증서 내용 중 지문값(fingerprint)을 확인하는 방법이다.

1. 인증서를 가져온다

- openssl tool 이 설치되어 있어야 함.

# echo -n | openssl s_client -connect 1.2.3.4:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./server.pem

# more server.pem

-----BEGIN CERTIFICATE-----

MIIDdzCCAl+gAwIBAgIEU3rITzANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJr

cjEOMAwGA1UECBMFU2VvdWwxDjAMBgNVBAcTBVNlb3VsMRQwEgYDVQQKEwtNaXJh

Z2V3b3JrczETMBEGA1UECxMKU2VydmVyVGVhbTESMBAGA1UEAxMJRGV2ZWxvcGVy

MB4XDTE0MDgyMTIxMTM1NloXDTE0MTExOTIxMTM1NlowbDELMAkGA1UEBhMCa3Ix

DjAMBgNVBAgTBVNlb3VsMQ4wDAYDVQQHEwVTZW91bDEUMBIGA1UEChMLTWlyYWdl

....생략....

Psfk/U3dZp3wRsmz++Xscw120udtpotNfJ28Srewyp424b+k5BjhE3QSUBTTs6bx

XXBMRaXKgzEDAg15ZhilMUh2lJk8CKM2TWVjXnBmJ6yGgKYaN7JgIrh2vKatRapg

HGvd1nLItBKxV9cM9L4u7bj/0s42p4X6Zsx6eo3hPO3BDufWIhVOTyvoFSX/c3qB

zOEWIpuDod2QSTdGw1vbiIEs00Fk7mwkuNeLmlDawfMvZ9lwGB5wsC7ZFvDeARAS

SQ/BG56x37hZCj1miXM68p7nWSjjHLXoA1FF

-----END CERTIFICATE-----

2. fingerprint 확인

# openssl x509 -noout -in server.pem -fingerprint -sha1

SHA1 Fingerprint=89:18:10:06:76:55:30:8F:03:70:B4:3F:13:5E:56:DA:CA:08:2A:57

# openssl x509 -noout -in server.pem -fingerprint -sha256

SHA256 Fingerprint=A8:95:04:C6:76:31:33:76:FC:C8:38:FF:81:CE:37:6C:64:42:10:A8:B5:F5:0E:DD:FE:BB:02:84:E8:3E:75:A8

참고 :

http://askubuntu.com/questions/156620/how-to-verify-the-ssl-fingerprint-by-command-line-wget-curl

https://support.comodo.com/index.php?/Knowledgebase/Article/View/706/0/how-to-find-the-thumbprintserial-number-of-a-certificate

http://ko.wikipedia.org/wiki/X.509