On Wed, Jun 10, 2015, at 03:19 PM, A. Schulze wrote:
> > openssl x509 -pubkey -noout -in /etc/ssh/mail/commercial.crt |
> > openssl pkey -pubin -outform DER | openssl dgst -sha1 -c
>
> take the output of "openssl x509 -sha1 -fingerprint -noout -in cert.pem"

To what end? That will extract the key in PEM format. As stated at
http://www.postfix.org/TLS_README.html

    To extract the public key fingerprint from an X.509 certificate,
    you need to extract the public key from the certificate and compute
    the appropriate digest of its DER (ASN.1) encoding. With OpenSSL the
    "-pubkey" option of the "x509" command extracts the public key
    always in "PEM" format. We pipe the result to another OpenSSL
    command that converts the key to DER and then to the "dgst" command
    to compute the fingerprint.

    # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
    $ openssl x509 -in cert.pem -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha1 -c
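
The two commands discussed in this thread hash different things, shown here as an added example that is not part of the original message or of the Postfix documentation. It issues two self-signed certificates from one key and prints both fingerprints for each; the scratch file names, the CN mail.example.test and the EC P-256 key are assumptions made for the demo.

```shell
#!/bin/sh
# Added example; file names, CN and key type are constructed for the demo.

# SHA-1 over the whole DER certificate ("x509 -fingerprint").
cert_fp() {
    openssl x509 -in "$1" -noout -sha1 -fingerprint | sed 's/^.*=//'
}

# SHA-1 over the DER-encoded public key (the TLS_README pipeline).
pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha1 -c | sed 's/^.*= *//'
}

# Issue two self-signed certificates from one key, as a renewal that
# keeps the key would. $1 is an existing scratch directory.
make_demo_certs() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1/key.pem" 2>/dev/null || return 1
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=mail.example.test" \
        -days 30 -out "$1/old.pem" || return 1
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=mail.example.test" \
        -days 365 -out "$1/new.pem" || return 1
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_certs "$tmp" || { rm -rf "$tmp"; return 1; }
    for c in old new; do
        echo "$c.pem certificate fingerprint: $(cert_fp "$tmp/$c.pem")"
        echo "$c.pem public key fingerprint:  $(pubkey_fp "$tmp/$c.pem")"
    done
    rm -rf "$tmp"
}

demo
```

The certificate fingerprint changes between old.pem and new.pem while the public key fingerprint stays the same, so a value taken from one command will not match a check that expects the other.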