SySS-Research / clone-cert

Licence: MIT license
Simple shell script to "clone" X.509 certificates

clone-cert.sh

This is a simple shell script that retrieves the X.509 certificate associated with a TLS-wrapped TCP port and uses openssl to create a similar certificate by replacing the public key and fixing the signature.

This is particularly useful if you want to demonstrate why self-signed certificates cannot provide any security. Of course, the fingerprint of the cloned certificate will be different... but who checks the fingerprint of a self-signed certificate by hand?

You can also clone certificates that are not self-signed. In that case, the serial number is replaced by a newly generated one (because browsers keep track of the serial numbers they encounter and will notice that something fishy is going on), and the issuer is changed (for the same reason). The fake issuer will have the first capital letter O replaced by a zero, or a lower-case L replaced by a capital i, or its last character replaced by a space, and will thus look inconspicuous to a casual observer.

The new fake issuing CA will be generated on the fly unless you provide one.
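
The issuer edits described above leave a name that differs from the real one by a single character, so comparing an observed issuer against the issuer names you already trust can flag them. The following is an added example, not part of clone-cert; the function names and the sample issuer strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from clone-cert): classify an observed issuer name against
# a trusted one, flagging the three look-alike edits the README describes.
# Function names and sample issuer names are hypothetical.

# Undo the two character swaps: zero back to capital O, capital i back to
# lower-case L. Applied to both names so legitimate 0/I characters still compare equal.
fold_confusables() {
    printf '%s' "$1" | tr '0I' 'Ol'
}

# Prints one of: match | lookalike | different
classify_issuer() {
    ci_trusted=$1
    ci_observed=$2
    if [ "$ci_observed" = "$ci_trusted" ]; then
        echo match
        return 0
    fi
    # Edits 1 and 2: capital O -> zero, lower-case L -> capital i.
    if [ "$(fold_confusables "$ci_observed")" = "$(fold_confusables "$ci_trusted")" ]; then
        echo lookalike
        return 0
    fi
    # Edit 3: last character replaced by a space (same length, same prefix).
    case $ci_observed in
        *' ')
            if [ "${ci_observed%?}" = "${ci_trusted%?}" ]; then
                echo lookalike
                return 0
            fi
            ;;
    esac
    echo different
}

# Constructed sample issuer names, checked against one trusted name.
TRUSTED='Example Global Org Root CA'
for observed in 'Example Global Org Root CA' 'Example Global 0rg Root CA' \
                'Example GIobal Org Root CA' 'Example Global Org Root C ' \
                'Unrelated Issuing CA'; do
    printf '%-10s [%s]\n' "$(classify_issuer "$TRUSTED" "$observed")" "$observed"
done
```

A `lookalike` result is a triage signal worth alerting on; `match` and `different` say nothing about trust by themselves, which chain validation or a pinned key fingerprint still has to decide.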

Certificates containing either an RSA or an EC public key are supported. SNI is also supported. Run ./clone-cert.sh for more information about the usage.

Example

Run the script:

$ ./clone-cert.sh www.example.com:443
/tmp/www.example.com:443_0.key
/tmp/www.example.com:443_0.cert

The new certificate is in /tmp/www.example.com:443_0.cert and the corresponding private key is in /tmp/www.example.com:443_0.key. The cloned certificate differs from the original only in the RSA modulus and the signature:

$ diff <(openssl x509 -in /tmp/www.example.com:443_0.cert -noout -text) \
       <(openssl s_client -connect www.example.com:443 < /dev/null 2> /dev/null \
         | openssl x509 -noout -text)
16,33c16,33
<                     00:c3:59:26:a5:ed:1c:2b:75:3a:0c:a2:ab:49:43:
<                     e8:1a:cd:24:64:4a:11:5a:fe:94:10:57:2a:af:f6:
<                     28:a0:0a:32:3e:09:a2:1c:60:f0:39:62:40:78:3b:
<                     9f:69:0e:ca:64:71:72:f5:00:16:ba:63:57:2b:85:
<                     dd:fb:2b:93:28:7f:fe:77:9f:a6:ff:6e:38:9b:65:
<                     94:c4:34:59:53:33:4d:47:58:88:e1:fb:55:c8:48:
<                     6d:19:e6:f3:84:6d:34:cd:93:88:e5:d2:70:2c:bc:
<                     cd:d6:f3:56:8a:7f:04:a5:b5:c6:8c:bd:f2:b5:ef:
<                     d5:c7:ab:5a:83:ea:f2:b9:f6:9f:9e:73:55:bf:a2:
<                     14:03:f4:01:3c:11:48:9c:da:69:7e:e4:9c:01:5b:
<                     a7:03:2d:6c:dc:62:4a:72:ba:a5:18:5b:d5:64:4e:
<                     8a:65:b5:f1:6f:fa:76:eb:8e:c0:5d:4a:44:bf:65:
<                     6e:55:b1:1d:b4:dc:3f:56:db:5e:e4:2a:8b:e4:21:
<                     53:90:28:87:14:85:9e:93:82:3b:3a:e0:0f:fc:b5:
<                     35:46:52:db:6e:6e:11:68:78:9b:07:02:7d:12:49:
<                     e9:8a:47:07:f9:74:59:5d:4f:13:b2:40:6b:82:b1:
<                     08:ef:62:ef:92:b7:67:2d:6e:10:33:2f:8d:e8:aa:
<                     25:2f
---
>                     00:b3:40:96:2f:61:63:3e:25:c1:97:ad:65:45:fb:
>                     ef:13:42:b3:2c:99:86:f4:b5:80:0b:76:dc:06:38:
>                     2c:1f:a3:62:55:5a:36:76:de:ae:5d:fc:e2:e5:b4:
>                     e6:ec:5d:ca:ee:ca:df:50:16:24:2c:ee:fc:9a:b6:
>                     8c:f6:a8:b3:ac:7a:08:7b:2a:1f:ad:5f:e7:fa:96:
>                     59:25:ab:90:b0:f8:c2:3f:13:04:26:74:68:0f:c6:
>                     78:2a:95:8a:5f:42:f2:0e:ed:52:a6:eb:68:23:89:
>                     e5:43:f8:6d:12:1b:62:42:7b:a8:05:f3:59:c4:5e:
>                     d6:c5:cc:46:c0:4b:19:b9:2d:4a:71:72:24:1e:5e:
>                     55:44:93:ab:78:a1:47:4d:a5:dc:07:5a:9c:67:f4:
>                     11:68:12:2f:d3:28:71:bc:ad:72:05:3c:16:75:d4:
>                     f8:72:58:ba:19:f1:dc:09:ed:f1:18:c6:92:2f:7d:
>                     bc:16:0b:37:8d:8a:ef:1b:6f:4f:b9:e0:7a:54:98:
>                     bf:b5:b6:cf:bb:aa:93:7f:0a:7f:1f:56:eb:a9:d8:
>                     e1:db:d5:39:d8:18:5b:d1:f2:64:33:d0:d6:c4:23:
>                     ff:09:ab:6d:71:ce:da:cf:c1:17:9c:23:be:2c:af:
>                     2f:92:1c:3f:90:08:89:58:f2:b1:e1:10:6f:83:2e:
>                     f7:9f
67,81c67,81
<          66:9e:dc:08:c6:81:2e:91:80:d7:7a:27:a9:0f:fb:72:89:53:
<          21:b8:37:e9:f1:d6:d2:e8:98:08:01:29:ef:eb:74:19:30:6f:
<          b0:a0:8d:c3:09:ec:06:cf:65:59:0e:8f:45:a4:8f:70:b2:8a:
<          a3:71:d8:0f:eb:87:95:be:ba:22:76:3d:3c:33:62:c4:28:34:
<          6e:1a:be:de:8e:50:87:95:9c:85:ad:bf:91:b4:06:55:d6:b9:
<          e2:f7:26:a1:5e:b9:57:f4:97:97:0f:08:9e:8f:36:6e:85:9c:
<          aa:69:78:93:c0:aa:2a:ac:62:44:3f:eb:b3:4a:ee:6b:c9:63:
<          91:af:64:3f:8b:f1:b9:15:49:12:12:e4:7a:0f:ac:8c:7e:dc:
<          e8:b3:2b:ad:37:e4:d9:90:34:e0:1d:b8:5e:5c:fb:e2:fa:ed:
<          a2:11:0c:00:5b:e3:29:c6:51:7d:d6:1b:06:73:56:25:fe:20:
<          17:28:bb:dd:5c:8e:a6:bc:cf:a2:cf:56:75:f7:f0:cc:e2:c4:
<          28:57:9b:79:6c:5d:c5:63:0b:a5:47:4d:78:66:5b:0f:36:60:
<          49:70:44:75:0a:d1:76:52:9a:81:ee:02:13:39:ea:cc:a5:a1:
<          45:23:02:91:36:03:e3:46:2e:c8:ce:2c:83:1f:73:b8:e4:96:
<          e3:2b:97:3b
---
>          84:a8:9a:11:a7:d8:bd:0b:26:7e:52:24:7b:b2:55:9d:ea:30:
>          89:51:08:87:6f:a9:ed:10:ea:5b:3e:0b:c7:2d:47:04:4e:dd:
>          45:37:c7:ca:bc:38:7f:b6:6a:1c:65:42:6a:73:74:2e:5a:97:
>          85:d0:cc:92:e2:2e:38:89:d9:0d:69:fa:1b:9b:f0:c1:62:32:
>          65:4f:3d:98:db:da:d6:66:da:2a:56:56:e3:11:33:ec:e0:a5:
>          15:4c:ea:75:49:f4:5d:ef:15:f5:12:1c:e6:f8:fc:9b:04:21:
>          4b:cf:63:e7:7c:fc:aa:dc:fa:43:d0:c0:bb:f2:89:ea:91:6d:
>          cb:85:8e:6a:9f:c8:f9:94:bf:55:3d:42:82:38:4d:08:a4:a7:
>          0e:d3:65:4d:33:61:90:0d:3f:80:bf:82:3e:11:cb:8f:3f:ce:
>          79:94:69:1b:f2:da:4b:c8:97:b8:11:43:6d:6a:25:32:b9:b2:
>          ea:22:62:86:0d:a3:72:7d:4f:ea:57:3c:65:3b:2f:27:73:fc:
>          7c:16:fb:0d:03:a4:0a:ed:01:ab:a4:23:c6:8d:5f:8a:21:15:
>          42:92:c0:34:a2:20:85:88:58:98:89:19:b1:1e:20:ed:13:20:
>          5c:04:55:64:ce:9d:b3:65:fd:f6:8f:5e:99:39:21:15:e2:71:
>          aa:6a:88:82

Author

Adrian Vollmer, 2017-2019
