Exporting a website certificate
Tuesday, February 10. 2015
This one was a tough one for me. Not technically, but mentally. I wrote about Java 1.7 update 51 breaking Cisco ASDM and how to fix it. Two separate users had the same problem, they didn't know how to get their hands on the Cisco certificate which is required.
My dilemma here is:
So, you're in charge of heavy machinery called a firewall, but you don't know how to get a certificate out of a website, huh!
This s a basic task for any security-minded admin, it's obvious that the skills required and skills available are pretty far from each other. Should I give instructions for this basic task, only to postpone the inevitable?
I guess I should.
Method 1: GnuTLS (the best option)
If you happen to have GnuTLS installed, it has an excellent command-line utility. This is mostly in Linux, but I have one running on Windows via Cygwin. Not all Linux distros have this one installed by default. It is easily available on all distros, though.
Example run (information has been omitted for brevity):
# gnutls-cli --print-cert blog.hqcodeshop.fi Resolving 'blog.hqcodeshop.fi'... Connecting to '81.22.252.148:443'... - Certificate type: X.509 - Got a certificate list of 2 certificates. - Certificate[0] info: - subject ..., SHA-1 fingerprint `c87f57f182cd10be0d16b52c5a41c4a915593e6b' Public Key Id: c6a1e7cd6139f2ec8872e0a198b2a15a26fe1461 Public key's random art: +--[ RSA 2048]----+ | | | | | E . | | . . o . . | | . . S = | | + + B o | |ooo+ o . = | |*=o o .. o | |*o.. o. . . | +-----------------+ -----BEGIN CERTIFICATE----- MIIEqzCCA5OgAwIBAgIDAih/MA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT ... nklApvqYviZIwv20nMLwHjtf71ycGZumzNNWQrECBgNWYhFuNyaNe3nzO5fym6o= -----END CERTIFICATE----- - Certificate[1] info: - subject ..., SHA-1 fingerprint `0e34141846e7423d37f20dc0ab06c9bbd843dc24' -----BEGIN CERTIFICATE----- MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT ... ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh gP8L8mJMcCaY -----END CERTIFICATE----- - Status: The certificate is trusted. - Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP256R1)-(AES-128-CBC)-(SHA256) - Ephemeral EC Diffie-Hellman parameters - Using curve: SECP256R1 - Curve size: 256 bits - Version: TLS1.2 - Key Exchange: ECDHE-RSA - Server Signature: RSA-SHA1 - Cipher: AES-128-CBC - MAC: SHA256 - Compression: NULL - Handshake was completed - Simple Client Mode:
Just hit ctrl-d or ctrl-c when the Simple Client Mode -prompt appears. You could actually talk HTTP to the server with that, but for getting the certificate it is not needed. The cert is already out there, just copy it and save it in a file. The 2nd cert is only intermediate CA certificate and it can be downloaded from web.
If you want to see the omitted information, just run the command. A public certificate is as public as anything in the net, there is no point in trying to hide it.
Method 2: OpenSSL (the popular option)
This method will work on any Linux or Mac OS X. There are couple of OpenSSL implementations for Windows, so most boxes should be able to run this one.
Why this isn't the best option is, because OpenSSL client doesn't do proper SNI. In the example below, it returns the wrong certificate. Not the one requested. If your site isn't sharing an IP-address, this will work for you.
Example:
# openssl s_client -connect blog.hqcodeshop.fi:443 CONNECTED(00000003) depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA verify return:1 depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3 verify return:1 depth=0 OU = GT61328546, ..., CN = *.hqsting.net verify return:1 --- Certificate chain 0 s:/OU=GT61328546/.../CN=*.hqsting.net i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA --- Server certificate -----BEGIN CERTIFICATE----- MIIErjCCA5agAwIBAgIDAit7MA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT ... TP3W1usGKSJ+fipYhc9ZTUFVs+g3FZ+m3Sltyfb/motM06EP6eq5heDxxPquEhaq OsY= -----END CERTIFICATE----- subject=/OU=GT61328546/.../CN=*.hqsting.net issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3 --- No client certificate CA names sent Server Temp Key: ECDH, prime256v1, 256 bits --- SSL handshake has read 2921 bytes and written 415 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-SHA256 Session-ID-ctx: Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 300 (seconds) ... Start Time: 1423326309 Timeout : 300 (sec) Verify return code: 0 (ok) --- DONE
Just hit ctrl-d or ctrl-c at the prompt. Again, you're at the HTTP-mode now and could talk to the web-server. The certificate is waiting on the screen to be copied and saved to a file.
Method 3: Firefox (the easy option)
Exporting a certificate of a website is implemented in Firefox browser.
Click the lock-symbol:
A small dialog will open. Select More information:
A big dialog with lot of information about the site will open up. One of the options is to View Certificate. Select it:
Step 4:
Select the bottom sertificate and export it. It will open a save as -dialog:
That's it! Now you have the certificate saved.
Dark on :
Nice blog!
I found your blog looking for ... well let me explain.
I moved to Finland a few months ago (ah ... love). Left everything behind from my home country, family, friends and ... pc's, servers, switches, routers, UPS's, etc. All of that stuff that just weighs tons and doesn't fit in a new small appartment.
So here I am now, with the bare minimum. A Windows laptop, a Linux laptop, a load of USB drives and a few Raspberry Pi's.
I didn't have much time to fool around with techno stuff but now that things are slowing down I am starting to get back into it. So I decided to make use of one of the Pi's.
I wanted to run an XMPP server for an Android app I'm looking to create. I first downloaded a few clients on my phones, downloaded and fired up OpenFire on the Windows laptop. I created 2 users and logged them in. Messages were sent and recived. Yay. Then I moved to the Pi. Similar thing, I installed ejabberd, created 2 users and messaged them.
This was all on the local home network. Now we come to the part about how I found your blog.
Of course I want to approach this from the outside world. So I need to open up ports to the Pi. And that's when I started to actually look at my ... B593-S22.
I didn't pay much attention to it when I got here. Just gave it a quick look, saw that the usual options were available and went on to things that needed more immediate attention. But now things have settled down a bit.
Opening a port? Easy enough! Wrong. The B593-S22 seems to ignore every (security) setting I make. Even putting a device in DMZ doesn't change a thing. Can't approach it from the outside world. On the homepage it also seems to report the incorrect public IP address.
Like you (as I have read, I think) I subscribe to Elisa, 4G. The firmware is "up to date", which is a build from 2013. And to my frustration there is very little information about this device out there. Especially about firmware.
So I found your blog and I am very interested in it. Curently mainly in the B593 stuff but all the rest too.
I had a quick look at the FTP-trick to enable SSH login. But in my build that is not an option. I can't set the path to ../.., I can only select paths from the inserted USB device from a menu. Perhaps it works with POST settings, I didn't try yet.
Anyway, that's where I am at the moment. In life and in Finland
I was wondering if you are interested in exploring this B593-S22 with me. Perhaps we can learn more about it and you can make it into another B593 post. If that is the case, please leave a reply here and I can send you more details about the router along with screenshots and an email address (the one used here for the comment is a spam address, don't bother emailing )
I'll be reading more of your posts as the days go by. Thanks for the nice work and spreading the info.
Have a good day!
Jari Turkia on :
When it comes to B593 s-22 read this first: https://blog.hqcodeshop.fi/archives/151-Huawei-B593-Logging-into-shell-Solved!.html#c1333
So, there is a huge difference between u-12 and s-22. And you're out of luck, you have the difficult one. Anyway, I'm always interested in exploring a s-22. I borrowed one, but need to return it in a while.
Dark on :
At one point I did think "well they wouldn't block this on 4G would they..? Nah, can't be. I've never heard of that before and I'm paying for this service ... must be a router issue."
I was so convinced of that, that I went with the router issue.
I've never heard of a provider blocking incoming traffic. In my home country there was a provider that blocked it on ports lower than 1000. So by anoyingly having to use ports >1000 this was 'fixed'. They stopped doing that years ago by the way. So this is rather new to me.
Perhaps they indicate it on their website but I don't speak enough Finnish yet (and studying the language, not any time soon I may add) to get it all.
Thanks for pointing to the comment. That about sums it up for me at the moment. Not giving up yet but as I'm going to Vietnam in 2 days I will spend those in another way. If you live nearby I don't mind lending you our S22, you can have it for 2 weeks. After that we'll be back.
Just for info sake, not sure if you are keeping track of actual firmware releases for the S22, but this is mine:
Hardware version: Ver.B
Firmware version: V200R001B180D20SP05C260
Jari Turkia on :
The s-22 isn't as interesting from hacking point of view as u-12 is. There are not tools to mod the firmware. I don't keep track of the firmwares anyway, as there aren't that many available to download.
Dark on :
22/tcp open ssh Dropbear sshd 0.50 (protocol 2.0)
23/tcp filtered telnet
53/tcp open tcpwrapped
80/tcp open http?
443/tcp open ssl/https?
631/tcp filtered ipp
3000/tcp open ppp?
8081/tcp filtered blackice-icecap
You mentioned that Dropbear probably uses /etc/passwd instead of curcfg.xml, adding to the difficulty.
I do get a login prompt over SSH but without the password it's of little use. I tried, they were not silly enough to use any defaults
Jari Turkia on :
I'm trying to incorporate that into my exploit too, but haven't found the time yet. See: https://blog.hqcodeshop.fi/archives/227-u-12-pre-SP100-exploits-in-a-single-tool.html for the info about the tool.
Philip Hall on :