Extract and Hash Public

ssl.sh

1. Extract and Hash Public Key from Live TLS Connection (Base64 Output):
```openssl s_client -servername HOSTURL -connect mydomain.com:443 | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64```
2. Extract and Hash Public Key from Local Certificate File (Base64 Output):
```openssl x509 -in ~/Downloads/certi_pem.cer   -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64```
3. Extract and Hash Public Key from Live TLS Connection (Hex Output)
```openssl s_client -servername HOSTURL -connect myhost.com:443 | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der |  hexdump -v -e '/1 "%02x"'```


```
openssl s_client -servername HOSTURL -connect mydomain.com:443 \
| openssl x509 -pubkey -noout \
| openssl pkey -pubin -outform der \
| openssl dgst -sha256 -binary \
| openssl enc -base64
```

- openssl s_client -servername HOSTURL -connect mydomain.com:443: Initiates a TLS handshake with mydomain.com on port 443 and retrieves the server's certificate.
- openssl x509 -pubkey -noout: Extracts the public key from the certificate.
- openssl pkey -pubin -outform der: Converts the public key to DER (binary) format.
- openssl dgst -sha256 -binary: Computes the SHA-256 hash of the DER-formatted public key.
- openssl enc -base64: Encodes the binary hash output into Base64 format


```
openssl x509 -in ~/Downloads/certi_pem.cer -pubkey -noout \
| openssl pkey -pubin -outform der \
| openssl dgst -sha256 -binary \
| openssl enc -base64
```

- openssl x509 -in ~/Downloads/certi_pem.cer -pubkey -noout: Reads a local PEM certificate file and extracts its public key.
- The rest of the pipeline is identical to the first example: Convert to DER → hash with SHA-256 → encode in Base64.


```
openssl s_client -servername HOSTURL -connect myhost.com:443 \
| openssl x509 -pubkey -noout \
| openssl pkey -pubin -outform der \
| hexdump -v -e '/1 "%02x"'
```

- Same initial steps as the first command: connect to server, extract public key, convert to DER.
- hexdump -v -e '/1 "%02x"': Outputs the raw binary public key in hexadecimal format


Convert .p7b to .cer
If your .p7b file is in PEM format (text, starts with -----BEGIN PKCS7-----):
```openssl pkcs7 -print_certs -in yourfile.p7b -out output.cer```

If your .p7b file is in DER format (binary):
```openssl pkcs7 -print_certs -in yourfile.p7b -inform DER -out output.cer```

- print_certs: Extracts all certificates from the .p7b bundle.
- inform DER: Specifies that the input is in binary format (omit this for PEM).
- out output.cer: Saves the extracted certificates in .cer format (PEM-encoded).



detect the format of a .p7b file

```grep -q "BEGIN PKCS7" yourfile.p7b && echo "PEM format" || echo "DER format"```
or
```file yourfile.p7b```
- If the file is in PEM format (Base64-encoded text):
Output might look like: ```ASCII text```
- If the file is in DER format (binary):
Output might look like:
```data```
or 
```ASN.1 binary data```

Extract and Hash Public Key

1. Extract and Hash Public Key from Live TLS Connection (Base64 Output):
   openssl s_client -servername HOSTURL -connect mydomain.com:443 | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
2. Extract and Hash Public Key from Local Certificate File (Base64 Output):
   openssl x509 -in ~/Downloads/certi_pem.cer -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
3. Extract and Hash Public Key from Live TLS Connection (Hex Output)
   openssl s_client -servername HOSTURL -connect myhost.com:443 | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | hexdump -v -e '/1 "%02x"'

openssl s_client -servername HOSTURL -connect mydomain.com:443 \
| openssl x509 -pubkey -noout \
| openssl pkey -pubin -outform der \
| openssl dgst -sha256 -binary \
| openssl enc -base64

• openssl s_client -servername HOSTURL -connect mydomain.com:443: Initiates a TLS handshake with mydomain.com on port 443 and retrieves the server's certificate.
• openssl x509 -pubkey -noout: Extracts the public key from the certificate.
• openssl pkey -pubin -outform der: Converts the public key to DER (binary) format.
• openssl dgst -sha256 -binary: Computes the SHA-256 hash of the DER-formatted public key.
• openssl enc -base64: Encodes the binary hash output into Base64 format

openssl x509 -in ~/Downloads/certi_pem.cer -pubkey -noout \
| openssl pkey -pubin -outform der \
| openssl dgst -sha256 -binary \
| openssl enc -base64

• openssl x509 -in ~/Downloads/certi_pem.cer -pubkey -noout: Reads a local PEM certificate file and extracts its public key.
• The rest of the pipeline is identical to the first example: Convert to DER → hash with SHA-256 → encode in Base64.

openssl s_client -servername HOSTURL -connect myhost.com:443 \
| openssl x509 -pubkey -noout \
| openssl pkey -pubin -outform der \
| hexdump -v -e '/1 "%02x"'

• Same initial steps as the first command: connect to server, extract public key, convert to DER.
• hexdump -v -e '/1 "%02x"': Outputs the raw binary public key in hexadecimal format

Convert .p7b to .cer
If your .p7b file is in PEM format (text, starts with -----BEGIN PKCS7-----):
openssl pkcs7 -print_certs -in yourfile.p7b -out output.cer

If your .p7b file is in DER format (binary):
openssl pkcs7 -print_certs -in yourfile.p7b -inform DER -out output.cer

• print_certs: Extracts all certificates from the .p7b bundle.
• inform DER: Specifies that the input is in binary format (omit this for PEM).
• out output.cer: Saves the extracted certificates in .cer format (PEM-encoded).

detect the format of a .p7b file

grep -q "BEGIN PKCS7" yourfile.p7b && echo "PEM format" || echo "DER format"
or
file yourfile.p7b

• If the file is in PEM format (Base64-encoded text):
  Output might look like: ASCII text
• If the file is in DER format (binary):
  Output might look like:
  data
  or
  ASN.1 binary data