This is a simple shell script that retrieves the X.509 certificate associated
with an SSL wrapped TCP port and uses openssl
to create a similar
certificate by replacing the RSA modulus and fixing the signature. This is
particularly useful if you want to demonstrate why self-signed certificates
cannot provide any security. Of course, the fingerprint of the cloned
certificate will be different... but who checks the fingerprint of a
self-signed certificate by hand?
Run the script:
$ ./clone-cert.sh www.example.com:443
/tmp/www.example.com:443.key
/tmp/www.example.com:443.cert
The new certificate is in /tmp/www.example.com:443.cert
and the corresponding
private key is in /tmp/www.example.com:443.key
. Their difference is only in
the RSA modulus and the signature:
$ diff <(openssl x509 -in /tmp/www.example.com:443.cert -noout -text) \
<(openssl s_client -connect www.example.com:443 < /dev/null 2> /dev/null \
| openssl x509 -noout -text)
16,33c16,33
< 00:c3:59:26:a5:ed:1c:2b:75:3a:0c:a2:ab:49:43:
< e8:1a:cd:24:64:4a:11:5a:fe:94:10:57:2a:af:f6:
< 28:a0:0a:32:3e:09:a2:1c:60:f0:39:62:40:78:3b:
< 9f:69:0e:ca:64:71:72:f5:00:16:ba:63:57:2b:85:
< dd:fb:2b:93:28:7f:fe:77:9f:a6:ff:6e:38:9b:65:
< 94:c4:34:59:53:33:4d:47:58:88:e1:fb:55:c8:48:
< 6d:19:e6:f3:84:6d:34:cd:93:88:e5:d2:70:2c:bc:
< cd:d6:f3:56:8a:7f:04:a5:b5:c6:8c:bd:f2:b5:ef:
< d5:c7:ab:5a:83:ea:f2:b9:f6:9f:9e:73:55:bf:a2:
< 14:03:f4:01:3c:11:48:9c:da:69:7e:e4:9c:01:5b:
< a7:03:2d:6c:dc:62:4a:72:ba:a5:18:5b:d5:64:4e:
< 8a:65:b5:f1:6f:fa:76:eb:8e:c0:5d:4a:44:bf:65:
< 6e:55:b1:1d:b4:dc:3f:56:db:5e:e4:2a:8b:e4:21:
< 53:90:28:87:14:85:9e:93:82:3b:3a:e0:0f:fc:b5:
< 35:46:52:db:6e:6e:11:68:78:9b:07:02:7d:12:49:
< e9:8a:47:07:f9:74:59:5d:4f:13:b2:40:6b:82:b1:
< 08:ef:62:ef:92:b7:67:2d:6e:10:33:2f:8d:e8:aa:
< 25:2f
---
> 00:b3:40:96:2f:61:63:3e:25:c1:97:ad:65:45:fb:
> ef:13:42:b3:2c:99:86:f4:b5:80:0b:76:dc:06:38:
> 2c:1f:a3:62:55:5a:36:76:de:ae:5d:fc:e2:e5:b4:
> e6:ec:5d:ca:ee:ca:df:50:16:24:2c:ee:fc:9a:b6:
> 8c:f6:a8:b3:ac:7a:08:7b:2a:1f:ad:5f:e7:fa:96:
> 59:25:ab:90:b0:f8:c2:3f:13:04:26:74:68:0f:c6:
> 78:2a:95:8a:5f:42:f2:0e:ed:52:a6:eb:68:23:89:
> e5:43:f8:6d:12:1b:62:42:7b:a8:05:f3:59:c4:5e:
> d6:c5:cc:46:c0:4b:19:b9:2d:4a:71:72:24:1e:5e:
> 55:44:93:ab:78:a1:47:4d:a5:dc:07:5a:9c:67:f4:
> 11:68:12:2f:d3:28:71:bc:ad:72:05:3c:16:75:d4:
> f8:72:58:ba:19:f1:dc:09:ed:f1:18:c6:92:2f:7d:
> bc:16:0b:37:8d:8a:ef:1b:6f:4f:b9:e0:7a:54:98:
> bf:b5:b6:cf:bb:aa:93:7f:0a:7f:1f:56:eb:a9:d8:
> e1:db:d5:39:d8:18:5b:d1:f2:64:33:d0:d6:c4:23:
> ff:09:ab:6d:71:ce:da:cf:c1:17:9c:23:be:2c:af:
> 2f:92:1c:3f:90:08:89:58:f2:b1:e1:10:6f:83:2e:
> f7:9f
67,81c67,81
< 66:9e:dc:08:c6:81:2e:91:80:d7:7a:27:a9:0f:fb:72:89:53:
< 21:b8:37:e9:f1:d6:d2:e8:98:08:01:29:ef:eb:74:19:30:6f:
< b0:a0:8d:c3:09:ec:06:cf:65:59:0e:8f:45:a4:8f:70:b2:8a:
< a3:71:d8:0f:eb:87:95:be:ba:22:76:3d:3c:33:62:c4:28:34:
< 6e:1a:be:de:8e:50:87:95:9c:85:ad:bf:91:b4:06:55:d6:b9:
< e2:f7:26:a1:5e:b9:57:f4:97:97:0f:08:9e:8f:36:6e:85:9c:
< aa:69:78:93:c0:aa:2a:ac:62:44:3f:eb:b3:4a:ee:6b:c9:63:
< 91:af:64:3f:8b:f1:b9:15:49:12:12:e4:7a:0f:ac:8c:7e:dc:
< e8:b3:2b:ad:37:e4:d9:90:34:e0:1d:b8:5e:5c:fb:e2:fa:ed:
< a2:11:0c:00:5b:e3:29:c6:51:7d:d6:1b:06:73:56:25:fe:20:
< 17:28:bb:dd:5c:8e:a6:bc:cf:a2:cf:56:75:f7:f0:cc:e2:c4:
< 28:57:9b:79:6c:5d:c5:63:0b:a5:47:4d:78:66:5b:0f:36:60:
< 49:70:44:75:0a:d1:76:52:9a:81:ee:02:13:39:ea:cc:a5:a1:
< 45:23:02:91:36:03:e3:46:2e:c8:ce:2c:83:1f:73:b8:e4:96:
< e3:2b:97:3b
---
> 84:a8:9a:11:a7:d8:bd:0b:26:7e:52:24:7b:b2:55:9d:ea:30:
> 89:51:08:87:6f:a9:ed:10:ea:5b:3e:0b:c7:2d:47:04:4e:dd:
> 45:37:c7:ca:bc:38:7f:b6:6a:1c:65:42:6a:73:74:2e:5a:97:
> 85:d0:cc:92:e2:2e:38:89:d9:0d:69:fa:1b:9b:f0:c1:62:32:
> 65:4f:3d:98:db:da:d6:66:da:2a:56:56:e3:11:33:ec:e0:a5:
> 15:4c:ea:75:49:f4:5d:ef:15:f5:12:1c:e6:f8:fc:9b:04:21:
> 4b:cf:63:e7:7c:fc:aa:dc:fa:43:d0:c0:bb:f2:89:ea:91:6d:
> cb:85:8e:6a:9f:c8:f9:94:bf:55:3d:42:82:38:4d:08:a4:a7:
> 0e:d3:65:4d:33:61:90:0d:3f:80:bf:82:3e:11:cb:8f:3f:ce:
> 79:94:69:1b:f2:da:4b:c8:97:b8:11:43:6d:6a:25:32:b9:b2:
> ea:22:62:86:0d:a3:72:7d:4f:ea:57:3c:65:3b:2f:27:73:fc:
> 7c:16:fb:0d:03:a4:0a:ed:01:ab:a4:23:c6:8d:5f:8a:21:15:
> 42:92:c0:34:a2:20:85:88:58:98:89:19:b1:1e:20:ed:13:20:
> 5c:04:55:64:ce:9d:b3:65:fd:f6:8f:5e:99:39:21:15:e2:71:
> aa:6a:88:82