38

I'm toying around with a Puppet agent and a Puppet master and I've noticed that the Puppet cert utility provides a fingerprint for my agent's public key as it has requested to be signed:

$ puppet cert list
  "dockerduck" (SHA256) 1D:72:C5:42:A5:F4:1C:46:35:DB:65:66:B8:B8:06:28:7A:D4:40:FA:D2:D5:05:1A:8F:43:60:6C:CA:D1:FF:79

How do I verify that this is the right key?

On the Puppet agent, taking a sha256sum gives me something dramatically different:

$ sha256sum /var/lib/puppet/ssl/public_keys/dockerduck.pem
f1f1d198073c420af466ec05d3204752aaa59ebe3a2f593114da711a8897efa3

If I recall correctly, certificates provide checksums of their public keys in the actual key files themselves. How can I get access to a key's fingerprint(s)?

Naftuli Kay

  • The fingerprint of the cert isn't the hash of the pem file, it's calculated based on specific fields in the cert arranged in a specific format and order. – Dobes Vandermeer Nov 18 '15 at 19:10

2 Answers

56

The OpenSSL command-line utility can be used to inspect certificates (and private keys, and many other things). To see everything in the certificate, you can do:

openssl x509 -in CERT.pem -noout -text

To get the SHA256 fingerprint, you'd do:

openssl x509 -in CERT.pem -noout -sha256 -fingerprint
derobert

  • `unable to load certificate 140640672884384:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE` Any ideas? – Naftuli Kay Jul 03 '14 at 18:06
  • @NaftuliTzviKay Maybe they're not in PEM format. What do the files look like? (or, can you generate a test one that you'll not use, and post it somewhere?) – derobert Jul 03 '14 at 18:08
  • Here's the public key referred to in the original post: http://pastebin.com/ae2Qtexc – Naftuli Kay Jul 03 '14 at 22:16
  • @NaftuliKay you need to have your certificate in form of pem format. – M_AWADI Jan 18 '19 at 13:22
  • Just in case somebody stumbled upon this and it turns out that the hashing you are looking at is longer than the one you are checking against, try other hashing algorithms like `-sha1` instead of `-sha256` – hanzo2001 Jun 04 '20 at 14:21
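The reason `sha256sum` on the `.pem` file never matches is that an X.509 fingerprint is the hash of the DER-encoded object, i.e. the base64 payload between the `-----BEGIN` and `-----END` lines, while `sha256sum` hashes the PEM text itself (header lines, base64 encoding and newlines included). The following script is an added example, not code from the original post, Puppet or OpenSSL; it reproduces what `openssl x509 -fingerprint` computes using only the Python standard library, reports when the file holds a different kind of PEM object (the situation behind the "no start line ... Expecting: TRUSTED CERTIFICATE" error above, e.g. a `PUBLIC KEY` block fed to `openssl x509`), and picks a digest algorithm from the length of the fingerprint you are comparing against (the mismatch hanzo2001 describes). The sample block embedded at the bottom is constructed from the bytes `abc`, not a real certificate; file paths and fingerprints on the command line are whatever your own setup has.

```python
"""Fingerprint a PEM file the way `openssl x509 -fingerprint` does:
hash the DER bytes, not the PEM text. Standard library only."""
import base64
import hashlib
import hmac
import re
import sys

# One PEM block: captures the label ("CERTIFICATE", "PUBLIC KEY", ...)
# and the base64 body between the BEGIN/END lines.
_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def pem_labels(pem_text: str) -> list:
    """Labels of every PEM block in the text, in order."""
    return [m.group(1) for m in _PEM_RE.finditer(pem_text)]


def pem_to_der(pem_text: str, expect_label: str = "CERTIFICATE") -> bytes:
    """DER bytes of the first PEM block carrying expect_label.

    Raises ValueError naming the labels actually present when the file holds
    something else, which is what openssl's "no start line" error hides."""
    for match in _PEM_RE.finditer(pem_text):
        if match.group(1) == expect_label:
            return base64.b64decode("".join(match.group(2).split()), validate=True)
    found = pem_labels(pem_text)
    if not found:
        raise ValueError("no PEM block found")
    raise ValueError(f"no {expect_label} block; file contains {found}")


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, in the format openssl prints."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem_text: str, algorithm: str = "sha256",
                    expect_label: str = "CERTIFICATE") -> str:
    return fingerprint(pem_to_der(pem_text, expect_label), algorithm)


def guess_algorithm(shown: str) -> str:
    """Digest whose hex length matches the fingerprint you were given."""
    hex_len = len(shown.replace(":", "").strip())
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(hex_len, "unknown")


def fingerprints_match(shown: str, computed: str) -> bool:
    """Compare ignoring colons and case; constant-time to avoid timing leaks."""
    def norm(s: str) -> str:
        return s.replace(":", "").strip().lower()
    return hmac.compare_digest(norm(shown), norm(computed))


# Constructed sample: the base64 "YWJj" is the bytes b"abc", not a certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    if len(sys.argv) >= 2:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_PEM
    shown = sys.argv[2] if len(sys.argv) >= 3 else None
    algo = guess_algorithm(shown) if shown else "sha256"
    print("PEM blocks in file:", pem_labels(text))
    # This is what sha256sum on the .pem file reports: a hash of the text.
    print("sha256 of PEM text:", hashlib.sha256(text.encode()).hexdigest())
    print(f"{algo} fingerprint of DER:", pem_fingerprint(text, algo))
    if shown:
        print("matches shown fingerprint:", fingerprints_match(shown, pem_fingerprint(text, algo)))
```

Run it as `python3 pem_fingerprint.py /path/to/cert.pem 1D:72:...:79` with your own certificate path and the value from `puppet cert list`; with no arguments it runs on the constructed sample. The same DER hash can be produced with the tool from the answer above via `openssl x509 -in CERT.pem -outform DER | sha256sum`, which is a handy way to convince yourself that the fingerprint is the hash of the DER bytes and not of the file.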
10

The best way to confirm the agent's fingerprint, at least in Puppet 3.6, is to run the following command on your agent:

puppet agent --fingerprint
mpaf