Extract Public Key from X.509 Certificate as Hex

X.509 certificates are a common way to exchange and distribute public key information. For example, most OpenSocial containers use the OAuth RSA-SHA1 signature method, and distribute their public keys in the X.509 format.

While working on an AppEngine application, I needed to verify requests from such containers. However, there is (currently) no pure Python library capable of parsing the certificates. This meant that I needed to extract the public key out of the certificate manually, and store it in some parsed way inside the Python code.

Fortunately, parsing public keys from an X.509 certificate and representing them as a hex number turned out to be simple and easy.

openssl x509 -modulus -noout < pub.cer | sed s/Modulus=/0x/

Just replace pub.cer with the certificate file you want to parse. For example (I’ve used Orkut’s certificate):

$ openssl x509 -modulus -noout < pub.1199819524.-1556113204990931254.cer | sed s/Modulus=/0x/
0xB1E057678343866DB89D7DEC251899261BF2F5E0D95F5D868F81D600C9A101C9E6DA20606290228308551ED3ACF9921421DCD01EF1DE35DD3275CD4983C7BE0BE325CE8DFC3AF6860F7AB0BF32742CD9FB2FCD1CD1756BBC400B743F73ACEFB45D26694CAF4F26B9765B9F65665245524DE957E8C547C358781FDFB68EC056D1

and all I have to do is copy the result into my Python code (aren’t Python’s unbounded integers great?).

8 thoughts on “Extract Public Key from X.509 Certificate as Hex”

  1. I am trying to do the same with another OpenSocial container and getting the following error:

    C:\Program Files\GnuWin32\bin>openssl x509 -modulus -noout < lokalistenPublicKey
    v1.pem | sed s/Modulus=/0x/
    unable to load certificate
    3476:error:0906D06C:PEM routines:PEM_read_bio:no start line:./crypto/pem/pem_lib
    .c:647:Expecting: TRUSTED CERTIFICATE

    Can you help?

  2. Hi,

    It looks like the certificate you have is not in the right format, or it might be corrupted. Which container are you trying to use?

  3. http://lokalisten.de/

    I found a public key on the developer forum from one of the lokalisten.de team members, here are its contents:

    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZzI/zgAlC2cYWJBoXhpJOmeB+
    djBDLhncgYlNQLNLjkS1L2cc9SLJUPz3dXmFxie6x8rxdB4XxEG8bsDejDptJe9S
    /zrymlH5OgFEqyas+qqo58xHnCFGX8FVbbHOmMEj9qom3HK+QUgNrA7zcP0rXuB5
    OzleBGV3OsvMgTQzVwIDAQAB
    -----END PUBLIC KEY-----

  4. [root@hadoop_m ca]# openssl x509 -in client4.crt -pubkey
    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8umK3S5fOhGJsu4mi7VtikLL2
    sQ1xNkmmhzq/dHgc020JUq2ZhqM0R7nwBpopilPHU6sVnF0xTMHHhM/68maqZ+vu
    Uz3byFCTvTLWpbCTx6ysMGfIq43Du0xzSQaSRFBqFecJ5P5EeKewhdnyB/SUqDgI
    Zvbgq8d3E/H0b4yzAQIDAQAB
    -----END PUBLIC KEY-----

  5. I think the command should be:
    openssl x509 -modulus -noout -in pub.cer | sed 's/Modulus=/0x/'

  6. It’s completely equivalent, mine reads the certificate from stdin, yours specifies it on the command line…
