如何从 pem 或 crt 文件中的链中删除 SHA1 证书

Question

We are sweeping our environment for Expired SHA-1 certificates in chain.

We get details of expired SHA1 cert from file with below command,

[root@webserver01~]# openssl x509 -noout -fingerprint -sha1 -enddate -inform pem. -in /etc/web01/ssl/web01_mycompany_com.pem
SHA1 Fingerprint=A2:C0:7F:DF:67:9B:EF:86:39:4E:E4:7B:D0:F8:74:36:74:CA:9F:27
notAfter=Oct  2 23:59:59 2019 GMT

How do I remove this specific expired SHA-1 cert in chain from /etc/web01/ssl/web01_mycompany_com.pem file using CLI.

So /etc/web01/ssl/web01_mycompany_com.pem file will be updated without SHA-1 cert.

Answer 1

I figured it out. I know this is not programming question but I believe this forum is not strictly restricted to programming level questions. That is the reason just adding it to answer so if anyone else come across same situation can use this solution.

I used https://www.sslshopper.com/certificate-decoder.html

.pem consists of chain of certificates, We just need to figure it out which one is expire and just remove that.

Open that .pem file in your favorite editor and copy each certificate one by one from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and paste in above site.

It will show the details of certificate. If current cert which you paste in decoder is not expired then copy next cert in .pem file and check for end date.

Once you find the expired certs, Just remove it. Make sure remove it Begin to End. Then save file and check again with openssl command.

Note:- make sure take backup prior to change anything in .pem file.