Have a need to extract a public key certificate from a network packet capture session (pcap)?
You can use this method to extract either the server or client side public key using Wireshark.
In my situation I had the SSL traffic using a non-standard port (9443) instead of 443. To ensure your packets are correctly decoded in Wireshark, tell it to apply the SSL dissector to the correct port number: select a packet line in Wireshark, choose “Analyze” from the menu bar, select “Decode As…” and the rest you can figure out.
What you want to look for in Wireshark’s main screen is an entry whose Info column says “Certificate” or “Hello, Certificate”, with the “source” being the party that holds the private key matching that certificate (the server for the server certificate, the client for a client certificate).
Once you find that packet, move down to Wireshark’s packet details pane and drill down to “SSL”, then look for the “Certificate” section with the expected common name in brackets. In my case this was “Certificate (id-at-commonName=bobby:myvpn.a)”. Right-click this section, select “Export Selected Packet Bytes”, and save to the file “my-client-pubkey.der”. The file will be in binary DER format.
View the X.509 certificate:
$ openssl x509 -inform der -in my-client-pubkey.der -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 7829 (0x1e95)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=firstname.lastname@example.org
        Validity
            Not Before: Jul  9 16:04:02 1998 GMT
            Not After : Jul  9 16:04:02 1999 GMT
        Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=bobby:myvpn.a
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:
                    33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1:
                    66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66:
                    70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17:
                    16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b:
                    c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77:
                    8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3:
                    d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8:
                    e8:35:1c:9e:27:52:7e:41:8f
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d:
        92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92:
        ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67:
        d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72:
        0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1:
        5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7:
        8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22:
        68:9f
This is a sample certificate.
To convert the DER file to PEM, save it with the following command (from the sslshopper list of the most common OpenSSL commands: https://www.sslshopper.com/article-most-common-openssl-commands.html):
$ openssl x509 -inform der -in certificate.der -out certificate.pem
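As an added example (not part of the original post), the script below does with the standard library what the two openssl commands above do: it walks the DER file exported from Wireshark, pulls out the serial number, signature algorithm, issuer, validity and subject, and converts the bytes to PEM. It also shows where Wireshark’s “Certificate (id-at-commonName=…)” label comes from: OID 2.5.4.3 in the subject name is id-at-commonName. Because no pcap can be embedded here, the block builds its own v1 certificate shaped like the sample above (same serial, dates and subject CN, but a fake modulus and an unsigned signature field), so the structure is constructed and not a real certificate. Run it with the exported file as its argument, e.g. `python3 inspect_cert.py my-client-pubkey.der` (script name assumed), or with no argument to parse the built-in sample. One check worth keeping: if you export the outer “Certificates” field instead of the inner “Certificate” one, the TLS length prefixes stay in front of the DER SEQUENCE and the parser rejects the file, which is the same reason openssl would fail on it.

```python
import base64
import sys

# --- DER reading: this is where Wireshark's "Certificate (id-at-commonName=...)" label comes from

def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Split a constructed element's body into (tag, body) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        out.append((tag, inner))
    return out

def oid_decode(body):
    """Decode a base-128 OID body (the first byte packs the first two arcs)."""
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))

# Attribute types seen in the post's certificate; 2.5.4.3 is id-at-commonName.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU"}

def parse_name(body):
    """Name = SEQUENCE OF RDN; RDN = SET OF SEQUENCE { type OID, value }."""
    attrs = []
    for _, rdn in der_children(body):
        for _, atv in der_children(rdn):
            (_, type_oid), (_, value) = der_children(atv)
            dotted = oid_decode(type_oid)
            attrs.append((OID_NAMES.get(dotted, dotted), value.decode("utf-8", "replace")))
    return attrs

def parse_certificate(der):
    """Return the fields openssl x509 -text prints, from one DER-encoded Certificate."""
    tag, body, end = der_read(der)
    if tag != 0x30 or end != len(der):
        # Exporting the outer "Certificates" field instead of the inner "Certificate" leaves
        # TLS length prefixes in front of the SEQUENCE; that is the usual cause of this error.
        raise ValueError("not a single DER SEQUENCE: export the inner Certificate bytes")
    (_, tbs), (_, _sig_alg), (_, _sig) = der_children(body)
    fields, version = der_children(tbs), 1
    if fields[0][0] == 0xA0:               # explicit [0] version is present only for v2/v3
        version = der_children(fields[0][1])[0][1][-1] + 1
        fields = fields[1:]
    (_, serial), (_, algo), (_, issuer), (_, validity), (_, subject), _ = fields[:6]
    (_, not_before), (_, not_after) = der_children(validity)
    subject_attrs = parse_name(subject)
    return {
        "version": version,
        "serial": int.from_bytes(serial, "big", signed=True),
        "signature_algorithm": oid_decode(der_children(algo)[0][1]),
        "issuer": parse_name(issuer),
        "subject": subject_attrs,
        "common_name": next(v for k, v in subject_attrs if k == "CN"),
        "not_before": not_before.decode(),
        "not_after": not_after.decode(),
    }

def der_to_pem(der):
    """Same transformation as `openssl x509 -inform der -out certificate.pem`."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# --- constructed sample: a v1 certificate shaped like the post's, with a fake key and signature

def _tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def _int(n):
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def _name(pairs):                           # attribute OID bodies: 2.5.4.x -> 55 04 x
    oids = {"CN": b"\x55\x04\x03", "C": b"\x55\x04\x06", "O": b"\x55\x04\x0a"}
    return _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, oids[k]) + _tlv(0x0C, v.encode())))
                               for k, v in pairs))

def build_sample_certificate():
    md5_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010104")) + _tlv(0x05, b""))
    rsa_enc = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
    fake_modulus = (1 << 1023) | 0x10001                            # constructed, not a real key
    spki = _tlv(0x30, rsa_enc + _tlv(0x03, b"\x00" + _tlv(0x30, _int(fake_modulus) + _int(65537))))
    tbs = _tlv(0x30, _int(7829) + md5_rsa
               + _name([("C", "ZA"), ("O", "Thawte Consulting cc"), ("CN", "Thawte Server CA")])
               + _tlv(0x30, _tlv(0x17, b"980709160402Z") + _tlv(0x17, b"990709160402Z"))
               + _name([("C", "US"), ("O", "Brent Baccala"), ("CN", "bobby:myvpn.a")])
               + spki)
    return _tlv(0x30, tbs + md5_rsa + _tlv(0x03, b"\x00" + bytes(128)))   # fake signature bits

if __name__ == "__main__":
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_certificate()
    for key, value in parse_certificate(der).items():
        print(f"{key}: {value}")
    print(der_to_pem(der))
```

The parser only reads structure; it does not verify the signature, so it is a viewer like `openssl x509 -text -noout`, not a validator. The PEM writer wraps at 64 characters, the same line length OpenSSL emits, so the output can be fed back into openssl or a browser unchanged.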
Excellent write-up that I used to help me: http://blog.stalkr.net/2010/03/codegate-decrypting-https-ssl-rsa-768.html