We are sweeping our environment for Expired SHA-1 certificates in chain.
We get details of expired SHA1 cert from file with below command,
[root@webserver01~]# openssl x509 -noout -fingerprint -sha1 -enddate -inform pem -in /etc/web01/ssl/web01_mycompany_com.pem
SHA1 Fingerprint=A2:C0:7F:DF:67:9B:EF:86:39:4E:E4:7B:D0:F8:74:36:74:CA:9F:27
notAfter=Oct 2 23:59:59 2019 GMT
How do I remove this specific expired SHA-1 cert in the chain from the /etc/web01/ssl/web01_mycompany_com.pem file using the CLI, so that the /etc/web01/ssl/web01_mycompany_com.pem file is updated without the SHA-1 cert?
I used https://www.sslshopper.com/certificate-decoder.html
A .pem file consists of a chain of certificates; we just need to figure out which one is expired and remove that one.
Open the .pem file in your favorite editor and copy each certificate one by one, from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, and paste it into the above site. It will show the details of the certificate. If the cert you pasted into the decoder is not expired, copy the next cert in the .pem file and check its end date.
Once you find the expired cert, just remove it. Make sure you remove it from Begin to End. Then save the file and check again with the openssl command.
Note: make sure to take a backup prior to changing anything in the .pem file.
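Added example (not part of the question or the answer above): the same procedure done entirely from the CLI, as the question asked. The script splits the bundle into its individual certificates with awk, asks openssl x509 -checkend whether each one is already expired (or expires within an optional number of seconds, so it can also be used to find certs that are about to expire), and writes the survivors to a new file in their original order. It assumes bash, awk and openssl are installed; the function name strip_expired_certs and the in.pem/out.pem paths are placeholders chosen for this example. It never rewrites the input file, so the backup the answer recommends is built in: inspect the output, then move it into place yourself.

```shell
#!/usr/bin/env bash
# Added example, not code from the original question or answer.
# Usage: strip_expired_certs IN.pem OUT.pem [SECONDS]
#   Drops every certificate in IN.pem that has already expired, or that expires
#   within SECONDS (default 0 = expired right now), and writes the rest to OUT.pem.
#   Prints the number of kept certificates on stdout; details go to stderr.
set -eu

strip_expired_certs() {
    local in="$1" out="$2" horizon="${3:-0}"
    local tmpdir cert kept=0 dropped=0
    tmpdir=$(mktemp -d)

    # Split the bundle on the BEGIN/END markers into cert-001.pem, cert-002.pem, ...
    # Anything outside those markers (bag attributes, comments, a private key)
    # is not copied, so review the output before deploying it.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n) }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$in"

    : > "$out"
    for cert in "$tmpdir"/cert-*.pem; do
        [ -e "$cert" ] || break
        # -checkend N exits non-zero if the cert expires within the next N seconds.
        if openssl x509 -noout -checkend "$horizon" -in "$cert" >/dev/null 2>&1; then
            cat "$cert" >> "$out"
            kept=$((kept + 1))
        else
            printf 'dropping: %s\n' \
                "$(openssl x509 -noout -subject -fingerprint -sha1 -enddate -in "$cert" | tr '\n' ' ')" >&2
            dropped=$((dropped + 1))
        fi
    done

    rm -rf "$tmpdir"
    printf 'kept %d certificate(s), dropped %d\n' "$kept" "$dropped" >&2
    echo "$kept"
}

# Stand-alone use: bash strip_expired.sh in.pem out.pem [seconds]
if [ "$#" -ge 2 ]; then
    strip_expired_certs "$1" "$2" "${3:-0}"
fi
```

After running it against the bundle from the question, confirm with the same openssl command as before that the fingerprint A2:C0:7F:... no longer appears in the output file, then replace the original (which stays untouched as the backup). Because the filter keys on expiry rather than on the signature algorithm, it will also remove an expired SHA-256 certificate and keep a still-valid SHA-1 one; if the goal is to purge SHA-1 signatures regardless of date, check `openssl x509 -noout -text` for "Signature Algorithm: sha1WithRSAEncryption" on each split file instead.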