You can use the normal validation routines (see How do you verify a public key was issued by your private CA?), like the -verify function in OpenSSL does. You need to create a lookup method (X509_LOOKUP_METHOD) like X509_LOOKUP_file(), but which works with a character string instead of a filename. The code for X509_LOOKUP_buffer() is as … Read more
Ok problem solved! The solution is this: First get the self-signed certificate from the mail server via openssl: echo | openssl s_client -connect yoursever:port 2>&1 | sed -ne ‘/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p’ > yourcert.pem Then save the yourcert.pem file into this path /Library/Java/Home/lib/security (on macOSX) and put the cert file into the cacerts like this keytool … Read more
Since this is a programming web-site, i wanted to explain how to calculate the public key hash for Public Key Pinning. This is important because the algorithm is completely undocumented. (It’s not even documented by the canonical RFC 7469 Public Key Pinning Extension for HTTP ! The RFC simply says “Use OpenSSL”. That is a … Read more
I realize that this is a very late (and long) answer. But considering how well this question seems to rank in search engine results, I figured it might be worth writing a decent answer for. A lot of what you will read below is borrowed from this demo and the OpenSSL docs. The code below … Read more
To fix this, you need to supply an extra parameter to openssl when you’re creating the cert, basically -sha256 -extfile v3.ext where v3.ext is a file like so, with %%DOMAIN%% replaced with the same name you use as your Common Name. More info here and over here. Note that typically you’d set the Common Name … Read more