> On 17 May 2015, at 16:10, Natxo Asenjo <natxo.ase...@gmail.com> wrote:
>
> hi,
>
> connecting to a freeipa ldap host (that uses the 389 directory server under
> the hood) I can successfully retrieve certificates belonging to hosts.
>
> I can then use Crypt::X509 to extract info from that. But how could I get the
> fingerprints? If I use the apache directory studio ldap client I can see the
> md5 and sha1 fingerprints of the attribute but I seem incapable of getting it
> using my script.
>
> use Net::LDAP;
> use Crypt::X509;
>
> my $ldap = Net::LDAP->new( $server ) or die "$@";
>
> # Upgrade the connection to TLS and verify the server certificate
> my $mesg = $ldap->start_tls(
>     verify     => 'require',
>     sslversion => 'tlsv1',
> );
>
> $mesg = $ldap->bind (
>     "testuser",
>     password => 'pwd',
>     version  => 3,
> );
>
> my $search = $ldap->search(
>     base   => $base,
>     scope  => 'sub',
>     filter => '(objectclass=*)',
>     attrs  => ['usercertificate'],   # the option is "attrs"; "attr" is ignored
> );
>
> for my $entry ( $search->entries ) {
>     my $cert = $entry->get_value( 'usercertificate' );
>     next unless defined $cert;       # entry has no certificate
>     my $decoded = Crypt::X509->new( cert => $cert );
>     if ( $decoded->error ) {
>         warn "Error parsing certificate: ", $decoded->error;
>         next;                        # skip values that did not parse
>     }
>     print "Subject: " . $decoded->subject_cn, "\n";
>     print "notafter: " . gmtime( $decoded->not_after ), "\n";
> }
>
> So this works, but I see no method to get the fingerprint. Is there a way to
> get it from the info I get from ldap?

This code uses Net::SSLeay to extract a fingerprint from something like your $cert.

http://cpansearch.perl.org/src/MIKEM/Net-SSLeay-1.46/examples/x509_cert_details.pl

Chris
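
Added example, not part of the original thread and not code from Net::SSLeay or Crypt::X509: a certificate fingerprint is the digest of the whole DER-encoded certificate, so it can be computed from the attribute value with core Perl modules alone. The helper names (to_der, colonize, fingerprints) and the sample bytes are constructed for illustration; the sample is not a real certificate.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5  qw(md5_hex);
use Digest::SHA  qw(sha1_hex sha256_hex);
use MIME::Base64 qw(decode_base64 encode_base64);

# Return DER bytes for a value that may be raw DER or PEM text.
# Hashing the PEM text itself would give a different, useless digest.
sub to_der {
    my ($value) = @_;
    if ($value =~ /-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----/s) {
        return decode_base64($1);    # ignores the embedded newlines
    }
    return $value;                   # assumed to be raw DER already
}

# Format a hex digest as upper-case, colon-separated byte pairs.
sub colonize {
    my ($hex) = @_;
    return uc join(':', $hex =~ /(..)/g);
}

# Compute the fingerprints over the complete DER encoding.
sub fingerprints {
    my ($value) = @_;
    my $der = to_der($value);
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    die "value does not look like a DER certificate\n"
        unless length($der) > 2 && substr($der, 0, 1) eq "\x30";
    return {
        md5    => colonize(md5_hex($der)),
        sha1   => colonize(sha1_hex($der)),
        sha256 => colonize(sha256_hex($der)),
    };
}

# Constructed sample bytes (NOT a real certificate) standing in for one
# value of $entry->get_value('usercertificate'); in list context that
# call returns every value of a multi-valued attribute.
my $der = "\x30\x0b" . "constructed";
my $pem = "-----BEGIN CERTIFICATE-----\n" . encode_base64($der)
        . "-----END CERTIFICATE-----\n";

my ($from_der, $from_pem) = (fingerprints($der), fingerprints($pem));
for my $alg (qw(md5 sha1 sha256)) {
    die "$alg differs between DER and PEM input\n"
        unless $from_der->{$alg} eq $from_pem->{$alg};
    printf "%-6s %s\n", $alg, $from_der->{$alg};
}
```

MD5 and SHA-1 are included only because those are the digests the LDAP client in the question displays; prefer the SHA-256 value when comparing or pinning certificates.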