I gave you sudo, just fix it.
peter's blog
Comparing SSL server certificates
Today a client sent us a new server certificate for their site. Not being involved in the process, I wasn't entirely certain that the certificate was matched to the appropriate private key. One way to test would've been to drop the new cert in place, reload the server, and see if my browser barfed. But that's far from elegant. What's the right way to make sure that two server certificates are matched to the same private key?
The elegant solution? Use openssl to parse the certificates (new and old) and make sure the public key information on the two certificates matches. If the public key fingerprints match, by definition the certs are bound to the same private key. The openssl command here parses the cert; the awk snippet only prints the lines between the two matching expressions:
openssl x509 -in server.crt.old -noout -text |
awk '/Public Key/,/Exponent/' >/tmp/old
openssl x509 -in server.crt.new -noout -text |
awk '/Public Key/,/Exponent/' >/tmp/new
diff /tmp/old /tmp/new
# no output -- if you don't trust that, then:
paste /tmp/old /tmp/new
Using awk always makes me feel fusty, but it's easier than actually thinking, "Oh, how would I do that in Ruby?"
Unix trick of the week: cron + time + swap stdout/stderr + logger
This week I was trying to get some timing data from a process that was being run out of cron. Being lazy, and not wanting to rewrite the process itself, I decided to try getting the elapsed time directly from the cron entry.
The original cron entry was:
* * * * * /home/peter/test.sh >/dev/null
The final entry is:
* * * * * /usr/bin/time -f \%E /home/peter/test.sh 2>&1 1>/dev/null | logger -p local6.debug
Now for some dissection:

* * * * *
Run this every minute.

/usr/bin/time -f \%E /some/path/script.sh
Time the command and only report the elapsed time. The bash shell has a built-in 'time' command, but I prefer the formatting of GNU time. In a regular shell script the format string would just be %E, but the '%' in a cron entry means 'newline' unless you escape it with a '\' (backslash).

2>&1 1>/dev/null
Send stderr (filehandle 2) to wherever stdout (filehandle 1) currently points, which is the pipe; then send stdout to /dev/null. Redirections are applied left to right, so the order matters: written the other way round, both streams would end up in /dev/null.

| logger -p local6.debug
Pipe the stdout (now carrying the elapsed time) into logger for logging into syslog. You'd also need to add a line like this to /etc/syslogd.conf:

local6.debug /var/log/test.log

and send a 'kill -HUP' to your syslog daemon.
On the way to putting this together I came across the following little idiom that I'd used before but long forgotten. To swap standard output and standard error entirely, use:

/some/command.sh 3>&2 2>&1 1>&3-

Now, explaining this would take me away from other work that must be done for too long. Maybe later....
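As an added example, not part of the original post, here is a small shell script that runs the two redirection sequences from this post against a constructed stand-in for /home/peter/test.sh (one line on stdout, one on stderr), and also shows what happens when the cron redirections are written in the other order. It assumes only a POSIX sh; the post's bash-only `1>&3-` is spelled `1>&3 3>&-` so it runs in plain sh.

```shell
#!/bin/sh
# Added example, not from the original post: shows what the post's two
# redirection sequences do, using a constructed command that writes one
# line to stdout and one to stderr (a stand-in for /home/peter/test.sh).

noisy() {
    echo "OUT: normal output"
    echo "ERR: diagnostic" >&2
}

# The cron idiom `2>&1 1>/dev/null`. Redirections are applied left to
# right: fd 2 is first pointed at what fd 1 currently is (the pipe), then
# fd 1 is pointed at /dev/null. Only stderr reaches the pipe.
only_stderr_through_pipe() {
    noisy 2>&1 1>/dev/null | cat
}

# The same two redirections in the opposite order: fd 1 goes to /dev/null
# first, then fd 2 is pointed at fd 1, so both streams are discarded and
# nothing reaches the pipe. An easy mistake to make in a crontab.
both_discarded() {
    noisy 1>/dev/null 2>&1 | cat
}

# The swap idiom `3>&2 2>&1 1>&3-`: fd 3 keeps a copy of stderr, fd 2 is
# pointed at stdout, fd 1 at the saved stderr, and fd 3 is closed. The
# post's `1>&3-` ("dup and close") is bash/ksh syntax; `1>&3 3>&-` is the
# portable spelling used here. The command's stdout now lands on the
# caller's stderr and vice versa. To show both halves, the caller's
# stderr is collected in a temp file while stdout goes through the pipe.
swap_report() {
    tmp=$(mktemp)
    piped=$( { noisy 3>&2 2>&1 1>&3 3>&-; } 2>"$tmp" | cat )
    other=$(cat "$tmp")
    rm -f "$tmp"
    printf 'pipe=[%s] stderr=[%s]\n' "$piped" "$other"
}

echo "cron idiom:  $(only_stderr_through_pipe)"
echo "wrong order: $(both_discarded)"
echo "swap idiom:  $(swap_report)"
```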