What's the value of a certificate fingerprint?

387    Asked by AnilJha in Cyber Security , Asked on Mar 14, 2022

 In a x509 digital certificate there is a "certificate fingerprint" section. It contains md5, sha1 and sha256. How are these obtained, and during the SSL connection, how are these values checked for?

Answered by Andrea Bailey

The certificate fingerprint, as displayed in the Fingerprints section when looking at a certificate with Firefox or the thumbprint in IE is the hash of the entire certificate in DER form.


If your certificate is in PEM format, convert it to DER with OpenSSL:

openssl x509 -in cert.crt -outform DER -out cert.cer

Then, perform a SHA-1 hash on it (e.g. with sha1sum1):

sha1sum cert.cer

This should produce the same result as what you see in the browser. These values are not part of the certificate, rather they are computed from the certificate. One application of these fingerprints is to validate EV certificates. In this case, the SHA-1 fingerprint of the root EV CA certificate is hard-coded in the browser (note that (a) it's the fingerprint of the root cert and (b) it has to match exactly the trust anchors shipped with the version of the browser compiled with those values). Apart from this, these fingerprints are mostly used for identifying the certificates (for organising them). It's the actual public keys that are used for the verification of other certificates in the chain. The digest used for signing the certificate is actually not in the certificate (only the resulting signature). See certificate structure:

   Certificate  ::=  SEQUENCE  {

        tbsCertificate       TBSCertificate,

        signatureAlgorithm   AlgorithmIdentifier,

        signatureValue       BIT STRING  }

   TBSCertificate  ::=  SEQUENCE  {

        version         [0]  EXPLICIT Version DEFAULT v1,

        serialNumber         CertificateSerialNumber,

        signature            AlgorithmIdentifier,

        issuer               Name,

        validity             Validity,

        subject              Name,

        ...

In this case, the signature value is computed from the DER encoded tbsCertificate (i.e. its content). When the signature algorithm is SHA1 with RSA (for example), a SHA-1 digest is computed and then signed using the RSA private key of the issuer. This SHA-1 digest has nothing to do with the fingerprint has shown by openssl x509 -fingerprint or within the browser, since it's that of the tbsCertificate section only. There are also a couple of unrelated extensions that can make use of digests of the public keys this time: the Subject Key Identifier and the Authority Key Identifier. These are optional (and within the TBS content of the certificate).



Your Answer

Online Course

Tutorials

Salesforce Tutorial

Software Testing Tutorial

SQL Tutorial

Business Analyst Tutorial

Devops Tutorial

Data Science Tutorial

AWS Tutorial

Hadoop Tutorial

SSRS Tutorial

AWS S3 Tutorial

Functional Testing Tutorial

SSAS Tutorial

Automation Testing Tutorial

Manual Testing Tutorial

Selenium Tutorial

Kubernetes Tutorial

Scala Tutorial

ETL Testing Tutorial

Python Tutorial

Pyspark Tutorial

R Tutorial

Unit Testing Tutorial

API Testing Tutorial

Puppet Tutorial

Integration Testing Tutorial

Chef Tutorial

Jenkins Tutorial

Ansible Tutorial

Vagrant Tutorial

Docker Tutorial

Interviews

Parent Categories

Copyright | JanBaskTraining.com