What is the actual value of a certificate fingerprint? And how to view them?
In an x509 digital certificate, there is a "certificate fingerprint" section. It contains md5, sha1, and SHA256. How are these obtained, and during the SSL connection, how are these values checked for?
The certificate fingerprint, as displayed in the Fingerprints section when looking at a certificate with Firefox or the thumbprint in IE is the hash of the entire certificate in DER form.
- If your certificate is in PEM format, convert it to DER with OpenSSL:
- openssl x509 -in cert.crt -outform DER -out cert.cer
- Then, perform an SHA-1 hash on it (e.g. with sha1sum1):
- sha1sum cert.cer
This should produce the same result as what you see in the browser. These values are not part of the certificate, rather they are computed from the certificate. One application of these fingerprints is to validate EV certificates. In this case, the SHA-1 fingerprint of the root EV CA certificate is hard-coded in the browser (note that (a) it's the fingerprint of the root cert and (b) it has to match exactly the trust anchors shipped with the version of the browser compiled with those values).
Apart from this, these fingerprints are mostly used for identifying the certificates (for organizing them). It's the actual public keys that are used for the verification of other certificates in the chain. The digest used for signing the certificate is actually not in the certificate (only the resulting signature). See certificate structure: In this case, the signature value is computed from the DER-encoded DBS certificate (i.e. its content). When the signature algorithm is SHA1 with RSA (for example), an SHA-1 digest is computed and then signed using the RSA private key of the issuer. This SHA-1 digest has nothing to do with the fingerprint has shown by openssl x509 -fingerprint or within the browser, since it's that of the tbsCertificate section only.
How to view a certificate fingerprint as SHA-256, SHA-1 or MD5 using OpenSSL for RSA Authentication Manager?
- This solution assumes the use of Windows.
- Install the latest version of OpenSSL for Windows.
- Open the Windows Command-Line.
- Navigate to the OpenSSL installation directory (the default directory is C:OpenSSL-Win32in).
- Run one of the following commands to view the certificate fingerprint/thumbprint:
openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt]
openssl x509 -noout -fingerprint -sha1 -inform pem -in [certificate-file.crt]
openssl x509 -noout -fingerprint -md5 -inform pem -in [certificate-file.crt]