Search code examples
sslsha256

How to properly compute the fingerprint of a certificate

I have a CA like this in file file.pem:

-----BEGIN CERTIFICATE-----
MIIDczCCAlugAwIBAgIHALRRMXUkMTANBgkqhkiG9w0BAQ0FADBHMRswGQYDVQQD
DBJIdHRwQ2FuYXJ5IFJvb3QgQ0ExEzARBgNVBAoMCkh0dHBDYW5hcnkxEzARBgNV
BAsMCkh0dHBDYW5hcnkwHhcNMjAwMTE1MDc1MjUwWhcNMzEwMTEyMDc1MjUwWjBH
MRswGQYDVQQDDBJIdHRwQ2FuYXJ5IFJvb3QgQ0ExEzARBgNVBAoMCkh0dHBDYW5h
cnkxEzARBgNVBAsMCkh0dHBDYW5hcnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDpDLS2xbpRfTgCPn9Xz0PdWNdppo7vUltGQlzJfD0FQZsyiCU3sYAe
oRGaInwgS4knBEt/9hxaLC8ivz9UlXWIhg8Xy4g+J463HfD4kP2fQElHfo+SlFwc
flkIVKgOB/rMgFMp6LH9YP+bmYMy3ndXYkTkYAGL6Q2EWO90HQLYkt2pm5ij7755
vp8Dksc7LHnHo0sqzrpB953Sx5dVTSyQ91fU3scxo8xvcJQG/vYfbEJA6rZunlLO
3NG8i8JhEYpEjWlf7MV0WIjlPk2vMCHKei/Wyd0msrmL12vjOl3IxMSZQn76SZ1k
+l9E+wuaAw61DnrzD2gkF3yfCNHr8xsrAgMBAAGjZDBiMB0GA1UdDgQWBBQpj7CB
UKauWN0/B4d2jAQxbmjTpDAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBtjAj
BgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwDQYJKoZIhvcNAQEN
BQADggEBAKjH9gYYRg+BLXqey9FGd7mR5hCC3lB7NfLEyJULlAoLgzdGieXfcwdX
Qe5clq6Wfk35v2VxVBg1j/oxZYZyJxFvWiuJ840FHgOb5kD7qTS7i735PCbAyCVf
uSTonQw0Ny8gnjoTijjO/Dh0O6j2wr2kIHORdC2H4Kbya7jyriqY/M/tiuolDyBc
4RWW52pmDdFi+DMvdroRMaE/1fzDiYRB4ongMNLm7fytGTg9Dakhy7o4OC+dmlGm
miUEQIACm2cWrfI1/tjwh+BpbXG91i8y8FPA4YZ2iNmF1133dJhjNx66LETOfJA5
9dZqO1SpbFk4NVpI4UYzfzMdpqw2KgM=
-----END CERTIFICATE-----

And I want the hash of this with a SHA-256 hash value to have something like this:

"certificate_hash": "8eb1ec754c1d04af13efa97da1be05c90f1342e5"

But I don’t know how to do that. I know the hexadecimal value of my CA and tried to check with the final result of the convert, but it’s not the same. How can I have the SHA-256 hash value from this CA?

Signed SHA-256 hash value:

B2:62:DC:C4:F2:4A:AA:51:C9:5C:00:6C:0F:27:19:00:DE:42:3D:D3:8C:79:72:89:9A:8D:89:37:84:2E:1E:58

Signed SHA-1 hash value:

84:29:CA:F9:EE:3A:3C:CB:4A:08:42:66:0E:BA:2D:84:FC:B4:E5:51
Solution

  • You have a PEM encoded certificate. To compute the fingerprint, one first need to decode it from the PEM representation into a binary. For this, the header and footer (starting with -----) need to be removed and the rest need to be decoded as Base64. From the resulting binary the SHA-1 or SHA-256 hash values can then be computed.

    In short, on the Linux command line (with shell prompt "$"):

    $ grep -v ^- cert.pem  | base64 -d | sha256sum
b262dcc4f24aaa51c95c006c0f271900de423dd38c7972899a8d8937842e1e58 -

$ grep -v ^- cert.pem  | base64 -d | sha1sum
8429caf9ee3a3ccb4a0842660eba2d84fcb4e551  -

    The b262dc... is exactly the same as the B2:62:DC:... from your question, only different.

    Of course, one could also simply use openssl x509:

    $ openssl x509 -in cert.pem -fingerprint -sha256
SHA256 Fingerprint=B2:62:DC:C4:F2:4A:AA:51:C9:5C:00:6C:0F:27:19:00:DE:42:3D:D3:8C:79:72:89:9A:8D:89:37:84:2E:1E:5

$ openssl x509 -in cert.pem -fingerprint -sha1
SHA1 Fingerprint=84:29:CA:F9:EE:3A:3C:CB:4A:08:42:66:0E:BA:2D:84:FC:B4:E5:51