Discussion:
x509 fingerprint or thumbprint calculation
Oscar So
2006-04-04 05:07:14 UTC
Hi,

I know that to calculate the fingerprint of an x509 certificate is to hash
(SHA1 and MD5) the PEM format of an x509 certificate.
However, I am not sure if I should hash the whole PEM file or leave the
header and footer alone. For example, should I leave the header
"-----BEGIN CERTIFICATE-----" and footer "-----END CERTIFICATE-----" alone,
and then just hash anything in between?
I am having trouble trying to figure out a way to compute the hash value.
I tried so many things!

Thanks,
Oscar
Weijun Max Wang
2006-04-04 06:55:09 UTC
The input to the hash should be the base64-decoded value of the lines
between ----XXXXX CERTIFICATE-----, like this --

openssl x509 -in cer.cert -text | perl -ne 'print if /BEGIN/../END/' |
openssl base64 -d | openssl md5 -hex

Max
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org
Dr. Stephen Henson
2006-04-04 14:45:18 UTC
All of your questions should be asked in openssl-users not openssl-dev.

The function X509_digest() will give you the fingerprint of the certificate.
openssl x509 -in cert.pem -noout -fingerprint
openssl x509 -in cert.pem -noout -sha1 -fingerprint

It is the hash of the DER (binary) form of the certificate which is the stuff
between those lines base64 decoded.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
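
Added example, not code from the thread or from OpenSSL: it shows that the fingerprint is the hash of the base64-decoded DER bytes, so it stays the same however the PEM text is wrapped or prefixed, while a hash of the PEM text does not. SAMPLE_DER is constructed stand-in data rather than a real certificate, and to_pem, PEM_A and PEM_B are hypothetical names used only for this demonstration.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in pem_text."""
    match = PEM_CERT.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    # Remove line wrapping (LF or CRLF) and decode strictly.
    body = "".join(match.group(1).split())
    return base64.b64decode(body, validate=True)


def fingerprint(pem_text: str, algorithm: str = "sha1") -> str:
    """Hash the DER form; return colon-separated upper-case hex."""
    digest = hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der: bytes, width: int = 64, newline: str = "\n") -> str:
    """Hypothetical helper: wrap DER bytes in PEM armor for the demo."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    armor = ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
    return newline.join(armor) + newline


# Constructed stand-in bytes, not a real certificate: the hash does not
# care whether the input parses as X.509, only which bytes it is given.
SAMPLE_DER = b"\x30\x82\x01\x2a" + bytes(range(256)) + bytes(range(42))

# Same bytes, two encodings: 64-column LF, and 76-column CRLF after a text dump.
PEM_A = to_pem(SAMPLE_DER)
PEM_B = "Certificate:\n    Data: (text dump)\n" + to_pem(SAMPLE_DER, 76, "\r\n")

if __name__ == "__main__":
    print("DER hash, PEM_A :", fingerprint(PEM_A))
    print("DER hash, PEM_B :", fingerprint(PEM_B))
    print("PEM text hash A :", hashlib.sha1(PEM_A.encode()).hexdigest())
    print("PEM text hash B :", hashlib.sha1(PEM_B.encode()).hexdigest())
```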