 

How to get SSL-Certificate sha1 fingerprint?

How can I get the sha-1 fingerprint, as here:

// A.T. C.     
{ { { 0xf9, 0xb5, 0xb6, 0x32, 0x45, 0x5f, 0x9c, 0xbe, 0xec, 0x57,
    0x5f, 0x80, 0xdc, 0xe9, 0x6e, 0x2c, 0xc7, 0xb2, 0x78, 0xb7 } },
{"1.3.6.1.4.1.34697.2.1", ""},  },

from Chromium source (net/cert/ev_root_ca_metadata.cc). If the Crypto?

When I try, I always get this

04:A0:56:A9:87:64:BB:DC:96:BF:6D:B0:49:FA:80:81:ED:06:8A:1E

Which program can I use for this and what is the name of the command, to get this in crypto?

EDIT

I will add a certificate as EV in firefox / chromium.

asked Apr 29 '14 17:04

user3586278




2 Answers

The SHA-1 fingerprint of a certificate is simply the SHA-1 digest value of its DER representation.

  • If your certificate is in PEM format, you'd need to convert it to DER format first (this is a base-64 decoding).
  • Then, use a SHA-1 digest algorithm (in whichever language you're using) on this DER document.

For example, if you get the fingerprint with OpenSSL directly, you would get this:

$ openssl x509 -fingerprint -in GeoTrust_Global_CA_2.pem -noout
SHA1 Fingerprint=A9:E9:78:08:14:37:58:88:F2:05:19:B0:6D:2B:0D:2B:60:16:90:7D

If you convert the same certificate into DER and then compute its SHA-1 digest, you'll get the same result:

$ openssl x509 -in GeoTrust_Global_CA_2.pem -outform DER | sha1sum
a9e9780814375888f20519b06d2b0d2b6016907d  -

(openssl ... -outform DER produces a DER output on stdout, and sha1sum is a common utility for computing SHA-1 digests from its stdin.)

answered Oct 16 '22 12:10

Bruno
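
The two steps from the answer above (decode PEM to DER, then take the SHA-1 of the DER bytes), as an added Python example that is not part of the original answers; it goes a little further and converts between the OpenSSL, sha1sum and C-array notations that appear on this page. The function names and SAMPLE_PEM are constructed for illustration, and the sample payload is a placeholder rather than a real certificate.

```python
import base64
import hashlib
import re

# Each PEM certificate block; any text around the blocks is ignored.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed sample: the payload is base64 of b"abc", NOT a real certificate.
# The fingerprint depends only on the decoded bytes, so it is enough here.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def pem_to_der(pem_text):
    """Return the decoded (DER) bytes of every certificate block in pem_text."""
    # validate=True rejects stray characters instead of silently dropping them.
    ders = [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_CERT.findall(pem_text)]
    if not ders:
        raise ValueError("no PEM certificate block found")
    return ders


def as_openssl(digest):
    """Colon-separated upper-case hex, as `openssl x509 -fingerprint` prints."""
    return ":".join(f"{b:02X}" for b in digest)


def as_c_array(digest):
    """C initializer list, the notation quoted in the question."""
    return "{ " + ", ".join(f"0x{b:02x}" for b in digest) + " }"


def parse_fingerprint(text):
    """Read 'A9:E9:..', 'a9e9..' or '0xa9, 0xe9, ..' into 20 raw bytes."""
    value = text.rpartition("=")[2]  # drop a leading "SHA1 Fingerprint="
    digest = bytes.fromhex(re.sub(r"0[xX]|[^0-9A-Fa-f]", "", value))
    if len(digest) != hashlib.sha1().digest_size:
        raise ValueError("a SHA-1 fingerprint is exactly 20 bytes")
    return digest


def fingerprints(pem_text):
    """SHA-1 over the DER bytes of each certificate block, as raw digests."""
    return [hashlib.sha1(der).digest() for der in pem_to_der(pem_text)]


if __name__ == "__main__":
    for fp in fingerprints(SAMPLE_PEM):
        print(as_openssl(fp), fp.hex(), as_c_array(fp), sep="\n")
```

Comparing fingerprints as parsed bytes rather than as strings avoids false mismatches caused only by notation or letter case.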


1.3.6.1.4.1.34697.2.1

1.3.6.1.4.1.34697.2.1 is one certificate manufacturer's OID for an EV certificate. Different issuers use different OIDs to denote the EV certificate. There's a question that lists a collection of the EV OIDs here.


Which program can I use for this and what is the name of the command,

To get the fingerprint, try OpenSSL's x509 utility:

$ openssl x509 -in sub.class1.server.ca.pem -fingerprint -noout
SHA1 Fingerprint=F6:91:FC:87:EF:B3:13:53:54:22:5A:10:E1:27:E9:11:D1:C7:F8:CF

In the command above, sub.class1.server.ca.pem is Startcom's Class 1 Server intermediate signing certificate. The cert can be downloaded here.

answered Oct 16 '22 13:10

jww