I would like to store public certs in a database, but I need an attribute of the public cert to index the public certs in the database. I would like to make this a unique field.
Is the fingerprint of a public cert unique?
First, given a thumbprint, it should uniquely identify a certificate (Property U1), or equivalently, no two certificates should have the same thumbprint. Second, given a certificate, there should be a unique thumbprint associated with it (Property U2).
Fingerprints offer incredibly sensitive and strong detection of anything changed anywhere in a security certificate.
The certificate fingerprint is calculated from the certificate. The certificate itself is public information and is transferred in the clear during the SSL/TLS handshake. This makes the fingerprint public information too, i.e. there is usually no danger in having it known by others.
The certificate thumbprint is calculated over the entire certificate, not just the public key. When you renew the certificate, it changes.
The fingerprint is unique (for all practical intents); two different certificates should never share the same hash. For example, per the Windows X509certificate2.thumbprint documentation:
the thumbprint is a unique value for the certificate, it is commonly used to find a particular certificate in a certificate store.
Per the OpenSSL documentation:
Because of the nature of message digests the fingerprint of a certificate is unique to that certificate and two certificates with the same fingerprint can be considered to be the same.
Note the fingerprint is not part of the certificate. Rather, it is calculated by taking a cryptographic hash of the entire certificate (including the signature). Different cryptographic implementations may use different hashing algorithms to compute the fingerprint, and thus provide different fingerprints for the same certificate. (For example, the Windows Crypto API computes the SHA-1 hash of the certificate to compute the thumbprint, whereas OpenSSL can generate the SHA-256 or SHA-1 hash.) You will thus need to ensure that clients using the database fingerprint are using the same API, or a consistent hashing algorithm.
In theory, a duplicate fingerprint shared by multiple certificates would require a hash collision. The probability of such an event occurring by chance is astronomical. Intentionally generating such a certificate pair would require a successful preimage attack on the underlying hash function, an attack not known to be feasible on SHA-1 (see Preimage Attack).
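An added example, not taken from any of the answers above, of using the fingerprint as a unique database key: it hashes the full DER encoding with one fixed algorithm (SHA-256), normalizes the colon-separated and uppercase display forms, and lets SQLite enforce uniqueness. The table layout, the function names and the sample bytes (a constructed stand-in, not a real certificate) are assumptions.

```python
import base64, hashlib, re, sqlite3

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(data: bytes) -> bytes:
    """Return DER bytes; accepts a PEM-wrapped certificate or raw DER."""
    m = PEM_RE.search(data)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def fingerprint(cert: bytes, algo: str = "sha256") -> str:
    """Hash the whole DER encoding (signature included); lowercase hex."""
    return hashlib.new(algo, pem_to_der(cert)).hexdigest()

def normalize(fp: str) -> str:
    """Map 'AB:CD', 'AB CD' and 'abcd' display forms onto one canonical form."""
    cleaned = re.sub(r"[:\s\u200e]", "", fp).lower()  # U+200E can ride along on copy/paste
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("not a hex fingerprint")
    return cleaned

def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # The column name records the algorithm so every client hashes the same way.
    db.execute("CREATE TABLE certs (fp_sha256 TEXT PRIMARY KEY, der BLOB NOT NULL)")
    return db

def add_cert(db: sqlite3.Connection, cert: bytes) -> bool:
    """Insert a certificate; return False if the same certificate is already stored."""
    der = pem_to_der(cert)
    try:
        db.execute("INSERT INTO certs VALUES (?, ?)", (fingerprint(der), der))
        return True
    except sqlite3.IntegrityError:
        return False

def find_cert(db: sqlite3.Connection, fp: str):
    """Look up by SHA-256 fingerprint in any display form; None if absent."""
    row = db.execute("SELECT der FROM certs WHERE fp_sha256 = ?", (normalize(fp),)).fetchone()
    return row[0] if row else None

# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed placeholder, not a real certificate" * 3
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    db = open_store()
    print(add_cert(db, SAMPLE_DER), add_cert(db, SAMPLE_PEM))  # same cert, two encodings
    print(fingerprint(SAMPLE_DER, "sha1"), fingerprint(SAMPLE_DER))
```

A SHA-1 thumbprint copied from the Windows certificate store will not match the `fp_sha256` column; store a second column per algorithm if clients need both.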