SSL Certificate: Signature Algorithm shows "sha256rsa" but thumbprint algorithm shows "sha1"

I have a certificate where Signature Algorithm shows "sha256rsa" but thumbprint algorithm shows "sha1". What will be the identification of my certificate SHA1/SHA2?

Thanks!

rc reddy asked May 05 '16 02:05


1 Answer

TL;DR: signature and thumbprint are totally different things. For the strength of the certificate, the thumbprint is irrelevant but the signature is relevant.

The signature of a certificate is the thing the issuer creates by signing the certificate. This signature is used by the TLS stack (inside the browser) to validate the trust chain. It is important to use a strong algorithm here so that nobody can create a fake certificate which looks like it was signed by a trusted issuer (CA).

The thumbprint is just a hash over the certificate. It is mainly intended for human reception, i.e. to check that the certificate is the intended one. This is usually used with self-signed certificates where the browser cannot validate the certificate by itself since there is no trusted issuer, and so the user should verify the certificate manually against the expected one.

A certificate has only a single signature since it has only a single issuer. But you often find multiple thumbprints for the certificate, i.e. one with MD5, one with SHA-1 and one with SHA-256. This is because the browser does not know which one you got for manual verification and that's why it offers you the most common versions.

What will be the identification of my certificate SHA1/SHA2?

The identification is the certificate itself, i.e. neither the signature nor the thumbprint. But if you mean the "this certificate was signed with ..." part, then this is SHA-256 in your case, since what counts is the signature and not some thumbprint.

Steffen Ullrich answered Sep 29 '22 07:09
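The distinction the answer draws can be checked with the openssl CLI. The script below is an added example, not part of the question or answer: it generates a throwaway self-signed certificate (constructed, signed with SHA-256 and RSA), reads back the one signature algorithm recorded inside the certificate, and then computes SHA-1 and SHA-256 thumbprints of the same certificate both with `-fingerprint` and by hashing the DER bytes directly. The hostname `example.test` and the temporary paths are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the answer above): the signature algorithm is a fixed
# property written into the certificate by its issuer, while a "thumbprint" is just
# whatever digest a viewer computes over the certificate's DER bytes.
# Requires the openssl CLI.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/cert.pem"

# Constructed throwaway self-signed certificate, signed with SHA-256 + RSA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=example.test" -keyout "$WORK/key.pem" -out "$CERT" >/dev/null 2>&1

# The signature algorithm recorded in the certificate (one value, chosen by the issuer).
sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# A thumbprint as a certificate viewer would display it: lowercase hex, no colons.
# $2 is the digest name (sha1, sha256, ...); any digest works on the same certificate.
thumb() {
    openssl x509 -in "$1" -noout -fingerprint -"$2" | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# The same thumbprint computed by hand: the digest over the DER encoding.
der_hash() {
    openssl x509 -in "$1" -outform DER | openssl dgst -"$2" | awk '{print $NF}'
}

echo "signature algorithm : $(sig_alg "$CERT")"
for d in sha1 sha256; do
    echo "$d thumbprint    : $(thumb "$CERT" "$d")"
    echo "$d digest of DER : $(der_hash "$CERT" "$d")"
done
```

Running it prints `sha256WithRSAEncryption` once as the signature algorithm, while the SHA-1 and SHA-256 thumbprints both exist for the very same certificate and each equals the plain digest of its DER bytes. That is why a viewer showing a "sha1" thumbprint says nothing about the certificate's strength: switching the thumbprint to SHA-256 is a local choice of hash function, whereas changing the signature algorithm requires the issuer to sign a new certificate.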