Question

How can I get the SHA-1 fingerprint, as here:

// A.T. C.     
{ { { 0xf9, 0xb5, 0xb6, 0x32, 0x45, 0x5f, 0x9c, 0xbe, 0xec, 0x57,
    0x5f, 0x80, 0xdc, 0xe9, 0x6e, 0x2c, 0xc7, 0xb2, 0x78, 0xb7 } },
{"1.3.6.1.4.1.34697.2.1", ""},  },

from Chromium source (net/cert/ev_root_ca_metadata.cc). If the Crypto?

When I try, I always get this

04:A0:56:A9:87:64:BB:DC:96:BF:6D:B0:49:FA:80:81:ED:06:8A:1E

Which program can I use for this and what is the name of the command, to get this in crypto?

EDIT

I will add a certificate as EV in firefox / chromium.


Solution

The SHA-1 fingerprint of a certificate is simply the SHA-1 digest value of its DER representation.

  • If your certificate is in PEM format, you'd need to convert it in DER format first (this is a base-64 decoding).
  • Then, use a SHA-1 digest algorithm (in whichever language you're using) on this DER document.

For example, if you get the fingerprint with OpenSSL directly, you would get this:

$ openssl x509 -fingerprint -in GeoTrust_Global_CA_2.pem -noout
SHA1 Fingerprint=A9:E9:78:08:14:37:58:88:F2:05:19:B0:6D:2B:0D:2B:60:16:90:7D

If you convert the same certificate into DER and then compute its SHA-1 digest, you'll get the same result:

$ openssl x509 -in GeoTrust_Global_CA_2.pem -outform DER | sha1sum
a9e9780814375888f20519b06d2b0d2b6016907d  -

(openssl ... -outform DER produces a DER output on stdout, and sha1sum is a common utility for computing SHA-1 digests from its stdin.)
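As an added example (not part of the original answer), here is the same computation in Python: decode PEM to DER, take the SHA-1 digest, and print it both in OpenSSL's colon-separated form and in the byte-array form shown in the question. The function names are hypothetical, and the sample bytes in the demo are a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def to_der(data: bytes) -> bytes:
    """Return DER bytes for the first certificate in `data` (PEM or DER)."""
    match = PEM_RE.search(data)
    if match is None:
        # No PEM armour: accept only DER, which starts with a SEQUENCE tag.
        if not data.startswith(b"\x30"):
            raise ValueError("input is neither PEM nor DER")
        return data
    # The PEM body is base64 of the DER document; drop line breaks first.
    body = b"".join(match.group(1).split())
    return base64.b64decode(body, validate=True)

def sha1_fingerprint(data: bytes) -> bytes:
    """SHA-1 over the DER encoding, as the raw 20-byte digest."""
    return hashlib.sha1(to_der(data)).digest()

def colon_hex(digest: bytes) -> str:
    """OpenSSL style: A9:E9:78:..."""
    return ":".join(f"{b:02X}" for b in digest)

def c_array(digest: bytes) -> str:
    """Byte-array initializer style, as in the snippet from the question."""
    return "{ " + ", ".join(f"0x{b:02x}" for b in digest) + " }"

def parse_colon_hex(text: str) -> bytes:
    """Turn openssl's 'SHA1 Fingerprint=...' value back into raw bytes."""
    digest = bytes.fromhex(text.split("=")[-1].replace(":", ""))
    if len(digest) != 20:
        raise ValueError("a SHA-1 fingerprint must be 20 bytes")
    return digest

if __name__ == "__main__":
    # Constructed placeholder bytes, not a real certificate.
    fake_der = b"\x30\x03\x02\x01\x01"
    pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(fake_der)
           + b"\n-----END CERTIFICATE-----\n")
    print(colon_hex(sha1_fingerprint(pem)))   # same digest as for fake_der
    print(c_array(sha1_fingerprint(fake_der)))
```

Passing the `SHA1 Fingerprint=...` line from `openssl x509 -fingerprint` through `parse_colon_hex` and then `c_array` gives the byte-array form without recomputing the digest.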

OTHER TIPS

1.3.6.1.4.1.34697.2.1

1.3.6.1.4.1.34697.2.1 is one certificate manufacturer's OID for an EV certificate. Different issuers use different OIDs to denote the EV certificate. There's a question that lists a collection of the EV OIDs here.


Which program can I use for this and what is the name of the command,

To get the fingerprint, try OpenSSL's x509 utility:

$ openssl x509 -in sub.class1.server.ca.pem -fingerprint -noout
SHA1 Fingerprint=F6:91:FC:87:EF:B3:13:53:54:22:5A:10:E1:27:E9:11:D1:C7:F8:CF

In the command above, sub.class1.server.ca.pem is Startcom's Class 1 Server intermediate signing certificate. The cert can be downloaded here.

Licensed under: CC-BY-SA with attribution