The SHA-1 fingerprint of a certificate is simply the SHA-1 digest value of its DER representation.
- If your certificate is in PEM format, you'd need to convert it to DER format first (this is a Base64 decoding).
- Then, use a SHA-1 digest algorithm (in whichever language you're using) on this DER document.
For example, if you get the fingerprint with OpenSSL directly, you would get this:

    $ openssl x509 -fingerprint -in GeoTrust_Global_CA_2.pem -noout
    SHA1 Fingerprint=A9:E9:78:08:14:37:58:88:F2:05:19:B0:6D:2B:0D:2B:60:16:90:7D

If you convert the same certificate into DER and then compute its SHA-1 digest, you'll get the same result:

    $ openssl x509 -in GeoTrust_Global_CA_2.pem -outform DER | sha1sum
    a9e9780814375888f20519b06d2b0d2b6016907d -

(`openssl ... -outform DER` produces a DER output on stdout, and `sha1sum` is a common utility for computing SHA-1 digests from its stdin.)
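
The same two steps (Base64-decode the PEM body to DER, then SHA-1 the DER bytes) in Python, as an added example that is not part of the original answer. It also compares the two display forms shown above (OpenSSL's colon-separated uppercase and `sha1sum`'s lowercase hex). The function names are hypothetical, and `SAMPLE_PEM` is a constructed block whose payload is the three bytes `abc`, not a real certificate.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

# Constructed sample: the Base64 body decodes to b"abc", not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\r\nYWJj\r\n-----END CERTIFICATE-----\r\n"


def pem_to_der(pem_text):
    """Return the DER bytes of every CERTIFICATE block (handles bundles)."""
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        # Drop line breaks (LF or CRLF) and indentation before decoding.
        b64 = "".join(body.split())
        ders.append(base64.b64decode(b64, validate=True))
    if not ders:
        raise ValueError("no PEM CERTIFICATE block found")
    return ders


def sha1_fingerprint(der):
    """SHA-1 over the DER bytes, formatted like `openssl x509 -fingerprint`."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Reduce either display form to 40 lowercase hex digits."""
    # Tolerate a "SHA1 Fingerprint=" prefix and sha1sum's trailing " -".
    tokens = fp.strip().split("=")[-1].split()
    hexdigits = tokens[0].replace(":", "").lower() if tokens else ""
    if not re.fullmatch(r"[0-9a-f]{40}", hexdigits):
        raise ValueError("not a SHA-1 fingerprint")
    return hexdigits


def same_fingerprint(a, b):
    """True when two fingerprints match regardless of display format."""
    return normalize(a) == normalize(b)


if __name__ == "__main__":
    for der in pem_to_der(SAMPLE_PEM):
        print("SHA1 Fingerprint=" + sha1_fingerprint(der))
```
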