SSL Certificate Fingerprints (SHA-1/SHA-256)
Understand SSL certificate fingerprints — SHA-1 and SHA-256 hashes that uniquely identify a certificate. Learn how fingerprints are calculated and used for verification and pinning.
Detailed Explanation
What Is a Certificate Fingerprint?
A certificate fingerprint (also called a thumbprint) is a cryptographic hash of the entire DER-encoded certificate. It is not a field inside the certificate — it is computed from the certificate's binary content and serves as a unique identifier.
How Fingerprints Are Calculated
The fingerprint is the hash of the raw DER (binary) form of the certificate, regardless of whether you received it as PEM or DER:
```shell
# SHA-256 fingerprint
openssl x509 -in cert.pem -noout -fingerprint -sha256
# Output: SHA256 Fingerprint=2E:F4:A1:B3:...
# SHA-1 fingerprint (legacy)
openssl x509 -in cert.pem -noout -fingerprint -sha1
# Output: SHA1 Fingerprint=A3:4B:C2:...
```
The process is: read the DER bytes of the entire certificate, compute the hash (SHA-256 or SHA-1), and format it as colon-separated hexadecimal pairs.
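The three steps above, carried out in plain Python so the result can be compared with the OpenSSL output. This is an added example, not code from the original page; the "certificate" it hashes is a constructed placeholder byte string (not a real X.509 certificate), wrapped in PEM armour to show that the PEM and DER forms of the same bytes give the same fingerprint.

```python
"""Compute certificate fingerprints the way `openssl x509 -fingerprint` does.

Added example. SAMPLE_DER is a constructed stand-in for real DER bytes so the
script runs offline; real input would come from a .pem or .der file.
"""
import base64
import hashlib
import re

# Matches the body between PEM armour lines; the label is any word (CERTIFICATE, ...).
_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to the raw DER bytes.

    The fingerprint is always taken over these DER bytes, so a PEM file and
    the equivalent DER file yield the same fingerprint.
    """
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    body = "".join(m.group(2).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hash the DER bytes and format as colon-separated uppercase hex pairs."""
    if algo not in ("sha1", "sha256"):
        raise ValueError("unsupported fingerprint algorithm: " + algo)
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_from_pem(pem: str) -> dict:
    """Return both fingerprints for a PEM-encoded certificate."""
    der = pem_to_der(pem)
    return {"sha1": fingerprint(der, "sha1"), "sha256": fingerprint(der, "sha256")}


# Constructed sample: these bytes stand in for a DER-encoded certificate.
SAMPLE_DER = b"abc"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    fps = fingerprints_from_pem(SAMPLE_PEM)
    print("SHA1 Fingerprint=" + fps["sha1"])
    print("SHA256 Fingerprint=" + fps["sha256"])
    # Same bytes, same fingerprint, whichever encoding the file used.
    assert fps["sha256"] == fingerprint(SAMPLE_DER, "sha256")
```

Replace `SAMPLE_PEM` with the contents of a real `cert.pem` and the printed lines match `openssl x509 -noout -fingerprint -sha256` / `-sha1` byte for byte; a SHA-256 fingerprint is 32 pairs (95 characters with colons), a SHA-1 fingerprint 20 pairs (59 characters).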
SHA-256 vs SHA-1 Fingerprints
| Property | SHA-1 | SHA-256 |
|---|---|---|
| Length | 160 bits (40 hex chars) | 256 bits (64 hex chars) |
| Security | Deprecated — collision attacks demonstrated | Current standard |
| Use today | Legacy systems, backward compatibility | Preferred for all new uses |
| Example | A3:4B:C2:...:9F | 2E:F4:A1:B3:...:7D |
SHA-1 fingerprints are still widely displayed for convenience, but SHA-256 should be used for any security-sensitive comparison.
What Fingerprints Are Used For
Certificate Verification — When you install a certificate on a server, you can compare the fingerprint against the fingerprint provided by the CA to ensure the file was not tampered with during transfer.
Certificate Pinning — Applications can pin (hardcode) the expected fingerprint of a server certificate or CA certificate. If the presented certificate has a different fingerprint, the connection is rejected. This defends against man-in-the-middle attacks using rogue certificates.
Debugging — When troubleshooting certificate chains, fingerprints help you confirm that the correct certificate is being served. Two certificates with identical subject and issuer names can have different fingerprints if any field differs.
Certificate Transparency — CT logs index certificates and allow searching by fingerprint, making it easy to find a specific certificate in public logs.
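The pinning check described above, written out as an added example (not code from the original page). It accepts pins in the colon-separated form OpenSSL prints, compares them in constant time, allows a backup pin for rotation, and refuses a SHA-1 value as a pin, in line with the table above. The "presented" certificates are constructed placeholder byte strings standing in for the DER bytes a TLS client receives in the handshake.

```python
"""Check a presented certificate against a set of pinned SHA-256 fingerprints.

Added example. GOOD_CERT and ROGUE_CERT are constructed stand-ins for the DER
bytes of a server certificate (in a real client these would come from
ssl.SSLSocket.getpeercert(binary_form=True)).
"""
import hashlib
import hmac


def normalize_pin(pin: str) -> str:
    """Accept 'AB:CD:..', 'ab:cd:..' or bare hex and return lowercase hex.

    Only SHA-256 pins (64 hex chars) are accepted; a 40-char SHA-1 value is
    rejected so a legacy fingerprint is never used as a security control.
    """
    hexpin = pin.replace(":", "").replace(" ", "").lower()
    if len(hexpin) != 64 or any(c not in "0123456789abcdef" for c in hexpin):
        raise ValueError("pin must be a SHA-256 fingerprint (64 hex chars)")
    return hexpin


def cert_matches_pins(der: bytes, pins) -> bool:
    """Return True if the SHA-256 fingerprint of `der` equals any pinned value.

    hmac.compare_digest keeps the comparison constant-time; several pins are
    allowed so a backup certificate can be rolled in without an app update.
    """
    actual = hashlib.sha256(der).hexdigest()
    return any(hmac.compare_digest(actual, normalize_pin(p)) for p in pins)


# Constructed sample certificates (placeholders for real DER bytes).
GOOD_CERT = b"abc"
ROGUE_CERT = b"abd"
PINS = [
    # colon-separated form as printed by `openssl x509 -fingerprint -sha256`
    "BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD",
]

if __name__ == "__main__":
    print("good cert accepted:", cert_matches_pins(GOOD_CERT, PINS))   # True
    print("rogue cert accepted:", cert_matches_pins(ROGUE_CERT, PINS))  # False
```

In a real client the check runs after the normal chain validation, not instead of it, and `ROGUE_CERT` shows why a single differing byte anywhere in the certificate is enough to change the fingerprint and make the connection fail.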
Important: Fingerprint Is Not the Signature
The fingerprint is different from the certificate's digital signature. The signature is created by the CA using its private key and is embedded inside the certificate. The fingerprint is computed locally by anyone who has the certificate and is not part of the certificate itself.
Use Case
Use certificate fingerprints to verify that the certificate installed on your server matches the one issued by your CA, detect tampering, or implement certificate pinning in mobile applications.