Knowing your certificate’s fingerprint and serial number is highly useful when requesting a certificate to be revoked. This information is usually required by the Certificate Authority (CA) that issued your certificate.
To get more detailed information about certificate revocation, you can check out this SSL.com guide: Digital Certificate Revocation.
If you want to submit a certificate revocation request, please use this SSL.com tool: Certificate Problem Report
Notes:
1) In the commands below, replace cert.filetype with the certificate’s name plus file type (i.e. .pem, .crt, .der)
2) In some machines, some variables in the commands will have to be modified as follows:
openssl will be replaced by the folder path of the openssl.exe file enclosed in double quotation marks, example: “C:\Program Files\OpenSSL-Win64\bin\openssl.exe”
cert.filetype will be replaced by the file path of the certificate, enclosed in double quotation marks, example: “C:\Users\Admin\Documents\PEM files\pemfile.pem”
3) For versions before OpenSSL 3.0, specifying the input file format is required by adding inform DER|PEM.
1. Command to print the certificate SHA1 fingerprint.
Example output:
2. Command to print the certificate SHA256 fingerprint:
Example output:
3. Command to print the certificate md5 fingerprint:
Example output:
4. Command to print the certificate serial number in hex format.
Example output:
Example:
0x51EAFEB18805F42568699A71EB3755CB
Output:
What is the Certificate Fingerprint?
A certificate’s fingerprint is its unique digital identifier. Microsoft refers to it as the Thumbprint. It is computed from the certificate, and created using a hash function like SHA1 or SHA256. This process converts the certificate’s data into a fixed-length string. Even the slightest change to the certificate results in a completely different fingerprint, making it a reliable way to verify authenticity and detect alterations.What is the Serial Number of a Digital Certificate
A digital certificate’s serial number is a distinct identifier assigned by the Certificate Authority (CA) that issued it. This number is exclusive within that specific CA, ensuring that no two certificates issued by the same CA share the same serial number.Ways to Locate your Certificate’s Fingerprint and Serial Number
OpenSSL
OpenSSL is a widely utilized open-source command-line utility that facilitates various cryptographic operations. It plays a crucial role in managing SSL/TLS certificates, including generating private keys, creating Certificate Signing Requests (CSRs), and installing digital certificates. Additionally, OpenSSL enables users to inspect certificate details efficiently. One of its key functionalities is extracting the certificate fingerprint and serial number. Listed below are OpenSSL commands to display the fingerprint in SHA1, SHA256, and md5 formats, and the serial number in hex format.Notes:
1) In the commands below, replace cert.filetype with the certificate’s name plus file type (i.e. .pem, .crt, .der)
2) In some machines, some variables in the commands will have to be modified as follows:
openssl will be replaced by the folder path of the openssl.exe file enclosed in double quotation marks, example: “C:\Program Files\OpenSSL-Win64\bin\openssl.exe”
cert.filetype will be replaced by the file path of the certificate, enclosed in double quotation marks, example: “C:\Users\Admin\Documents\PEM files\pemfile.pem”
3) For versions before OpenSSL 3.0, specifying the input file format is required by adding inform DER|PEM.
OpenSSL Commands to Extract the Fingerprint and Serial Number
1. Command to print the certificate SHA1 fingerprint.
openssl x509 -sha1 -in cert.filetype -noout -fingerprintExample output:
sha1 Fingerprint=18:94:C3:9A:15:B3:DC:99:83:DC:B2:6E:76:25:A4:E3:9B:9F:EB:4D
2. Command to print the certificate SHA256 fingerprint:
openssl x509 -sha256 -in cert.filetype -noout -fingerprint
Example output:
sha256 Fingerprint=ED:C4:64:53:4B:E2:6E:BA:BB:FD:D0:58:AA:ED:6B:FE:D8:DE:DD:82:39:D5:A3:9D:5A:2E:80:7E:78:1A:DD:233. Command to print the certificate md5 fingerprint:
openssl x509 -md5 -in cert.filetype -noout -fingerprint
Example output:
md5 Fingerprint=F1:39:CE:06:F3:83:BB:18:36:80:29:62:57:8F:5D:E9
4. Command to print the certificate serial number in hex format.
openssl x509 -in cert.filetype -noout -serial
Example output:
serial=51EAFEB18805F42568699A71EB3755CBAdditional Methods to Locate the Certificate Fingerprint and Serial Number
Powershell
If the certificate is installed in Windows:- Open Powershell.
- Run the following command:
Get-ChildItem Cert:\LocalMachine\My - Under the Subject column, find the name of your certificate.
- Copy the certificate thumbprint.
- Open Powershell.
- Run the following command:
Get-FileHash cert.der -Algorithm SHA256 - Copy the certificate thumbprint.
MacOS
- Open Keychain Access.
- Find the certificate. Double-click it to display its details.
- Scroll down to the Fingerprints section. Copy the associated value for SHA-256.
Using Python
Fingerprint
If you have a certificate in DER format:import hashlib
with open("cert.der", "rb") as f:
fingerprint = hashlib.sha256(f.read()).hexdigest()
print('SHA-256 Fingerprint: ' + fingerprint)
Serial Number in Decimal Format
Convert your hex serial number to decimal by writing0x<hex serial> in the python CLI.Example:
0x51EAFEB18805F42568699A71EB3755CB
Output:
108887630920996586831636012562547955147
