000037679 - How to view a certificate fingerprint as SHA-256, SHA-1 or MD5 using OpenSSL for RSA Authentication Manager

Document created by RSA Customer Support Employee on Jun 28, 2019
Version 1Show Document
  • Comment0
  • View in full screen mode

Article Content

Article Number000037679
Applies ToRSA Product Set: SecurID Access
RSA Product/Service Type: RSA Cloud Authentication Service
IssueWhen configuring SAML SSO, some service providers require the fingerprint of the SSL certificate used to sign the SAML Assertion.

Requirements of different service providersvary. Some need a SHA-1 fingerprint, some need an MD5 fingerprint, etc. Depending on the server platform, only the SHA-1 or MD5 fingerprint/thumbprint may be displayed.
TasksOpenSSL can be used to generate the certificate fingerprint with any of the algorithms you might need. 
Resolution

This solution assumes the use of Windows.



  1. Install the latest version of OpenSSL for Windows.
  2. Open the Windows Command Line.
  3. Navigate to the OpenSSL installation directory (the default directory is C:\OpenSSL-Win32\bin).
  4. Run one of the following commands to view the certificate fingerprint/thumbprint:


  • SHA-256




    openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt]


  • SHA-1




    openssl x509 -noout -fingerprint -sha1 -inform pem -in [certificate-file.crt]


  • MD5




    openssl x509 -noout -fingerprint -md5 -inform pem -in [certificate-file.crt]


The example below displays the value of the same certificate using each algorithm:


C:\OpenSSL-Win32\bin>openssl x509 -noout -fingerprint -sha256 -inform pem -in c:\test\cert.cer
SHA256 Fingerprint=E6:5A:5D:37:22:FC:EF:EA:4B:22:92:45:BC:49:D2:29:3D:84:19:BC:C3:45:23:A1:22:A4:99:20:9D:03:E6:47
C:\OpenSSL-Win32\bin>openssl x509 -noout -fingerprint -sha1 -inform pem -in c:\test\cert.cer
SHA1 Fingerprint=1E:DD:AD:32:C3:54:3F:C3:6F:7F:94:51:8D:5E:F7:ED:7C:DB:5D:A5
C:\OpenSSL-Win32\bin>openssl x509 -noout -fingerprint -md5 -inform pem -in c:\test\cert.cer
MD5 Fingerprint=AA:6F:C8:3F:37:78:7A;BE:A6:BE:2C:51:26:16:3F:D3
C:\OpenSSL-Win32\bin>


 
NotesThe algorithm of the fingerprint/thumbprint is unrelated to the encryption algorithm of the certificate. The fingerprint/thumbprint is a identifier used by some server platforms to locate the certificate in a certificate store. You can generate a MD5 fingerprint for a SHA2 certificate. 

Attachments

    Outcomes