Article Number | 000037679 |
Applies To | RSA Product Set: SecurID Access RSA Product/Service Type: RSA Cloud Authentication Service |
Issue | When configuring SAML SSO, some service providers require the fingerprint of the SSL certificate used to sign the SAML Assertion.
Requirements of different service providers vary. Some need a SHA-1 fingerprint, some need an MD5 fingerprint, etc. Depending on the server platform, only the SHA-1 or MD5 fingerprint/thumbprint may be displayed. |
Tasks | OpenSSL can be used to generate the certificate fingerprint with any of the algorithms you might need. |
Resolution | This solution assumes the use of Windows.
- Install the latest version of OpenSSL for Windows.
- Open the Windows Command Line.
- Navigate to the OpenSSL installation directory (the default directory is C:\OpenSSL-Win32\bin).
- Run one of the following commands to view the certificate fingerprint/thumbprint:
SHA-256
openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt]
SHA-1
openssl x509 -noout -fingerprint -sha1 -inform pem -in [certificate-file.crt]
MD5
openssl x509 -noout -fingerprint -md5 -inform pem -in [certificate-file.crt]
The example below displays the value of the same certificate using each algorithm:
C:\OpenSSL-Win32\bin>openssl x509 -noout -fingerprint -sha256 -inform pem -in c:\test\cert.cer
SHA256 Fingerprint=E6:5A:5D:37:22:FC:EF:EA:4B:22:92:45:BC:49:D2:29:3D:84:19:BC:C3:45:23:A1:22:A4:99:20:9D:03:E6:47
C:\OpenSSL-Win32\bin>openssl x509 -noout -fingerprint -sha1 -inform pem -in c:\test\cert.cer
SHA1 Fingerprint=1E:DD:AD:32:C3:54:3F:C3:6F:7F:94:51:8D:5E:F7:ED:7C:DB:5D:A5
C:\OpenSSL-Win32\bin>openssl x509 -noout -fingerprint -md5 -inform pem -in c:\test\cert.cer
MD5 Fingerprint=AA:6F:C8:3F:37:78:7A:BE:A6:BE:2C:51:26:16:3F:D3
C:\OpenSSL-Win32\bin> |
Notes | The algorithm of the fingerprint/thumbprint is unrelated to the encryption algorithm of the certificate. The fingerprint/thumbprint is an identifier used by some server platforms to locate the certificate in a certificate store. You can generate an MD5 fingerprint for a SHA2 certificate. |
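
The fingerprint that `openssl x509 -fingerprint` prints is a digest of the certificate's DER encoding, which is why any of the three algorithms can be applied to any certificate. The following Python sketch is an added example, not part of the original article: it reproduces the three fingerprints and checks a fingerprint pasted from a service provider's configuration regardless of label, separators or case. The function names are this example's own, and the sample PEM is a constructed stand-in (its payload is the bytes "abc"), not a real certificate.

```python
import hashlib
import ssl

# Constructed stand-in: the payload is base64 of b"abc", not a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Hex digest length -> algorithm, used to recognise a pasted fingerprint.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def pem_to_der(pem: str) -> bytes:
    """Decode one PEM certificate block to the DER bytes that get hashed."""
    return ssl.PEM_cert_to_DER_cert(pem.strip())


def fingerprint(der: bytes, algo: str) -> str:
    """Return the digest as colon-separated uppercase hex pairs."""
    hexd = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def normalize(value: str) -> str:
    """Reduce a pasted fingerprint to bare lowercase hex."""
    value = value.split("=", 1)[-1]  # drop a label such as "SHA1 Fingerprint="
    hexd = "".join(c for c in value if c not in ": -\t\r\n").lower()
    if len(hexd) not in ALGO_BY_HEX_LEN:
        raise ValueError("length does not match MD5, SHA-1 or SHA-256")
    if any(c not in "0123456789abcdef" for c in hexd):
        raise ValueError("fingerprint contains non-hex characters")
    return hexd


def matches(pem: str, pasted: str) -> bool:
    """Compare a pasted fingerprint with the certificate, inferring the algorithm."""
    want = normalize(pasted)
    algo = ALGO_BY_HEX_LEN[len(want)]
    return hashlib.new(algo, pem_to_der(pem)).hexdigest() == want


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for algo in ("sha256", "sha1", "md5"):
        print(f"{algo.upper()} Fingerprint={fingerprint(der, algo)}")
```

To use it on a real certificate, pass the contents of the PEM file in place of `SAMPLE_PEM`.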