This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

How to view a certificate fingerprint as SHA-256, SHA-1 or MD5 using OpenSSL for RSA Authentication Manager

Article Number

000037679

Applies To

RSA Product Set: SecurID Access
RSA Product/Service Type: RSA Cloud Authentication Service

Issue

When configuring SAML SSO, some service providers require the fingerprint of the SSL certificate used to sign the SAML Assertion.

Requirements of different service providersvary. Some need a SHA-1 fingerprint, some need an MD5 fingerprint, etc. Depending on the server platform, only the SHA-1 or MD5 fingerprint/thumbprint may be displayed.

Task

OpenSSL can be used to generate the certificate fingerprint with any of the algorithms you might need. 

Resolution

This solution assumes the use of Windows.

  1. Install the latest version of OpenSSL for Windows.
  2. Open the Windows Command Line.
  3. Navigate to the OpenSSL installation directory (the default directory is C:\OpenSSL-Win32\bin).
  4. Run one of the following commands to view the certificate fingerprint/thumbprint:

  • SHA-256

    
openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt]

  • SHA-1

    
openssl x509 -noout -fingerprint -sha1 -inform pem -in [certificate-file.crt]

  • MD5

    
openssl x509 -noout -fingerprint -md5 -inform pem -in [certificate-file.crt]

The example below displays the value of the same certificate using each algorithm: 

C:\OpenSSL-Win32\bin>openssl x509 -noout -fingerprint -sha256 -inform pem -in c:\test\cert.cer
SHA256 Fingerprint=E6:5A:5D:37:22:FC:EF:EA:4B:22:92:45:BC:49:D2:29:3D:84:19:BC:C3:45:23:A1:22:A4:99:20:9D:03:E6:47
C:\OpenSSL-Win32\bin>openssl x509 -noout -fingerprint -sha1 -inform pem -in c:\test\cert.cer
SHA1 Fingerprint=1E:DD:AD:32:C3:54:3F:C3:6F:7F:94:51:8D:5E:F7:ED:7C:DB:5D:A5
C:\OpenSSL-Win32\bin>openssl x509 -noout -fingerprint -md5 -inform pem -in c:\test\cert.cer
MD5 Fingerprint=AA:6F:C8:3F:37:78:7A;BE:A6:BE:2C:51:26:16:3F:D3
C:\OpenSSL-Win32\bin>

 

Notes

The algorithm of the fingerprint/thumbprint is unrelated to the encryption algorithm of the certificate. The fingerprint/thumbprint is a identifier used by some server platforms to locate the certificate in a certificate store. You can generate a MD5 fingerprint for a SHA2 certificate. 
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-04-24 12:34 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.