如何正确计算证书的指纹
How to properly compute the fingerprint of a certificate
嗨,我在 file.pem
中有一个类似的 CA
-----BEGIN CERTIFICATE-----
MIIDczCCAlugAwIBAgIHALRRMXUkMTANBgkqhkiG9w0BAQ0FADBHMRswGQYDVQQD
DBJIdHRwQ2FuYXJ5IFJvb3QgQ0ExEzARBgNVBAoMCkh0dHBDYW5hcnkxEzARBgNV
BAsMCkh0dHBDYW5hcnkwHhcNMjAwMTE1MDc1MjUwWhcNMzEwMTEyMDc1MjUwWjBH
MRswGQYDVQQDDBJIdHRwQ2FuYXJ5IFJvb3QgQ0ExEzARBgNVBAoMCkh0dHBDYW5h
cnkxEzARBgNVBAsMCkh0dHBDYW5hcnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDpDLS2xbpRfTgCPn9Xz0PdWNdppo7vUltGQlzJfD0FQZsyiCU3sYAe
oRGaInwgS4knBEt/9hxaLC8ivz9UlXWIhg8Xy4g+J463HfD4kP2fQElHfo+SlFwc
flkIVKgOB/rMgFMp6LH9YP+bmYMy3ndXYkTkYAGL6Q2EWO90HQLYkt2pm5ij7755
vp8Dksc7LHnHo0sqzrpB953Sx5dVTSyQ91fU3scxo8xvcJQG/vYfbEJA6rZunlLO
3NG8i8JhEYpEjWlf7MV0WIjlPk2vMCHKei/Wyd0msrmL12vjOl3IxMSZQn76SZ1k
+l9E+wuaAw61DnrzD2gkF3yfCNHr8xsrAgMBAAGjZDBiMB0GA1UdDgQWBBQpj7CB
UKauWN0/B4d2jAQxbmjTpDAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBtjAj
BgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwDQYJKoZIhvcNAQEN
BQADggEBAKjH9gYYRg+BLXqey9FGd7mR5hCC3lB7NfLEyJULlAoLgzdGieXfcwdX
Qe5clq6Wfk35v2VxVBg1j/oxZYZyJxFvWiuJ840FHgOb5kD7qTS7i735PCbAyCVf
uSTonQw0Ny8gnjoTijjO/Dh0O6j2wr2kIHORdC2H4Kbya7jyriqY/M/tiuolDyBc
4RWW52pmDdFi+DMvdroRMaE/1fzDiYRB4ongMNLm7fytGTg9Dakhy7o4OC+dmlGm
miUEQIACm2cWrfI1/tjwh+BpbXG91i8y8FPA4YZ2iNmF1133dJhjNx66LETOfJA5
9dZqO1SpbFk4NVpI4UYzfzMdpqw2KgM=
-----END CERTIFICATE-----
而且我希望这个带有 sha256 的散列具有类似的东西
"certificate_hash": "8eb1ec754c1d04af13efa97da1be05c90f1342e5"
但我不知道该怎么做我知道我的 CA 的十六进制并尝试检查转换的最终结果但它不一样你知道如何从这个 CA 获得 sha256 哈希吗?
signed SHA-256 :
B2:62:DC:C4:F2:4A:AA:51:C9:5C:00:6C:0F:27:19:00:DE:42:3D:D3:8C:79:72:89:9A:8D:89:37:84:2E:1E:58
signed SHA-1 :
84:29:CA:F9:EE:3A:3C:CB:4A:08:42:66:0E:BA:2D:84:FC:B4:E5:51
你拥有的是 PEM encoded certificate. To compute the fingerprint one first need to decode it from the PEM representation into a binary. For this the header and footer (starting with -----) needs to be removed and the rest need to be decoded as base64。然后可以从生成的二进制文件中计算出 SHA1 或 SHA-256 哈希值。
简而言之,在 Linux 命令行上:
$ grep -v ^- cert.pem | base64 -d | sha256sum
b262dcc4f24aaa51c95c006c0f271900de423dd38c7972899a8d8937842e1e58 -
$ grep -v ^- cert.pem | base64 -d | sha1sum
8429caf9ee3a3ccb4a0842660eba2d84fcb4e551 -
b262dc... 与您问题中的 B2:62:DC:... 完全相同,只是不同。
当然也可以直接用openssl x509:
$ openssl x509 -in cert.pem -fingerprint -sha256
SHA256 Fingerprint=B2:62:DC:C4:F2:4A:AA:51:C9:5C:00:6C:0F:27:19:00:DE:42:3D:D3:8C:79:72:89:9A:8D:89:37:84:2E:1E:5
$ openssl x509 -in cert.pem -fingerprint -sha1
SHA1 Fingerprint=84:29:CA:F9:EE:3A:3C:CB:4A:08:42:66:0E:BA:2D:84:FC:B4:E5:51
嗨,我在 file.pem
中有一个类似的 CA-----BEGIN CERTIFICATE-----
MIIDczCCAlugAwIBAgIHALRRMXUkMTANBgkqhkiG9w0BAQ0FADBHMRswGQYDVQQD
DBJIdHRwQ2FuYXJ5IFJvb3QgQ0ExEzARBgNVBAoMCkh0dHBDYW5hcnkxEzARBgNV
BAsMCkh0dHBDYW5hcnkwHhcNMjAwMTE1MDc1MjUwWhcNMzEwMTEyMDc1MjUwWjBH
MRswGQYDVQQDDBJIdHRwQ2FuYXJ5IFJvb3QgQ0ExEzARBgNVBAoMCkh0dHBDYW5h
cnkxEzARBgNVBAsMCkh0dHBDYW5hcnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDpDLS2xbpRfTgCPn9Xz0PdWNdppo7vUltGQlzJfD0FQZsyiCU3sYAe
oRGaInwgS4knBEt/9hxaLC8ivz9UlXWIhg8Xy4g+J463HfD4kP2fQElHfo+SlFwc
flkIVKgOB/rMgFMp6LH9YP+bmYMy3ndXYkTkYAGL6Q2EWO90HQLYkt2pm5ij7755
vp8Dksc7LHnHo0sqzrpB953Sx5dVTSyQ91fU3scxo8xvcJQG/vYfbEJA6rZunlLO
3NG8i8JhEYpEjWlf7MV0WIjlPk2vMCHKei/Wyd0msrmL12vjOl3IxMSZQn76SZ1k
+l9E+wuaAw61DnrzD2gkF3yfCNHr8xsrAgMBAAGjZDBiMB0GA1UdDgQWBBQpj7CB
UKauWN0/B4d2jAQxbmjTpDAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBtjAj
BgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwDQYJKoZIhvcNAQEN
BQADggEBAKjH9gYYRg+BLXqey9FGd7mR5hCC3lB7NfLEyJULlAoLgzdGieXfcwdX
Qe5clq6Wfk35v2VxVBg1j/oxZYZyJxFvWiuJ840FHgOb5kD7qTS7i735PCbAyCVf
uSTonQw0Ny8gnjoTijjO/Dh0O6j2wr2kIHORdC2H4Kbya7jyriqY/M/tiuolDyBc
4RWW52pmDdFi+DMvdroRMaE/1fzDiYRB4ongMNLm7fytGTg9Dakhy7o4OC+dmlGm
miUEQIACm2cWrfI1/tjwh+BpbXG91i8y8FPA4YZ2iNmF1133dJhjNx66LETOfJA5
9dZqO1SpbFk4NVpI4UYzfzMdpqw2KgM=
-----END CERTIFICATE-----
而且我希望这个带有 sha256 的散列具有类似的东西
"certificate_hash": "8eb1ec754c1d04af13efa97da1be05c90f1342e5"
但我不知道该怎么做我知道我的 CA 的十六进制并尝试检查转换的最终结果但它不一样你知道如何从这个 CA 获得 sha256 哈希吗?
signed SHA-256 :
B2:62:DC:C4:F2:4A:AA:51:C9:5C:00:6C:0F:27:19:00:DE:42:3D:D3:8C:79:72:89:9A:8D:89:37:84:2E:1E:58
signed SHA-1 :
84:29:CA:F9:EE:3A:3C:CB:4A:08:42:66:0E:BA:2D:84:FC:B4:E5:51
你拥有的是 PEM encoded certificate. To compute the fingerprint one first need to decode it from the PEM representation into a binary. For this the header and footer (starting with -----) needs to be removed and the rest need to be decoded as base64。然后可以从生成的二进制文件中计算出 SHA1 或 SHA-256 哈希值。
简而言之,在 Linux 命令行上:
$ grep -v ^- cert.pem | base64 -d | sha256sum
b262dcc4f24aaa51c95c006c0f271900de423dd38c7972899a8d8937842e1e58 -
$ grep -v ^- cert.pem | base64 -d | sha1sum
8429caf9ee3a3ccb4a0842660eba2d84fcb4e551 -
b262dc... 与您问题中的 B2:62:DC:... 完全相同,只是不同。
当然也可以直接用openssl x509:
$ openssl x509 -in cert.pem -fingerprint -sha256
SHA256 Fingerprint=B2:62:DC:C4:F2:4A:AA:51:C9:5C:00:6C:0F:27:19:00:DE:42:3D:D3:8C:79:72:89:9A:8D:89:37:84:2E:1E:5
$ openssl x509 -in cert.pem -fingerprint -sha1
SHA1 Fingerprint=84:29:CA:F9:EE:3A:3C:CB:4A:08:42:66:0E:BA:2D:84:FC:B4:E5:51