15

I recently learned the mechanism of certificates. But I can't understand why a "thumbprint" is included in a certificate.

For intermediate and end-user certificates, the certificate is verified by its issuer, so it can simply be calculated, as the certificate itself is trusted.

For root/self-signed certificates, they're not trusted unless they are provided with the OS. So the thumbprint included is also not trusted.

I think that I just misunderstood something, can anyone point it out?

DDoSolitary
  • 355
  • 1
  • 2
  • 8
  • Related answers discussing why thumbprints are used: http://security.stackexchange.com/questions/35691/what-is-the-difference-between-serial-number-and-thumbprint and http://security.stackexchange.com/questions/116343/what-is-the-difference-between-a-certificate-a-signature-and-a-thumbprint-in-ca – Jedi Jul 16 '16 at 04:44
  • @Stalker, can you tell what thumbprints are and how they are related to certificates? Or you can send a decent link to read. – one Jul 16 '16 at 18:18
  • 1
    @one: A thumbprint is actually the hash value of the corresponding certificate in DER format. As far as I know, thumbprints are used to locate certificates easily. When a program is requesting a certificate, instead of using its subject name or something else, it can just provide its thumbprint. I used to think they were stored in the certificates because I can see the thumbprint when opening a certificate in Windows. But now I've understood that they are calculated when they're needed. (Might be cached? I don't know.) – DDoSolitary Jul 17 '16 at 00:08

1 Answer

23

There is no thumbprint included in the certificate. What is included is a signature which is used to build the trust chain.

The thumbprint (or fingerprint) is just a hash over the certificate to make it easier for humans to compare certificates. It is not included but computed when needed.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
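The answer above can be checked directly: the signature is a field of the certificate, the thumbprint is a hash computed over the certificate's DER bytes and therefore cannot be stored inside them. The following Go program is an added example (not part of the original question or answer) that generates a throwaway self-signed CA in memory, computes the SHA-1 thumbprint Windows shows and the SHA-256 fingerprint `openssl x509 -fingerprint -sha256` prints, and confirms that the signature bytes occur inside the DER while neither thumbprint does. It then flips one letter of the subject name in the DER to show that any change yields a different thumbprint and breaks the (self-)signature, which is what trust actually rests on. The certificate, key and CN `thumbprint-demo` are constructed test data.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ThumbprintSHA1 is what the Windows certificate viewer labels "Thumbprint":
// SHA-1 over the certificate's DER encoding, nothing more.
func ThumbprintSHA1(der []byte) []byte {
	sum := sha1.Sum(der)
	return sum[:]
}

// ThumbprintSHA256 is the same construction with a modern hash
// (what `openssl x509 -noout -fingerprint -sha256` prints).
func ThumbprintSHA256(der []byte) []byte {
	sum := sha256.Sum256(der)
	return sum[:]
}

// FormatThumbprint renders a digest the way viewers do: upper-case hex pairs, colon-separated.
func FormatThumbprint(sum []byte) string {
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

// Facts records what the example checks about one DER-encoded certificate.
type Facts struct {
	SignatureInDER  bool // the issuer's signature is a field of the certificate
	ThumbprintInDER bool // the thumbprint is not; it is computed over the DER
	SelfSignatureOK bool // the signature, not the thumbprint, is what gets verified
}

// Inspect parses a certificate and reports the three facts above.
func Inspect(der []byte) (Facts, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Facts{}, err
	}
	return Facts{
		SignatureInDER: bytes.Contains(der, cert.Signature),
		ThumbprintInDER: bytes.Contains(der, ThumbprintSHA1(der)) ||
			bytes.Contains(der, ThumbprintSHA256(der)),
		// For a self-signed certificate the "issuer" is the certificate itself.
		SelfSignatureOK: cert.CheckSignatureFrom(cert) == nil,
	}, nil
}

// NewSelfSignedCA builds a throwaway self-signed CA certificate in memory
// (constructed test data: no files, no network, a fresh P-256 key on every run).
func NewSelfSignedCA(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// Tamper toggles the case of the first letter of the CN inside the DER. The result
// is still a well-formed certificate, but a different one: its thumbprint changes
// and its signature no longer verifies over the modified to-be-signed bytes.
func Tamper(der []byte, cn string) []byte {
	out := append([]byte(nil), der...)
	if i := bytes.Index(out, []byte(cn)); i >= 0 {
		out[i] ^= 0x20 // 't' <-> 'T', still a valid PrintableString
	}
	return out
}

func main() {
	const cn = "thumbprint-demo"
	der, err := NewSelfSignedCA(cn)
	if err != nil {
		panic(err)
	}
	f, _ := Inspect(der)
	fmt.Println("SHA-1 thumbprint:  ", FormatThumbprint(ThumbprintSHA1(der)))
	fmt.Println("SHA-256 thumbprint:", FormatThumbprint(ThumbprintSHA256(der)))
	fmt.Printf("signature inside DER: %v, thumbprint inside DER: %v, self-signature verifies: %v\n",
		f.SignatureInDER, f.ThumbprintInDER, f.SelfSignatureOK)

	bad := Tamper(der, cn)
	g, _ := Inspect(bad)
	fmt.Printf("after tampering: thumbprint changed: %v, self-signature verifies: %v\n",
		!bytes.Equal(ThumbprintSHA1(der), ThumbprintSHA1(bad)), g.SelfSignatureOK)
}
```

Because the thumbprint is just a hash of the bytes, it is only as trustworthy as the channel you got it from: pinning or whitelisting a root by thumbprint is sound only if the thumbprint itself came from somewhere you already trust, exactly as the answer says for the root certificate.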