
I'm following Microsoft's example here - https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth#aspnet-sample

When validating the certificate, they check that the Issuer and Subject are both correct before checking the thumbprint. As someone with only a shallow knowledge of certificates, my understanding is that the thumbprint is a hash of the whole certificate which can't be forged/duplicated?

So why can't we get away with only checking the thumbprint?

Barker1889
    See also [Trusting CA Certificates by Thumbprint](https://security.stackexchange.com/questions/235020/trusting-ca-certificates-by-thumbprint) and [Custom certificate verification using thumbprint](https://security.stackexchange.com/questions/225907/custom-certificate-verification-using-thumbprint). – Sjoerd Feb 24 '21 at 10:08

1 Answer

Because it is way more restrictive...

...and that might not be what you want. To be clear, you absolutely can, but that means whenever you change the certificate, you need to also change who you trust.

Verification of the subject and CA on the other hand means that you can keep your verification logic as-is and just change the certificate itself.

You will change your certificate whenever it expires. Since certificates are usually valid for about a year (and the trend is going towards shorter certificates), that means you'd need to change your verification logic every year.
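To make the answer's point concrete, here is an added example (not from the question, the answer, or Microsoft's sample) written in Go because its standard library can both issue certificates and build chains offline. It issues a client certificate from a constructed test CA, renews it with the same subject, and shows that a thumbprint pinned from the old certificate rejects the renewal while a subject + issuer check backed by chain verification against the same CA still accepts it; the CA name, the subject `client.example`, and the serial numbers are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a short-lived test certificate for cn, signed by parent (self-signed when parent is nil).
func mkCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// validBySubjectAndCA accepts any certificate with the expected subject and issuer that chains to the trusted CA;
// the chain build (signature, validity period, CA constraints) is what makes the two name checks meaningful.
func validBySubjectAndCA(cert, ca *x509.Certificate, wantCN string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil && cert.Subject.CommonName == wantCN && cert.Issuer.CommonName == ca.Subject.CommonName
}

// Rotation issues a client cert, renews it with the same subject, and reports whether a thumbprint pin
// and a subject+CA check, both configured before the renewal, still accept the renewed certificate.
func Rotation() (pinAccepts, subjectCAAccepts bool) {
	ca, caKey := mkCert("Demo Root CA", 1, true, nil, nil)
	old, _ := mkCert("client.example", 2, false, ca, caKey)
	renewed, _ := mkCert("client.example", 3, false, ca, caKey)
	// Thumbprint = SHA-1 over the DER bytes (.NET's X509Certificate2.Thumbprint), pinned from the old cert.
	pinAccepts = sha1.Sum(renewed.Raw) == sha1.Sum(old.Raw)
	return pinAccepts, validBySubjectAndCA(renewed, ca, "client.example")
}

func main() {
	fmt.Println(Rotation()) // false true
}
```

The same names on a certificate from a different, untrusted CA fail `validBySubjectAndCA`, so the subject and issuer strings only carry weight together with the chain build.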