
I am aware that I can get the fingerprint of an x509 certificate by typing
`openssl x509 -in certificate.crt -noout -fingerprint`

But if I try to get the fingerprint of a CSR (`openssl req -in certrequest.csr -fingerprint`) I get

`req: Unrecognized flag fingerprint`

As I understand it, the fingerprint is of the key used, so I ought to be able to get it from a .csr file. How can I do that, besides creating a custom script? Or have I misunderstood some key concept?

JoSSte
  • Please check the help of the x509 mode: `-fingerprint: Print the certificate fingerprint`. Of course that will not work on a cert request as the certificate is not yet issued. – Robert Jun 03 '22 at 17:01

1 Answer


Researching the hyperweb after taking a longish break bears fruit:

From ldapwiki

Certificate Fingerprint is NOT part of the Certificate but rather the hash of the DER encoded certificate

According to that definition, I cannot get the fingerprint of a CSR, because it is NOT a certificate. My understanding that it was a hash of the key was erroneous, which makes sense...

JoSSte
  • Some X.509 certs put hash of publickey in the SubjectKeyIdentifier extension (and SKI value of issuer in AuthorityKeyIdentifier), although CSRs don't need to since CA can calculate it at issue, and it's not called fingerprint. For comparison PGP uses hash of publickey as fingerprint and its 'low'/rightmost octets as key-id in the protocol, and OpenSSH uses hash of publickey as fingerprint in the UI (but it is not used in SSH protocol). – dave_thompson_085 Jul 04 '22 at 01:10
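
The distinction drawn in the answer and comments above, as an added example that is not part of the original posts: the certificate fingerprint is a hash of the whole DER certificate, while a hash of the public key can be taken from a CSR and from the certificate issued from it, which is how the two can be matched. The function names, file names and the throwaway key are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. Function and file names are hypothetical; key/CSR/cert are constructed.

# SHA-256 of a PEM public key on stdin, taken over its DER SubjectPublicKeyInfo.
spki_sha256() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Hash of the public key carried in a CSR, and in a certificate.
csr_pubkey_sha256()  { openssl req  -in "$1" -noout -pubkey | spki_sha256; }
cert_pubkey_sha256() { openssl x509 -in "$1" -noout -pubkey | spki_sha256; }

# What `x509 -fingerprint -sha256` reports: hash of the entire DER certificate.
cert_fingerprint_sha256() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Build a throwaway key, a CSR, and a self-signed certificate issued from that CSR.
make_demo_files() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/key.pem" -out "$1/req.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/req.csr" -signkey "$1/key.pem" -days 1 \
        -out "$1/cert.crt" 2>/dev/null
}

dir=$(mktemp -d) && make_demo_files "$dir" && {
    echo "CSR  public-key hash : $(csr_pubkey_sha256 "$dir/req.csr")"
    echo "cert public-key hash : $(cert_pubkey_sha256 "$dir/cert.crt")"
    echo "cert fingerprint     : $(cert_fingerprint_sha256 "$dir/cert.crt")"
}
rm -rf "$dir"
```

The first two lines printed are identical because both hash the same public key; the third differs because it covers the serial number, validity, issuer and signature as well.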