86

I have problems to understand what is the difference between the serial number of a certificate and its SHA1 hash.

The MSDN says:

Serial number A number that uniquely identifies the certificate and is issued by the certification authority.

So can I identify a certificate by its serial number, right?

Wikipedia says for the hash:

Thumbprint: The hash itself, used as an abbreviated form of the public key certificate.

So the hash identifies the (e.g. RSA) key.

I currently do some research on Android app certificates and I found some interesting certificates:

[Issuer][Serial][SHA1 Hash][Valid From]
[C=US, L=Mountain View, S=California, O=Android, OU=Android, CN=Android, E=android@android.com][00936EACBE07F201DF][BB84DE3EC423DDDE90C08AB3C5A828692089493C][Sun, 29 Feb 2008 01:33:46 GMT]
[C=US, L=Mountain View, S=California, O=Android, OU=Android, CN=Android, E=android@android.com][00936EACBE07F201DF][6B44B6CC0B66A28AE444DA37E3DFC1E70A462EFA][Sun, 29 Feb 2008 01:33:46 GMT]
[C=US, L=Mountain View, S=California, O=Android, OU=Android, CN=Android, E=android@android.com][00936EACBE07F201DF][0B4BE1DB3AB39C9C3E861AEC1348110062D3BC1B][Sun, 29

And there are a lot more which share the same serial, but have different hashes.

So there can be a certificate with different key? Who is actually creating the serial number when creating a certificate for an Android app? For the hash it is clear, but can I create a new certificate with the same serial number as another cert?

Can I be sure that a certificate with the same serial number was created by the same person?

Vilican
  • 2,703
  • 8
  • 21
  • 35
reox
  • 1,012
  • 1
  • 8
  • 10

2 Answers2

94

In a certificate, the serial number is chosen by the CA which issued the certificate. It is just written in the certificate. The CA can choose the serial number in any way as it sees fit, not necessarily randomly (and it has to fit in 20 bytes). A CA is supposed to choose unique serial numbers, that is, unique for the CA. You cannot count on a serial number being unique worldwide; in the dream world of X.509, it is the pair issuerDN+serial which is unique worldwide (each CA having its own unique distinguished name, and taking care not to reuse serial numbers).

The thumbprint is a hash value computed over the complete certificate, which includes all its fields, including the signature. That one is unique worldwide, for a given certificate, up to the inherent collision resistance of the used hash function. Microsoft software tends to use SHA-1, for which some theoretical weaknesses are known, but no actual collision has been produced (yet). A collision attack on SHA-1 has now been demonstrated by researchers from CWI and Google.

(The thumbprints you show appear to consist of 40 hexadecimal characters, i.e. 160 bits, which again points at SHA-1 as the plausibly used hash function.)

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • Do you know is max length of thumbprint determined by any standard? Is 40 chars enough to allocate in database column? – Michael Freidgeim Jun 21 '13 at 22:38
  • 3
    @MichaelFreidgeim The maximum length depends on the hashing algorithm. Each hash has a different length output. Look at the Output Size in the table [here](http://en.wikipedia.org/wiki/Cryptographic_hash_function). Bear in mind that if you text-encode your hash output, you'll have to accommodate the encoding overhead in your database field. – tylerl Jun 22 '13 at 07:31
  • 1
    When you say the thumbprint includes the complete certificate, does that include the serial number too? Or just the public key portion? – Brain2000 Oct 24 '13 at 20:23
  • Complete means complete. The whole certificate, from the first to the last bit. This includes _everything_: public key, name, serial, extensions, signature... – Thomas Pornin Oct 25 '13 at 00:11
  • So when pinning a certificate it's better to store in the client and validate against the thumbprint hash or the full public key of the certificate? Or does it not matter? – cottsak Aug 02 '16 at 03:34
  • 1
    @cottsak Two certificates (with different thumbprints) can have the same public key. For example: the same key signed by two different (intermediate) CAs. – David Balažic Aug 04 '16 at 15:35
  • @DavidBalažic Which provides more security? – cottsak Aug 05 '16 at 08:09
  • 5
    Well, now there is SHA-1 collisions: [shattered.io](https://shattered.io/) (tip from [StackOverflow's @foo](http://stackoverflow.com/a/33015135/3136474)) – Dinei Mar 30 '17 at 17:14
  • As it currently stands... I cannot find this information anywhere. Does the SERIAL and THUMBPRINT have a FIXED SIZE ? And if yes, what is it ? Thanks – Mecanik Mar 19 '19 at 15:29
  • @Norbert Boros As mentioned above, the serial number must be 20 bytes or less while the thumbprint size depends on the hash algorithm used (see the table in tylerl's comment) – GLRoman Nov 09 '20 at 20:03
6

The thumbprint is the sha1sum or sha256sum of the certificate in its binary .DER format. That is, from a Unix terminal you run:

sha1sum /path/to/mycertificate.der

The hexademical output of that command is your thumbprint. It is also called the fingerprint. Try it, and you will see.

truthadjustr
  • 200
  • 1
  • 5