3

What's the difference between a digital certificate's signature and fingerprint (thumbprint)?

I know that Signature: the actual signature to verify that it came from the issuer, and Thumbprint (fingerprint): the hash itself, used as an abbreviated form of the public key certificate.

But what exactly is inside both of them?

Both are hash values, but with which parameters does the certificate authority create them?

Johan Gelp
  • Possible duplicate of: http://security.stackexchange.com/questions/14330/what-is-the-actual-value-of-a-certificate-fingerprint – paj28 Nov 29 '13 at 16:36
  • What about the signature? The link which you sent only provides information about the fingerprint. – Johan Gelp Nov 29 '13 at 16:43

2 Answers

6

Here is the relevant quote from RFC 5280.

The signatureValue field contains a digital signature computed upon the ASN.1 DER encoded tbsCertificate. The ASN.1 DER encoded tbsCertificate is used as the input to the signature function. This signature value is encoded as a BIT STRING and included in the signature field. The details of this process are specified for each of the algorithms listed in [RFC3279], [RFC4055], and [RFC4491].

By generating this signature, a CA certifies the validity of the information in the tbsCertificate field. In particular, the CA certifies the binding between the public key material and the subject of the certificate.

Basically, the certificate signature is a CA signed value of the information encoded in the certificate including things like the subject, the issuer and the public key of the certificate. The process of validating the signatures is described in various RFCs as mentioned.

The certificate fingerprint is simply a sha1 and sha256 hash value computed on the entire certificate.

2

Practical sample

Getting one certificate for playing with

Using low level openssl commands:

mkdir /tmp/ssltests
cd $_

openssl s_client -connect www.google.com:443 -ign_eof \
    <<<$'HEAD / HTTP/1.0\r\n\r' 2>/dev/null |
  sed -ne '/^Server certificate/,${
    /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{
      //{/END/{p;q}};p}}' >www.google.com.crt

Maybe not the simplest way, but between man openssl and man sed, I've made a choice...

So you can see what an SSL cert is:

cat www.google.com.crt 
-----BEGIN CERTIFICATE-----
MIIEdjCCA16gAwIBAgIIRYUpUVjSfHQwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMC                        ...                            AVzv0
OtGjXuOdSfB4nURA7INNYvx8ULMECg5Sj8Gan8kIOfeW3jt9vdxsZrbn0Cu/bcTm
OEK3nH1sBk2Hy5ZBcyludHyUzqTHsXSjnIjwZNPpihVmFrs5I1Ma7iEj
-----END CERTIFICATE-----

sed '1d;$d' www.google.com.crt | tr -d \\n | wc -c
1528
echo $(( 1528 * 6 ))
9168
echo $(( 9168 / 8 ))
1146

There is a bunch of 9168 bits (or 1146 bytes), which contains a lot of details:

In certificate content

An x509 certificate holds a lot of information like subject, issuer, valid dates, other signed certificates...

You could retrieve specific information by:

openssl x509 -in www.google.com.crt -noout -subject
subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com

or

openssl x509 -in www.google.com.crt -noout -issuer 
issuer= /C=US/O=Google Inc/CN=Google Internet Authority G2

or else:

openssl x509 -in www.google.com.crt -noout -text

will dump all details, including the public key, signature algorithms...

Fingerprints

They are like md5sum for validating a file: to verify (for example, by phone), you could use one kind of fingerprint.

Fingerprints don't contain readable information anymore! It's only a checksum!!

openssl x509 -in www.google.com.crt -noout -fingerprint
SHA1 Fingerprint=03:30:78:7E:9B:7E:11:4E:66:2E:77:ED:AC:99:71:09:F8:E5:F0:6F

openssl x509 -in www.google.com.crt -noout -md5 -fingerprint
MD5 Fingerprint=5A:4C:B2:35:C4:F2:2E:3A:72:6A:49:F6:BC:EA:5B:20

openssl x509 -in www.google.com.crt -noout -sha256 -fingerprint
SHA256 Fingerprint=E8:55:E1:CC:31:97:F3:36:92:D7:C9:3E:46:B4:47:FB:21:CD:6C:7A:93:CB:B1:AE:58:CF:21:43:DF:24:FC:42

It's lighter to spell than the whole certificate.

In fact, this is really the same as using md5sum on raw data:

uudecode < <(
    sed '1s/^.*$/begin-base64 644 www.google.com.raw/;
         $s/^.*$/====/' www.google.com.crt
   )
ls -ltr
total 8
-rw-r--r-- 1 user user 1606 Nov 30 13:06 www.google.com.crt
-rw-r--r-- 1 user user 1146 Nov 30 16:30 www.google.com.raw

sha1sum www.google.com.raw 
0330787e9b7e114e662e77edac997109f8e5f06f  www.google.com.raw

md5sum www.google.com.raw 
5a4cb235c4f22e3a726a49f6bcea5b20  www.google.com.raw

The results are the same.

Another try:

openssl s_client -connect security.stackexchange.com:443 -ign_eof \
    <<<$'HEAD / HTTP/1.0\r\n\r' 2>/dev/null |
  sed -ne '
    /^Server certificate/,${
       /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{
          //{/END/{p;q}};p}}' >security.stackexchange.com.crt

openssl x509 -in security.stackexchange.com.crt -noout -sha256 -fingerprint
SHA256 Fingerprint=73:D8:42:9A:38:78:4D:21:98:29:DD:58:8C:52:6F:23:18:6A:58:99:AD:69:3A:DA:97:98:49:D4:FB:5A:A0:09

openssl x509 -in security.stackexchange.com.crt |
    sed '1s/^.*$/begin-base64 644 -/;$s/^.*$/====/' |
    uudecode |
    sha256sum |
    sed 'y|abcdef|ABCDEF|;
        :a;
    s/^\(\([0-9A-F]\{2\}:\)*\)\([0-9A-F]\{2\}\)\([0-9A-F]\)/\1\3:\4/g;
         ta'
73:D8:42:9A:38:78:4D:21:98:29:DD:58:8C:52:6F:23:18:6A:58:99:AD:69:3A:DA:97:98:49:D4:FB:5A:A0:09  -

Fingerprints are only checksums.
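
Added example (not part of either answer): a small DER splitter showing which bytes feed each value. The fingerprint hashes the whole certificate, signature included, while the CA's signature is computed over the tbsCertificate element only, as the RFC 5280 quote above says. The helper names and the certificate-shaped sample are constructed for illustration; actually verifying a signature additionally requires the issuer's public key and is not shown.

```python
import hashlib

def der_tlv(buf, pos=0):
    """Return (tag, value_start, tlv_end) for the DER element at pos."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, pos + hdr + length

def der_encode(tag, value):
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value

def split_certificate(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, end = der_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    parts, pos = [], start
    while pos < end:
        _, _, nxt = der_tlv(der, pos)
        parts.append(der[pos:nxt])         # keep each element as its full TLV
        pos = nxt
    if pos != end or len(parts) != 3 or parts[2][0] != 0x03:
        raise ValueError("expected tbsCertificate, algorithm, BIT STRING")
    return parts

def fingerprint(der):                      # what `openssl x509 -sha256 -fingerprint` hashes
    return hashlib.sha256(der).hexdigest()

def tbs_digest(der):                       # what a SHA-256 based signature algorithm hashes
    return hashlib.sha256(split_certificate(der)[0]).hexdigest()

def sample_cert(sig_bytes):
    """Constructed, certificate-shaped DER with placeholder contents (not a real cert)."""
    tbs = der_encode(0x30, der_encode(0x0C, b"constructed tbsCertificate " * 6))
    alg = der_encode(0x30, bytes.fromhex("06092a864886f70d01010b0500"))  # sha256WithRSAEncryption
    sig = der_encode(0x03, b"\x00" + sig_bytes)                          # BIT STRING, 0 unused bits
    return der_encode(0x30, tbs + alg + sig)

if __name__ == "__main__":
    a, b = sample_cert(b"\x11" * 32), sample_cert(b"\x22" * 32)
    print(fingerprint(a) != fingerprint(b), tbs_digest(a) == tbs_digest(b))
```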