[singlewind]

In the CPS document it said this is SHA256 fingerprint. So I run the following command and the value doesn't match. I have asked AWS support. They said it is out of scope. Mostly like the support team doesn't know either.

openssl x509 -in AmazonRootCA1.pem -noout -fingerprint -sha256

[wahern]

The fingerprint is the "SHA-256 Hash of Subject Public Key Information", not the entire [unsigned] certificate. Basically, the DER encoding of the PKIX SubjectPublicKeyInfo structure. See https://tools.ietf.org/html/rfc5280#section-4.1.2.7 and https://tools.ietf.org/html/rfc3279#section-2.3.1 for RSA; for ECC keys see https://tools.ietf.org/html/rfc5480 and https://tools.ietf.org/html/rfc8410.

Calculating this is generally easy from a typical WebPKI library; less straight-forward from the command line:

  % openssl x509 -pubkey -noout < ./AmazonRootCA1.pem | grep -v '^-' | base64 -d | shasum -a256
 
 fbe3018031f9586bcbf41727e417b7d1c45c2f47f93be372a17b96b50757d5a2  -

(Note: That matches the AWS hash.)

The hash of the public key is often used as a stable identifier for entities. Hashes of certificates will, of course, change w/ the validity dates and serial number.