|
|
|
|
|
|
by wahern
1875 days ago
|
|
|
The fingerprint is the "SHA-256 Hash of Subject Public Key Information", not the entire [unsigned] certificate. Basically, the DER encoding of the PKIX SubjectPublicKeyInfo structure. See https://tools.ietf.org/html/rfc5280#section-4.1.2.7 and https://tools.ietf.org/html/rfc3279#section-2.3.1 for RSA; for ECC keys see https://tools.ietf.org/html/rfc5480 and https://tools.ietf.org/html/rfc8410. Calculating this is generally easy from a typical WebPKI library; less straight-forward from the command line: % openssl x509 -pubkey -noout < ./AmazonRootCA1.pem | grep -v '^-' | base64 -d | shasum -a256
fbe3018031f9586bcbf41727e417b7d1c45c2f47f93be372a17b96b50757d5a2 -
(Note: That matches the AWS hash.)The hash of the public key is often used as a stable identifier for entities. Hashes of certificates will, of course, change w/ the validity dates and serial number. |
|
|