How to get a certificate thumbprint using openssl
A helpful one-liner for grabbing cert info quickly.
I was troubleshooting a certificate issue earlier that required me to verify the thumbprint of a leaf cert. The challenge? I was working from a console connection and couldn't copy/paste details from the session.
The solution? Run this one-liner:
openssl s_client -connect <host>:<port> | openssl x509 -noout -fingerprint
So for example, if I want the fingerprint for https://www.google.com, I'd get something like this:
$ openssl s_client -connect www.google.com:443 | openssl x509 -noout -fingerprint
depth=3 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify return:1
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority G2
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
verify return:1
SHA1 Fingerprint=E0:F4:BA:CB:92:BF:0C:C7:02:92:FA:B5:5A:84:F1:95:C1:F5:23:06
Note that it's a SHA1 fingerprint (which is pretty common). If I wanted the SHA256 fingerprint, I could use the -sha256 switch. So, continuing the example from above, it would look like:
$ openssl s_client -connect www.google.com:443 | openssl x509 -noout -fingerprint -sha256
depth=3 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify return:1
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority G2
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
verify return:1
SHA256 Fingerprint=C5:C6:1A:50:8C:A3:68:5E:28:F9:56:70:F3:41:62:1D:1D:99:66:A4:07:16:EA:32:1E:74:72:88:C8:0F:6E:A9
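When the expected thumbprint comes from somewhere else (a ticket, a Windows certificate dialog, a config file), it rarely has the same colons, case or label as the openssl output. The script below is an added example, not part of the original post: it normalizes both values before comparing them and picks -sha1 or -sha256 from the length of the expected value. The function names and the script name are hypothetical; -servername and the /dev/null redirect are additions so that the right certificate is requested and s_client exits on its own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Reduce any common rendering of a thumbprint to bare lowercase hex:
#   "SHA1 Fingerprint=E0:F4:..." (openssl) or "e0 f4 ba ..." (Windows cert dialog)
normalize_thumbprint() {
  local value="${1##*=}"   # drop an "<ALG> Fingerprint=" label if present
  printf '%s' "$value" | tr -cd '0-9A-Fa-f' | tr 'A-F' 'a-f'
}

# Map a normalized hex length to the digest switch openssl x509 accepts.
digest_for() {
  case "${#1}" in
    40) echo sha1 ;;
    64) echo sha256 ;;
    *)  return 1 ;;
  esac
}

# Returns 0 on match, 1 on mismatch, 2 if the first value is not SHA1/SHA256 length.
thumbprints_match() {
  local a b
  a="$(normalize_thumbprint "$1")"
  b="$(normalize_thumbprint "$2")"
  digest_for "$a" >/dev/null || return 2
  [ "$a" = "$b" ]
}

# Print the leaf certificate's fingerprint line for host:port.
remote_thumbprint() {
  local host="$1" port="$2" digest="$3"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint "-$digest"
}

# Usage: ./check-thumbprint.sh <host> <port> <expected-thumbprint>
if [ "$#" -eq 3 ]; then
  expected="$(normalize_thumbprint "$3")"
  digest="$(digest_for "$expected")" || { echo "expected value is not SHA1/SHA256 length" >&2; exit 2; }
  actual="$(remote_thumbprint "$1" "$2" "$digest")" || exit 3
  if thumbprints_match "$expected" "$actual"; then
    echo "MATCH"
  else
    echo "MISMATCH: $actual"; exit 1
  fi
fi
```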