openssl x509 -fingerprint: Cert Fingerprints
openssl x509 -fingerprint computes a hash of the DER-encoded certificate for identification.
Fingerprints let you pin or compare certs without parsing every field. Pick SHA-256; SHA-1 is legacy.
What it does
openssl x509 -fingerprint hashes the entire DER encoding of the certificate and prints it as colon-separated hex. The hash covers the whole cert, so any change produces a different fingerprint.
Common usage
openssl x509 -in cert.pem -noout -fingerprint -sha256
# strip the prefix and colons for comparison
openssl x509 -in cert.pem -noout -fingerprint -sha256 \
| sed 's/.*=//; s/://g'Options
| Flag | What it does |
|---|---|
| -fingerprint | Print the certificate fingerprint |
| -sha256 | Use SHA-256 (recommended) |
| -sha1 | Use SHA-1 (legacy, avoid) |
| -noout | Suppress the re-encoded certificate |
| -in <file> | Input certificate |
Common errors in CI
If the default fingerprint looks like SHA-1, that is expected: older OpenSSL defaults to SHA-1 when no digest is given, so always pass -sha256 explicitly. "unable to load certificate" means a DER file or a non-cert PEM; add -inform der or check the file. Mismatched pins almost always come from comparing a SHA-1 value against a SHA-256 one.