Skip to content
Latchkey

openssl x509 -fingerprint: Cert Fingerprints

openssl x509 -fingerprint computes a hash of the DER-encoded certificate for identification.

Fingerprints let you pin or compare certs without parsing every field. Pick SHA-256; SHA-1 is legacy.

What it does

openssl x509 -fingerprint hashes the entire DER encoding of the certificate and prints it as colon-separated hex. The hash covers the whole cert, so any change produces a different fingerprint.

Common usage

Terminal
openssl x509 -in cert.pem -noout -fingerprint -sha256
# strip the prefix and colons for comparison
openssl x509 -in cert.pem -noout -fingerprint -sha256 \
  | sed 's/.*=//; s/://g'

Options

FlagWhat it does
-fingerprintPrint the certificate fingerprint
-sha256Use SHA-256 (recommended)
-sha1Use SHA-1 (legacy, avoid)
-nooutSuppress the re-encoded certificate
-in <file>Input certificate

Common errors in CI

If the default fingerprint looks like SHA-1, that is expected: older OpenSSL defaults to SHA-1 when no digest is given, so always pass -sha256 explicitly. "unable to load certificate" means a DER file or a non-cert PEM; add -inform der or check the file. Mismatched pins almost always come from comparing a SHA-1 value against a SHA-256 one.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →