> On Jun 14, 2015, at 18.21, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
> On Sun, Jun 14, 2015 at 02:28:31PM -0400, b...@bitrate.net wrote:
>
>> In TLS_README it's instructed to use the following command to compute an
>> sha-1 public key fingerprint:
>>
>> $ openssl x509 -in foo.example.com-cert.pem -noout -pubkey |
>> openssl pkey -pubin -outform DER |
>> openssl dgst -sha1 -c
>> (stdin)= 7e:8b:82:2e:c8:9a:bc:f9:ae:1a:de:e6:9a:6c:b3:3b:b3:34:21:7a
>>
>> that didn't work for me,
>
> Rather unfortunate that you don't explain how or why. Most likely you're
> using a version of OpenSSL that is older than 1.0.0, and does not have the
> "pkey" command. For RSA keys you can replace "openssl pkey" with "openssl
> rsa".
>
> This computes a public key fingerprint.
>
>> $ openssl x509 -noout -in foo.example.com-cert.pem -fingerprint
>> SHA1 Fingerprint=A2:76:67:9B:B1:B8:4A:2F:DF:10:12:94:67:62:BE:47:6F:08:0F:12
>>
>> did work.
>
> This computes the certificate fingerprint, not the public key
> fingerprint.
>
>> as seen, they both output valid digests, but the values differ.
>
> As expected.
That explains my ignorance: certificate fingerprint versus public key fingerprint. I'm using check_ccert_access, and testing again, it does in fact work, as documented, with either certificate or public key fingerprint. What I was doing to convince myself it wasn't working initially, I'm now not sure of. On a related note, is it possible for a public key fingerprint to collide with the certificate fingerprint of some other cert?

-ben
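The two commands from the quoted exchange, as an added example that is not part of the thread or of Postfix's own TLS_README. The script below is POSIX sh and needs only the openssl command line tool. It wraps the TLS_README pipeline (with the "openssl rsa" fallback Viktor mentions for OpenSSL releases older than 1.0.0) and the "-fingerprint" command in two functions, then goes one step beyond the thread: it generates a key, issues two self-signed certificates for that same key, and shows that the public key fingerprint is identical for both while the certificate fingerprint changes with every re-issued certificate. The function names, the output directory layout (key.pem, cert1.pem, cert2.pem) and the optional digest argument are choices made for this example; the subject name foo.example.com is taken from the quoted commands.

```shell
#!/bin/sh
# Added example for the thread above (not Postfix's or Viktor's code):
# compare the public key fingerprint and the certificate fingerprint of
# the same certificate, then re-issue the certificate for the same key
# and show which of the two fingerprints survives. Requires openssl(1).
set -eu

# Public key fingerprint, as in TLS_README: extract the certificate's
# SubjectPublicKeyInfo, re-encode it as DER and hash that. "openssl pkey"
# needs OpenSSL >= 1.0.0; if it is unavailable, fall back to "openssl rsa"
# (RSA keys only). $1 = certificate file, $2 = digest (default sha1).
# Prints lowercase "aa:bb:cc:...".
pubkey_fingerprint() {
    cert=$1; digest=${2:-sha1}
    spki=$(openssl x509 -in "$cert" -noout -pubkey)
    {
        printf '%s\n' "$spki" | openssl pkey -pubin -outform DER 2>/dev/null ||
        printf '%s\n' "$spki" | openssl rsa  -pubin -outform DER 2>/dev/null
    } | openssl dgst "-$digest" -c | sed 's/^.*= //' | tr 'A-Z' 'a-z'
}

# Same digest, computed from the private key file instead of the
# certificate: the public half of the key is the same SubjectPublicKeyInfo,
# so this must match pubkey_fingerprint() of any certificate for that key.
key_fingerprint() {
    key=$1; digest=${2:-sha1}
    openssl pkey -in "$key" -pubout -outform DER |
        openssl dgst "-$digest" -c | sed 's/^.*= //' | tr 'A-Z' 'a-z'
}

# Certificate fingerprint: a digest over the whole DER-encoded certificate
# (serial, issuer, validity, extensions and signature as well as the key),
# which is what "openssl x509 -fingerprint" prints.
cert_fingerprint() {
    cert=$1; digest=${2:-sha1}
    openssl x509 -in "$cert" -noout -fingerprint "-$digest" |
        sed 's/^.*=//' | tr 'A-Z' 'a-z'
}

# Create a 2048-bit RSA key, a self-signed certificate for it, and a second
# self-signed certificate for the *same* key, as a renewal would.
# $1 = output directory; writes key.pem, cert1.pem and cert2.pem.
make_test_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert1.pem" -subj /CN=foo.example.com -days 1 2>/dev/null
    openssl req -x509 -new -key "$dir/key.pem" \
        -out "$dir/cert2.pem" -subj /CN=foo.example.com -days 2 2>/dev/null
}

main() {
    tmp=$(mktemp -d)
    make_test_certs "$tmp"
    printf 'key.pem   public key fingerprint:  %s\n' "$(key_fingerprint "$tmp/key.pem")"
    printf 'cert1.pem public key fingerprint:  %s\n' "$(pubkey_fingerprint "$tmp/cert1.pem")"
    printf 'cert2.pem public key fingerprint:  %s  (same key, same value)\n' \
        "$(pubkey_fingerprint "$tmp/cert2.pem")"
    printf 'cert1.pem certificate fingerprint: %s\n' "$(cert_fingerprint "$tmp/cert1.pem")"
    printf 'cert2.pem certificate fingerprint: %s  (new certificate, new value)\n' \
        "$(cert_fingerprint "$tmp/cert2.pem")"
    rm -rf "$tmp"
}

main
```

The digest given as the second argument (sha1 here, because that is what the quoted TLS_README command uses) has to agree with the digest Postfix is configured to use for check_ccert_access lookups, the smtpd_tls_fingerprint_digest parameter; otherwise the table entry will never match, whichever of the two fingerprint kinds it holds.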