I can see SHA-1 fingerprint/thumbprint on my certificate. Is my certificate actually SHA-2?

Once you have installed an SSL certificate on a web server or applied to a web service, you might have opened a certificate viewer or a similar tool to check if the certificate is all right, particularly if your certificate’s signature algorithm is SHA-2. You might have noticed such a thing as SHA-1 fingerprint.

In this article we will be looking at the certificate fingerprint and the certificate signature algorithm.

1. Terms checksum, hash sum, hash value, fingerprint, thumbprint are used to describe the digital output usually in a form of a hexadecimal string which is derived from a file by means of applying a hash function (algorithm) to it.

Example: 15:37:48:1E:DB:70:65:80:B2:74:E5:78:25:E5:AD:39:14:53:69:19 is the SHA-1 hash sum of ASN.1 binary (DER) form of the certificate used at www.instantssl.com.

sha1-sha-2-01

Taking fingerprint of a file presupposes putting the file through the hash sum calculation process, using a particular cryptographic hash algorithm. This is used to identify files, to facilitate certain data and security management tasks, to check data integrity against tampering or corruption. Two different files or files with a single slightest difference will produce a completely different fingerprint. Therefore, by checking and comparing certificate fingerprints webmasters and system administrators can make sure that the right file is in use.

2. Signature Algorithm field in an x509v3 SSL certificate (we provide exactly this kind of security certificates) indicates a cryptographic algorithm that is used by a Certificate Authority (CA) to sign a given certificate. By generating this signature, a CA certifies validity of the information in the certificate and the binding between the subject and the public key material in particular.

Here are the related details of the same certificate. Now we are looking at the certificate’s Signature Algorithm.

sha1-sha-2-02

This shows that SHA-256 hash function with RSA cryptographic algorithm was used as a Signature Algorithm by Comodo CA(now Sectigo CA) to certify the connection between the public key material and the subject: Comodo CA Ltd, Salford, Greater Manchester, GB; www.instantssl.com.

At the same time, SHA-1 fingerprint was taken from the certificate to identify a larger set of information stored in the certificate itself.

The fact that we can see a SHA-1 fingerprint of a certificate in, say Mozilla Certificate Viewer, does not necessarily mean that the same cryptographic function (SHA-1) is the Signature Algorithm that was used by a Certificate Authority to issue a certificate.

This leads us to the conclusion that certificate fingerprints (MD5, SHA-1 or SHA-256 and others) are used as certificate identifiers which do not correlate with the certificate signature algorithm. The signature algorithm is encoded in a certificate and designates a cryptographic function used by a Certificate Authority to sign and issue the given certificate.

Let us remind and assure you once again that for the end-entity certificate (the one containing hostname / domain name / service hostname you apply an SSL certificate to) Comodo Certificate Authority (now Sectigo CA) uses sha256WithRSAEncryption as a default signature algorithm starting April 2014.

In order to check whether the certificate installed on your site or service was signed using SHA-1 or SHA-2 hash function family (including SHA-256), try running a quick online test or other available methods described in the “How do I check my hashing algorithm?” article in our knowledgebase.

The SHA-1 based signature algorithm sunset initiative was brought forth by major CA/Browser Forum members and software companies: Google Inc, Mozilla Foundation, Microsoft Corporation. Read on for more info on the causes and SHA-1 deprecation schedule.

Updated
Viewed
45261 times

Need help? We're always here for you.

notmyip