Ask HN: How is the hash value calculated from the AWS CA?

1 point by singlewind 4 years ago | 2 comments
  • singlewind 4 years ago
    In the CPS document it said this is the SHA256 fingerprint. So I ran the following command and the value doesn't match. I have asked AWS support. They said it is out of scope. Most likely the support team doesn't know either.

    openssl x509 -in AmazonRootCA1.pem -noout -fingerprint -sha256

    • wahern 4 years ago
      The fingerprint is the "SHA-256 Hash of Subject Public Key Information", not the entire [unsigned] certificate. Basically, the DER encoding of the PKIX SubjectPublicKeyInfo structure. See https://tools.ietf.org/html/rfc5280#section-4.1.2.7 and https://tools.ietf.org/html/rfc3279#section-2.3.1 for RSA; for ECC keys see https://tools.ietf.org/html/rfc5480 and https://tools.ietf.org/html/rfc8410.

      Calculating this is generally easy from a typical WebPKI library; less straightforward from the command line:

        % openssl x509 -pubkey -noout < ./AmazonRootCA1.pem | grep -v '^-' | base64 -d | shasum -a256
        fbe3018031f9586bcbf41727e417b7d1c45c2f47f93be372a17b96b50757d5a2  -
      (Note: That matches the AWS hash.)

      The hash of the public key is often used as a stable identifier for entities. Hashes of certificates will, of course, change w/ the validity dates and serial number.
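As an added example (not part of the thread or anything AWS publishes), here is a stdlib-only Python version of the same pipeline: it strips the PEM armour, walks the DER TBSCertificate to the SubjectPublicKeyInfo SEQUENCE, and hashes exactly those bytes, next to the whole-certificate hash that `openssl x509 -fingerprint` reports. Because no real root certificate is embedded, `build_sample_cert` constructs a throwaway, unsigned certificate (hypothetical CN=demo, a bogus curve point, no valid signature) so the script runs offline; point `spki_sha256` at the real AmazonRootCA1.pem text to reproduce the thread's value.

```python
import base64
import hashlib

def pem_to_der(pem: str) -> bytes:
    """Drop the -----BEGIN/END----- lines and base64-decode the body (what `grep -v '^-' | base64 -d` does)."""
    return base64.b64decode("".join(l for l in pem.splitlines() if l and not l.startswith("-----")))
def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
def der_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def spki_der(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo SEQUENCE (header included) from a DER certificate."""
    _, pos, _ = der_tlv(cert_der, 0)       # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sigValue }
    tag, pos, _ = der_tlv(cert_der, pos)   # tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serial,
    tag, _, end = der_tlv(cert_der, pos)   #   signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    if tag == 0xA0:                        # v2/v3 certificates carry the version field; v1 omits it
        pos = end
    for _i in range(5):                    # skip serial, signature, issuer, validity, subject
        _, _, pos = der_tlv(cert_der, pos)
    tag, _, end = der_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return cert_der[pos:end]
def spki_sha256(pem: str) -> str:
    """The value the AWS CPS lists: SHA-256 over the SubjectPublicKeyInfo DER (RFC 5280 s4.1.2.7)."""
    return hashlib.sha256(spki_der(pem_to_der(pem))).hexdigest()
def cert_sha256(pem: str) -> str:
    """What `openssl x509 -fingerprint -sha256` prints, minus colons: SHA-256 over the whole certificate."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()
def tlv(tag: int, payload: bytes) -> bytes:
    """Minimal DER encoder (short and long length forms), used only to construct the sample below."""
    n = len(payload)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + payload
def build_sample_cert(version3: bool = True, serial: int = 1):
    """Constructed, unsigned throwaway certificate: structurally valid DER, not a real key or signature."""
    oid_ec, oid_p256 = bytes.fromhex("06072a8648ce3d0201"), bytes.fromhex("06082a8648ce3d030107")
    sig_alg = tlv(0x30, bytes.fromhex("06082a8648ce3d040302"))                   # ecdsa-with-SHA256
    spki = tlv(0x30, tlv(0x30, oid_ec + oid_p256) + tlv(0x03, b"\x00\x04" + bytes(range(64))))
    name = tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, b"demo"))))  # CN=demo
    validity = tlv(0x30, tlv(0x17, b"200101000000Z") + tlv(0x17, b"300101000000Z"))
    version = tlv(0xA0, tlv(0x02, b"\x02")) if version3 else b""
    tbs = version + tlv(0x02, bytes([serial])) + sig_alg + name + validity + name + spki
    return tlv(0x30, tlv(0x30, tbs) + sig_alg + tlv(0x03, b"\x00" + bytes(8))), spki
```

Changing the serial number or dropping the version field changes `cert_sha256` but leaves `spki_sha256` untouched, which is the stability property the comment above describes.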