How Certificate Fingerprints Work and Why They Matter
A certificate fingerprint is a unique hash of the certificate's bytes. Learn how SHA-256 and SHA-1 fingerprints are computed and when to use them.
Every SSL certificate has a unique fingerprint — a compact hash that unambiguously identifies it. Fingerprints are the quick answer to the question: "Is this the same certificate I saw yesterday?"
What Is a Fingerprint?
A certificate fingerprint is computed by hashing the certificate's raw DER-encoded bytes (not the PEM text) using a cryptographic hash function. The result is a fixed-length hex string:
- SHA-256 fingerprint: 64 hex characters (32 bytes). The standard today.
- SHA-1 fingerprint: 40 hex characters (20 bytes). Still displayed for legacy compatibility, but SHA-1 is no longer considered collision-resistant.
How to Compute One
With OpenSSL on the command line:
    openssl x509 -in cert.pem -fingerprint -sha256 -noout
The output is the same value you'll see in our SSL Certificate Decoder — formatted as colon-separated uppercase hex pairs (e.g. AB:CD:EF:...).
What Fingerprints Are Used For
Verification
When a CA sends you a newly-issued certificate, compare its SHA-256 fingerprint against what was agreed in your order. A mismatch means something went wrong.
Certificate Pinning
Some applications "pin" a certificate or public key by storing its fingerprint and refusing connections that don't match. This protects you even if a trusted CA issues a fraudulent certificate for your domain, because the fraudulent certificate's fingerprint will not match the pin. See what happens when pinning fails.
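The fingerprint computation and the pin comparison described above, as an added Python example that is not part of the original article: it hashes the DER bytes recovered from the PEM text, shows that re-wrapping the PEM leaves the fingerprint unchanged while hashing the PEM text itself does not, and checks a stored SHA-256 pin in constant time. The function names and the sample bytes are assumptions made for this illustration; the sample is a constructed byte string, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Recover the DER bytes from the first CERTIFICATE block in PEM text."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    # Drop line breaks; validate=True rejects stray non-base64 characters.
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated uppercase hex pairs, as described in the article."""
    h = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def matches_pin(der: bytes, pinned: str) -> bool:
    """Check a stored SHA-256 fingerprint (any case, colons optional)."""
    expected = bytes.fromhex(pinned.replace(":", ""))
    if len(expected) != 32:
        raise ValueError("pin is not a SHA-256 fingerprint")
    return hmac.compare_digest(hashlib.sha256(der).digest(), expected)

def to_pem(der: bytes, width: int = 64, eol: str = "\n") -> str:
    """Demo helper: wrap DER bytes as PEM with a chosen line layout."""
    b64 = base64.b64encode(der).decode("ascii")
    body = eol.join(b64[i:i + width] for i in range(0, len(b64), width))
    return (f"-----BEGIN CERTIFICATE-----{eol}{body}{eol}"
            f"-----END CERTIFICATE-----{eol}")

# Constructed stand-in bytes, NOT a real certificate: the hash treats the
# DER encoding as opaque bytes, so any byte string shows the behaviour.
SAMPLE_DER = bytes(range(256)) * 3
PEM_UNIX = to_pem(SAMPLE_DER)                        # 64 columns, LF
PEM_WIN = to_pem(SAMPLE_DER, width=76, eol="\r\n")   # 76 columns, CRLF

if __name__ == "__main__":
    for name, pem in (("unix", PEM_UNIX), ("windows", PEM_WIN)):
        print(name, "DER fingerprint :", fingerprint(pem_to_der(pem)))
        print(name, "hash of PEM text:", fingerprint(pem.encode("ascii")))
```

Both layouts print the same DER fingerprint, while the two "hash of PEM text" values differ from each other and from the fingerprint.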
Revocation Tracking
CAs and monitoring tools use fingerprints to track certificate lifecycle events — issuance, renewal, and revocation. The serial number serves a similar purpose within a single CA's records.
Certificate Transparency Logs
Every certificate fingerprint is logged in public Certificate Transparency logs. You can search these logs to discover all certificates ever issued for a domain.
Fingerprint vs Serial Number
A serial number is unique within a single CA's namespace. A fingerprint is globally unique. If you need to identify a certificate unambiguously across CAs, use the SHA-256 fingerprint.