Field Reference

Certificate Fingerprint Explained

A certificate fingerprint is a hash of the certificate's DER-encoded bytes. Learn what fingerprints are, how they're computed, and how to use them to verify a certificate.

A certificate fingerprint is a cryptographic hash of the certificate's DER-encoded bytes. It uniquely identifies a specific certificate — even a small change to any field in the certificate produces a completely different fingerprint. Fingerprints are used to verify that you're looking at the exact certificate you expect.

How Fingerprints Are Computed

To compute a fingerprint:

  1. Convert the certificate from PEM to DER (drop the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, join the base64 body, and decode it to binary)
  2. Run the DER bytes through a hash function (SHA-256, or SHA-1 for legacy tooling)
  3. Format the digest as uppercase hex, split into colon-separated byte pairs (e.g., AB:CD:EF:...)

The decoder above does this automatically and displays both the SHA-256 and SHA-1 fingerprints.
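The three steps above, as an added example in Python (standard library only; this is not the decoder's own code). The sample certificate bytes are constructed and are not a real X.509 certificate: the steps never parse the ASN.1 structure, so the functions behave identically on a real PEM file. The same values come out of `openssl x509 -in cert.pem -noout -fingerprint -sha256`.

```python
import base64
import hashlib
import re

# Constructed stand-in for certificate bytes. NOT a real X.509 certificate;
# the code below never parses ASN.1, it only decodes and hashes, so any
# bytes demonstrate the procedure.
SAMPLE_DER = bytes(range(0, 80))

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def wrap_pem(der: bytes, label: str = "CERTIFICATE", width: int = 64) -> str:
    """Encode DER bytes as PEM: base64 body split into lines of `width` chars."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    """Step 1: strip the PEM armour and base64-decode the body to DER bytes."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in input")
    body = "".join(match.group(1).split())  # remove line breaks between base64 chunks
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Steps 2 and 3: hash the DER bytes, format as colon-separated uppercase hex."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_from_pem(pem: str) -> dict:
    """Both fingerprints the decoder shows, computed from PEM text."""
    der = pem_to_der(pem)
    return {"sha256": fingerprint(der, "sha256"), "sha1": fingerprint(der, "sha1")}


if __name__ == "__main__":
    pem = wrap_pem(SAMPLE_DER)
    print(pem)
    for alg, fp in fingerprints_from_pem(pem).items():
        print(f"{alg}: {fp}")
    # Re-wrapping the same DER at another line width changes the PEM text but
    # not the fingerprint: it is the DER, not the PEM, that gets hashed.
    assert fingerprints_from_pem(wrap_pem(SAMPLE_DER, width=76)) == fingerprints_from_pem(pem)
    # Flipping a single bit anywhere in the certificate yields an unrelated fingerprint.
    altered = bytearray(SAMPLE_DER)
    altered[10] ^= 0x01
    print("one bit changed:", fingerprint(bytes(altered)))
```

Note that `pem_to_der` ignores whitespace and line-wrapping inside the PEM block, which is why a certificate copied through a mail client or a wiki still yields the same fingerprint as the original file, as long as the base64 characters themselves are intact.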

SHA-256 vs. SHA-1 Fingerprints

Both hash functions produce a fingerprint of the certificate bytes:

  • SHA-256: 64 hex characters (256 bits). The current standard. Use this for all new verification purposes.
  • SHA-1: 40 hex characters (160 bits). Deprecated for cryptographic use: chosen-prefix collisions for SHA-1 are practical, so two different certificates can be crafted to share a SHA-1 fingerprint. SHA-1 fingerprints still appear in many tools and documentation and are fine for looking a certificate up, but never accept or pin a certificate on the strength of its SHA-1 fingerprint alone; prefer SHA-256 going forward.

What Fingerprints Are Used For

  • Certificate pinning: Applications can hardcode the expected certificate fingerprint and reject connections if it doesn't match. Because the fingerprint covers the whole certificate, every renewal or re-issuance changes it, so a pinned fingerprint must be rotated on the same schedule as the certificate; many deployments pin a hash of the SubjectPublicKeyInfo instead, which survives re-issuance with the same key
  • Out-of-band verification: When setting up a server, you can verify the certificate fingerprint matches what you deployed by checking it independently (e.g., comparing the fingerprint shown in a browser against one you computed from the cert file)
  • Audit trails: Security teams log fingerprints to track which exact certificate was in use at a given time
  • Certificate Transparency monitoring: CT logs and log search services can be queried by fingerprint, which makes it easy to check whether a certificate you hold was actually logged
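The pinning and out-of-band verification uses above, as an added example in Python (standard library only; not the decoder's code). `verify_pin` accepts the expected fingerprint in the forms people actually paste (colon-separated, spaced, bare hex, upper or lower case), refuses SHA-1 pins, and compares in constant time. `fetch_peer_der` is the hypothetical network helper that would feed a live server's leaf certificate into it; the offline demo uses constructed bytes instead of a real certificate.

```python
import hashlib
import hmac
import re
import socket
import ssl


def normalize_fingerprint(fp: str) -> str:
    """Turn 'AB:CD:..', 'ab cd ..', 'abcd..' or 'sha256/abcd..' into lowercase hex."""
    fp = fp.strip()
    if "/" in fp:                      # tolerate an algorithm prefix such as 'sha256/'
        fp = fp.split("/", 1)[1]
    hexstr = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexstr):
        raise ValueError("fingerprint contains non-hex characters")
    return hexstr


def verify_pin(der: bytes, expected: str) -> bool:
    """True only if the SHA-256 fingerprint of `der` equals the expected pin.

    SHA-1 pins (40 hex digits) are rejected outright rather than compared:
    an attacker-chosen collision would otherwise pass the check.
    """
    hexstr = normalize_fingerprint(expected)
    if len(hexstr) != 64:
        raise ValueError("pin must be a SHA-256 fingerprint (64 hex digits)")
    actual = hashlib.sha256(der).hexdigest()
    # Constant-time comparison so a mismatch does not leak which byte differed.
    return hmac.compare_digest(actual, hexstr)


def fetch_peer_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate a server presents, as DER bytes.

    Hypothetical helper; it performs normal chain validation first, and the
    pin check is an additional constraint on top of that. Not used offline.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Offline demo with constructed bytes (not a certificate). Against a real
    # host you would call verify_pin(fetch_peer_der("example.com"), pin).
    der = b"abc"
    pin = ("BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
           "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD")
    print("colon form matches:", verify_pin(der, pin))
    print("bare lowercase matches:", verify_pin(der, pin.replace(":", "").lower()))
    print("different bytes match:", verify_pin(b"abd", pin))
```

Treat a `False` from `verify_pin` as a hard failure and close the connection; do not fall back to ordinary chain validation, since the whole point of the pin is to reject certificates a CA would otherwise vouch for.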

Fingerprint vs. Signature

A fingerprint is a hash of the entire certificate (including the CA's signature). The certificate's signature is what the CA computed, with its private key, over the to-be-signed portion of the certificate (everything except the signature itself) to attest to its contents. These are different things: the fingerprint lets you uniquely identify the certificate; the signature, checked against the CA's public key, lets you verify the CA endorsed it. Fingerprints are computed from the certificate's DER binary encoding, not the PEM text, so re-wrapping or re-encoding the PEM does not change them. See also: certificate serial numbers, which are assigned by the issuing CA rather than derived from the contents and serve a similar identification role only within that CA's scope.

Ready to inspect a certificate?

Use the free decoder to decode any PEM certificate and see all of its fields, including the SHA-256 and SHA-1 fingerprints explained above.

Decode a Certificate