On Sun, Jun 14, 2015 at 02:28:31PM -0400, b...@bitrate.net wrote:

> In TLS_README it's instructed to use the following command to compute an
> sha-1 public key fingerprint:
> 
> $ openssl x509 -in foo.example.com-cert.pem -noout -pubkey |
>   openssl pkey -pubin -outform DER |
>   openssl dgst -sha1 -c
>   (stdin)= 7e:8b:82:2e:c8:9a:bc:f9:ae:1a:de:e6:9a:6c:b3:3b:b3:34:21:7a
> 
> that didn't work for me,

Rather unfortunate that you don't explain how or why.  Most likely you're
using a version of OpenSSL that is older than 1.0.0, and does not have the
"pkey" command.  For RSA keys you can replace "openssl pkey" with "openssl rsa".

This computes a public key fingerprint.

> $ openssl x509 -noout -in foo.example.com-cert.pem -fingerprint
> SHA1 Fingerprint=A2:76:67:9B:B1:B8:4A:2F:DF:10:12:94:67:62:BE:47:6F:08:0F:12
> 
> did work.

This computes the certificate fingerprint, not the public key
fingerprint.

> as seen, they both output valid digests, but the values differ.

As expected.

> I'm using postfix 2.11.3 and openssl 1.0.1f on ubuntu 15.04.
> I also experience this with postfix 2.11.0 and openssl 1.0.1f
> on ubuntu 14.04

What are these fingerprints for?

-- 
        Viktor.
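
The difference between the two digests discussed in this message, as an added example that is not part of the original thread: it issues two self-signed certificates over one throwaway RSA key and computes both fingerprints for each. The file names, the CN and the serial numbers are constructed for the demo, and `openssl pkey` assumes OpenSSL 1.0.0 or later.

```shell
#!/bin/sh
# Added illustration: throwaway key and two self-signed certificates.
# File names, CN and serial numbers are constructed for this demo.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# SHA-1 over the DER SubjectPublicKeyInfo extracted from a certificate.
pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha1 -c | sed 's/^.*= *//'
}

# SHA-1 over the whole DER certificate, normalised to lower case.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 |
        sed 's/^.*=//' | tr 'A-F' 'a-f'
}

# Same digest as pubkey_fp, computed from the private key alone.
key_fp() {
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha1 -c | sed 's/^.*= *//'
}

openssl genrsa -out "$work/key.pem" 2048 2>/dev/null

# Issue an "original" and a "renewed" certificate over the same key.
for n in 1 2; do
    openssl req -x509 -new -key "$work/key.pem" -subj "/CN=foo.example.com" \
        -days $((n * 30)) -set_serial "$n" -out "$work/cert$n.pem" 2>/dev/null
done

for n in 1 2; do
    echo "cert$n certificate fingerprint: $(cert_fp "$work/cert$n.pem")"
    echo "cert$n public key fingerprint:  $(pubkey_fp "$work/cert$n.pem")"
done
echo "key.pem public key fingerprint: $(key_fp "$work/key.pem")"
```

The public key fingerprint is identical for both certificates and for the key itself, while the certificate fingerprint changes with every reissue.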
