Hello,

for certificates which get renewed -- mine do twice a year, for example -- the fingerprint changes:

  ?0[tmp]$ openssl x509 -fingerprint -noout < cert.old
  SHA1 Fingerprint=00:10:F0:2C:EA:50:1F:11:FE:8D:CC:A0:A9:40:91:A2:D0:4D:65:4E
  ?0[tmp]$ openssl x509 -fingerprint -noout < cert.crt
  SHA1 Fingerprint=77:E3:10:F0:3B:D9:1E:1F:29:B0:83:74:50:29:67:E4:04:B2:53:B1

Of course if you have the CA's certificate you can verify the validity of the above, but if I change the CA you need to get that one etc. I may also change to a self-signed CA. Imagine I need to renew my certificate, switch the CA and use sk_X509_push() to include the new root certificate that signed my updated certificate with my .p7s. The receiver will (possibly) get a verification failure, but if there were an easy possibility to verify the fingerprint of the public key he or she would be able to verify that only the certificate changed, not the key:

  ?0[tmp]$ openssl x509 -pubkey -noout < cert.old|
  > openssl rsa -pubin -outform der|
  > openssl sha1
  writing RSA key
  (stdin)= 0e349338a3baf9f1edf176dd02151939a31ebb79
  ?0[tmp]$ openssl x509 -pubkey -noout < cert.crt|
  > openssl rsa -pubin -outform der|
  > openssl sha1
  writing RSA key
  (stdin)= 0e349338a3baf9f1edf176dd02151939a31ebb79

In the end the key is an authority by itself, no?

--steffen
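The comparison described in the message above, wrapped as a reusable check. This is an added example, not part of the original message: it swaps in SHA-256 and `openssl pkey` (so non-RSA keys also work) for the SHA-1 and `openssl rsa` commands shown, and the function names and the sample certificates generated by `make_demo_certs` are constructed for illustration.

```shell
#!/bin/sh
# Added example: tell "certificate renewed, key unchanged" apart from
# "key replaced". Function names and demo data are hypothetical.

# spki_fp CERT: hex SHA-256 of the certificate's DER SubjectPublicKeyInfo.
spki_fp() {
    # Extract the key first, so an unreadable certificate is reported as
    # an error instead of silently hashing empty input.
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# cert_fp CERT: SHA-256 fingerprint of the whole certificate; this value
# changes on every renewal even when the key stays the same.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# same_key OLD NEW: exit 0 if both certificates carry the same public key,
# 1 if the keys differ, 2 if either certificate cannot be read.
same_key() {
    old=$(spki_fp "$1") || return 2
    new=$(spki_fp "$2") || return 2
    [ "$old" = "$new" ]
}

# make_demo_certs DIR: constructed sample data. old.pem and new.pem are
# self-signed over key a (a renewal under a different issuer name);
# other.pem is self-signed over the unrelated key b.
make_demo_certs() {
    openssl genrsa -out "$1/a.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/a.key" -subj "/CN=old.example" \
        -days 180 -out "$1/old.pem" 2>/dev/null &&
    openssl req -new -x509 -key "$1/a.key" -subj "/CN=renewed.example" \
        -days 180 -out "$1/new.pem" 2>/dev/null &&
    openssl req -new -x509 -key "$1/b.key" -subj "/CN=other.example" \
        -days 180 -out "$1/other.pem" 2>/dev/null
}
```

A matching key fingerprint only shows key continuity; whether the key itself is trusted still depends on how the first fingerprint was obtained.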
