-fingerprint is the hash of the whole cert. The question was hash of issuer name.
If youre satisfied with hash of the issuer name >as encoded<, which should not but can differ from the canonicalized form OpenSSL uses for lookup, you can: - use asn1parse to find the byte position of the issuer DN - use asn1parse strparse to extract issuer in DER to a separate file or more clumsily use something general like dd or perl to extract issuer in DER - hash that file From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm Sent: Thursday, September 11, 2014 06:25 To: openssl-users@openssl.org Subject: Re: issuer_hash On 11/09/2014 09:40, Steven Madwin wrote: cid:image001.gif@01CFCE32.F3F4B120 I see that the x509 command used with the issuer_hash option returns a four byte digest value. Is there any method using OpenSSL to procure the 20-byte SHA-1 digest value of the issuer name? use -fingerprint (-subject_hash and -issuer_hash are used to look up CAs in a disk-based database, as used by the -CAdir option to various other OpenSSL commands. Basically, each CA is listed under its own -subject_hash, and calling -issuer_hash on a certificate then tells where to look for the CA certificate). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded