Verify Fingerprint of x509 Certificate from SAML2 XML Metadata

SAML

We needed to determine the “fingerprint” of an X509 certificate present within SAML2 XML Metadata, as part of updating the metadata while swapping our IdP from Shibboleth IdP to OpenAthens IdP.

  • The body of <X509Certificate> holds the DER-encoded X509 certificate (as base64 text) within the SAML2 XML Metadata.
  • We want to extract this certificate and obtain the SHA-256 fingerprint of it.

You’ll need your own source Metadata from which to extract the X509 certificate, but to illustrate, here is an example.

Step 1 – Get the X509 Certificate

We want to extract the X509Certificate string (highlighted below); copy this really long string out.

Step 2 – Add the BEGIN and END Statements

Paste this really long string into a file with the extension .crt (as it’s DER encoded); we’ll call our file x509cert.crt

Then add the BEGIN and END statements; these need to be exactly as shown, with five hyphens before and after.

-----BEGIN CERTIFICATE-----
 
-----END CERTIFICATE-----

Don’t worry that it’s one massive line.

Step 3 – Fold the Certificate into 64 Character Blocks (Optional)

Although you don’t strictly need to do this for Steps 4 and 5 to work, it’s nice to have a file formatted into a proper certificate block.

fold -w 64 x509cert.crt >x509cert.pem

Step 4 – Get the Information (Optional)

Run the following command to see the information about the certificate which includes things like the CN, expiry dates and so forth.

openssl x509 -in x509cert.pem -noout -text

Step 5 – Obtain the Fingerprint

To get the fingerprint for the certificate, use the following command:

openssl x509 -noout -fingerprint -sha256 -inform pem -in x509cert.pem

We’ll then get the SHA256 fingerprint for the certificate, something like the following:

sha256 Fingerprint=4A:7A:87:12:E6:CC:DD:28:B0:FF:5F:70:F9:9D:1E:0B:33:EB:D7:F8:59:AB:B3:95:91:EA:63:32:AB:5A:3F:35
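The five manual steps above as one script, as an added example that is not part of the original post: it pulls every <ds:X509Certificate> out of the metadata, hashes the decoded DER bytes exactly as openssl’s -fingerprint does, and can emit the PEM block from Steps 2 and 3 for use with openssl x509. The metadata and the certificate blob are constructed placeholders (assumptions, not real values); only the Python standard library is used.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample metadata (assumption); the cert body is a placeholder blob, not a real cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            TUlJQ3NEQ0NBWmlnQXdJQkFnSUJBVEFO
            QmdrcWhraUc5dzBCQVFzRkFEQQ==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def extract_certificates(metadata_xml):
    """Return the DER bytes of every <ds:X509Certificate>; the element body is
    base64 of the DER, usually line-wrapped, so whitespace is stripped first."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for el in root.iter(f"{{{DS_NS}}}X509Certificate"):
        b64 = "".join((el.text or "").split())
        certs.append(base64.b64decode(b64, validate=True))
    return certs

def sha256_fingerprint(der):
    """Same value as `openssl x509 -fingerprint -sha256`: SHA-256 over the DER
    bytes, rendered as colon-separated uppercase hex pairs."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def to_pem(der):
    """Wrap the DER in a PEM block with 64-column base64 lines (Steps 2 and 3)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for der in extract_certificates(SAMPLE_METADATA):
        print("sha256 Fingerprint=" + sha256_fingerprint(der))
        print(to_pem(der))
```

Point extract_certificates at your real metadata file and compare its output with the fingerprint the IdP publishes before trusting the new metadata.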
