We needed to determine the “fingerprint” of an X509 certificate present within SAML2 XML Metadata, as part of a metadata update while swapping our IdP from Shibboleth IdP to OpenAthens IdP.
- The body of <X509Certificate> is the base64-encoded DER data of the X509 certificate within the SAML2 XML Metadata.
- We want to extract this certificate and obtain its SHA-256 fingerprint.
You’ll need your own source Metadata from which to extract the X509 certificate, but to illustrate, here is an example.
Step 1 – Get the X509 Certificate
We want to extract the <X509Certificate> string highlighted below; copy this really long string out.

Step 2 – Add the BEGIN and END Statements
Paste this really long string into a file with the extension .crt (as it’s DER encoded); we’ll call our file x509cert.crt.
Then add the BEGIN and END statements. These need to be exactly as shown, with five hyphens before and after:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Don’t worry that it’s one massive line.
Step 3 – Fold the Certificate into 64 Character Blocks (Optional)
Although you don’t strictly need to do this for Steps 4 and 5 to work, it’s nice to have a file formatted into a proper certificate block.
fold -w 64 x509cert.crt >x509cert.pem
Step 4 – Get the Information (Optional)
Run the following command to see information about the certificate, including things like the CN, expiry dates and so forth.
openssl x509 -in x509cert.pem -noout -text
Step 5 – Obtain the Fingerprint
To get the fingerprint for the certificate, use the following command:
openssl x509 -noout -fingerprint -sha256 -inform pem -in x509cert.pem
We’ll then get the SHA256 fingerprint for the certificate, something like the following:
sha256 Fingerprint=4A:7A:87:12:E6:CC:DD:28:B0:FF:5F:70:F9:9D:1E:0B:33:EB:D7:F8:59:AB:B3:95:91:EA:63:32:AB:5A:3F:35
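The fingerprint OpenSSL prints is simply the SHA-256 of the certificate’s DER bytes, i.e. of the decoded <X509Certificate> body (hashing the PEM text or the base64 string gives a different value). As an added example that is not part of the original post, the script below does Steps 1 to 5 directly against the metadata: it finds every X509Certificate under a KeyDescriptor, base64-decodes it and prints the openssl-style fingerprint, and can also write the PEM block Steps 2 and 3 produce. The sample metadata is constructed and its certificate body is base64("abc") rather than a real certificate, so the result can be checked against the known SHA-256 test vector; on real metadata it matches the openssl output above.

```python
"""Compute the SHA-256 fingerprint of every X509Certificate in SAML2 metadata."""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the certificate body is base64("abc"), not a real certificate.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        YW
        Jj
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint_der(der: bytes) -> str:
    """openssl-style fingerprint: SHA-256 over the DER bytes, upper-case hex, colon-separated."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def to_pem(der: bytes) -> str:
    """Equivalent of Steps 2 and 3: base64 wrapped at 64 columns between BEGIN/END lines."""
    body = textwrap.fill(base64.b64encode(der).decode("ascii"), 64)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def certificate_fingerprints(metadata_xml: str) -> list[tuple[str, str]]:
    """Return (KeyDescriptor use, fingerprint) for every X509Certificate in the metadata."""
    root = ET.fromstring(metadata_xml)
    results = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use", "signing and encryption")  # a missing 'use' means both
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            # The element body is base64 text of the DER certificate, usually wrapped
            # across lines: drop all whitespace before decoding, then hash the DER bytes.
            b64 = "".join((cert.text or "").split())
            der = base64.b64decode(b64, validate=True)
            results.append((use, fingerprint_der(der)))
    return results

if __name__ == "__main__":
    for use, fp in certificate_fingerprints(SAMPLE_METADATA):
        print(f"{use}: sha256 Fingerprint={fp}")
```

Metadata often carries separate signing and encryption certificates, so check the use value before pasting a fingerprint into the SP configuration.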
Additional Information
- https://megamorf.gitlab.io/cheat-sheets/openssl/
- https://community.rsa.com/s/article/How-to-view-a-certificate-fingerprint-as-SHA-256-SHA-1-or-MD5-using-OpenSSL-for-RSA-Authentication-Manager
- https://serverfault.com/questions/391396/how-to-split-a-pem-file
- https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0109904