How to get a certificate thumbprint using openssl

A helpful one-liner for grabbing cert info quickly.

How to get a certificate thumbprint using openssl
Photo by Josh Appel / Unsplash
?
Author's note: this is an older article brought over by popular request. Some of the information may be a little dated.

I was troubleshooting a certificate issue earlier that required me to verify the thumbprint of a leaf cert. The challenge? I was working from console connection and couldn't copy/paste details from the session.

The solution? Run this one-liner:

openssl s_client -connect <host>:<destination> | openssl x509 -noout -fingerprint

So for example, if I want the fingerprint for https://www.google.com, I'd get something like this:

    $ openssl s_client -connect www.google.com:443 | openssl x509 -noout -fingerprint
    depth=3 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    verify return:1
    depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    verify return:1
    depth=1 /C=US/O=Google Inc/CN=Google Internet Authority G2
    verify return:1
    depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    verify return:1
    SHA1 Fingerprint=E0:F4:BA:CB:92:BF:0C:C7:02:92:FA:B5:5A:84:F1:95:C1:F5:23:06

Note that it's a SHA1 fingerprint (which is usually pretty common). If I wanted the SHA256 fingerprint, I could use the -sha256 switch. So, continuing the example from above, it would look like:

    $ openssl s_client -connect www.google.com:443 | openssl x509 -noout -fingerprint -sha256
    depth=3 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    verify return:1
    depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    verify return:1
    depth=1 /C=US/O=Google Inc/CN=Google Internet Authority G2
    verify return:1
    depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    verify return:1
    SHA256 Fingerprint=C5:C6:1A:50:8C:A3:68:5E:28:F9:56:70:F3:41:62:1D:1D:99:66:A4:07:16:EA:32:1E:74:72:88:C8:0F:6E:A9