The UK federation routinely performs certificate verification as part of the registration process and in the maintenance of existing entities.
Following the SHAttered announcement, the UK federation team now use SHA-256 for certificate verification. Historically, the cryptographic hash function SHA-1 was used to produce the fingerprint; this page describes how you can check the SHA-256 fingerprint of your public key certificates.
It is important to note that the hash algorithm used for the fingerprint is independent of the cryptographic algorithms used within the certificate itself: checking a SHA-256 fingerprint says nothing about the signature algorithm or key type of the certificate.
If you are using the Shibboleth IdP on any platform, you should have the Java keytool application installed. The following command prints several fingerprints of the certificate (SHA-256, SHA-1 and MD5):
keytool -printcert -file filename.crt
If you are using a Linux or Unix platform, or the Shibboleth SP on any platform, you will most likely have OpenSSL installed. The following command prints the SHA-256 fingerprint of a PEM-encoded certificate (add -inform DER if the file is in binary DER form):
openssl x509 -noout -fingerprint -sha256 -in filename.crt
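For environments where neither tool is to hand, the fingerprint can be computed directly: it is nothing more than SHA-256 over the certificate's DER bytes, which is why the PEM and DER forms of the same certificate give the same value and why the fingerprint is independent of the algorithms inside the certificate. The following script is an added example (not UK federation tooling) that prints the fingerprint in the same colon-separated layout as openssl and keytool and compares it against an expected value; its sample input is a constructed placeholder whose "DER" body is just the bytes "abc", not a real certificate.

```python
"""Compute and compare SHA-256 certificate fingerprints with the standard library only.

Hypothetical helper script, not part of the UK federation or Shibboleth tooling.
"""
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def certificate_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate given either PEM or raw DER input."""
    match = PEM_RE.search(data)
    if match:
        # PEM: strip the armour lines and base64-decode the body
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    return data  # no PEM armour found: treat the input as DER already


def sha256_fingerprint(data: bytes) -> str:
    """Colon-separated uppercase hex, the layout openssl and keytool print."""
    digest = hashlib.sha256(certificate_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Drop separators, whitespace and case so values from different tools compare."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_matches(data: bytes, expected: str) -> bool:
    """True only if `expected` is the SHA-256 fingerprint (64 hex digits) of `data`."""
    wanted = normalise(expected)
    if len(wanted) != 64:  # 40 digits would be a SHA-1 fingerprint: refuse to compare
        return False
    return hmac.compare_digest(normalise(sha256_fingerprint(data)), wanted)


# Constructed sample: NOT a real certificate. Its "DER" body is the bytes b"abc"
# (base64 "YWJj"), so the output can be checked against the published SHA-256 test vector.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_PEM))
```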
- Existing users of Microsoft Windows may have used the built-in certificate properties window to perform verification using the SHA-1 fingerprint. Unfortunately, this properties window only shows a SHA-1 fingerprint, so we urge you to use one of the tools above.
- Our understanding of other SAML software is that it will have either OpenSSL or Java keytool available, either within the OS or directly as a dependency of the implementation. If you have any further information on performing certificate verification with other software, please email the Federation Helpdesk.