Certificate verification

The UK federation routinely perform certificate verification as part of the process of Registration and in the maintenance of existing entities.

In the case of new entities the certificate verification is performed with the Management Contact, in this case of existing entities this may also be performed by the Administrative Contact.

Following the Shattered announcement the UK federation team are now using SHA-256 for certificate verification. Historically, the cryptographic hash function SHA-1 has been used to provide a fingerprint, this page describes how you can check the SHA-256 fingerprint of your public key certificates.

It's important to note that the certificate fingerprint, does not reflect on the actual cryptographic method used in the certificate itself.

Java Keytool

If you are using the Shibboleth IdP under any platform, then you should have the Java Keytool application installed. Using the following command, will give you a number of certificate fingerprints (SHA-256, SHA-1 and MD5).

 keytool --printcert -file filename.crt

OpenSSL

If you are using a Linux or Unix platform, or the Shibboleth SP on any platform then you will likely have the OpenSSL application installed. Using the following command, will give you a SHA-256 fingerprint.

 openssl x509 -noout -fingerprint -sha256 -in filename.crt

Other software

  • Existing users of the Microsoft Windows may have used the the built-in certificate properties window to perform verification using SHA-1 fingerprint. Unfortunately, this properties window only provides a SHA-1 fingerprint, therefore we would urge you to use one of the tools above.
  • Our understanding of other SAML software, is that they will either have OpenSSL or Java Keytool available, either within the OS or directly as a dependancy in the implementation. If you have any further information on performing certificate verification with other software, please email the Federation Helpdesk.