SSL fingerprint does not match

I checked the fingerprint for my Postfix SSL/TLS certificate like this:

```
openssl x509 -in public.cer -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -c
```

But when I obtain the fingerprint for the mailserver from my local machine:

```
openssl s_client -connect my.mail.server:587 -starttls smtp < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin | cut -d'=' -f2
```

I get a different fingerprint. How can that be?

Thanks, Jan

dave_thompson_085
You are computing a hash of the publickey, which is not the fingerprint of the certificate. **A certificate fingerprint is the hash of the _whole certificate_ (as DER)**, not of the publickey. Also, you don't need `-in /dev/stdin`; if you omit `-in` it defaults to stdin.
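
The distinction drawn in the comment above, as an added example that is not part of the original thread: it hashes the whole DER certificate and, separately, only its SubjectPublicKeyInfo. It goes slightly further by showing that a reissued certificate with the same key keeps the public-key hash but gets a new fingerprint. The sample certificates are constructed, unsigned stand-ins, and all function names are illustrative.

```python
import hashlib

SEQ, INT, BITS, OID, VER = 0x30, 0x02, 0x03, 0x06, 0xA0

def tlv(tag, body):
    """DER-encode one element (used only to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf, pos):
    """Return (tag, content_start, end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        start, n = pos + 2, first
    else:
        start = pos + 2 + (first & 0x7F)
        n = int.from_bytes(buf[pos + 2:start], "big")
    return tag, start, start + n

def spki_of(cert_der):
    """Slice the SubjectPublicKeyInfo element out of an X.509 certificate."""
    _, tbs_at, _ = read_tlv(cert_der, 0)       # step into Certificate
    _, pos, _ = read_tlv(cert_der, tbs_at)     # step into tbsCertificate
    tag, _, end = read_tlv(cert_der, pos)
    if tag == VER:                             # optional [0] version
        pos = end
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)
    return cert_der[pos:end]

def cert_fingerprint(cert_der):
    """What `openssl x509 -fingerprint -sha256` hashes: the whole certificate."""
    return hashlib.sha256(cert_der).hexdigest()

def pubkey_hash(cert_der):
    """What the pkey | dgst pipeline hashes: only the public key (SPKI)."""
    return hashlib.sha256(spki_of(cert_der)).hexdigest()

def sample_cert(serial):
    """Constructed, unsigned stand-in with X.509 layout; not a real certificate."""
    empty = tlv(SEQ, b"")  # placeholder for algorithm/name/validity fields
    spki = tlv(SEQ, tlv(SEQ, tlv(OID, b"\x2a\x03")) + tlv(BITS, b"\x00constructed-key"))
    tbs = tlv(SEQ, tlv(VER, tlv(INT, b"\x02")) + tlv(INT, bytes([serial]))
              + empty * 4 + spki)
    return tlv(SEQ, tbs + empty + tlv(BITS, b"\x00constructed-sig"))

first, renewed = sample_cert(1), sample_cert(2)  # same key, different serial
```

For a real certificate, pass `ssl.PEM_cert_to_DER_cert(pem_text)` to these functions. Note also that `openssl x509 -fingerprint` prints a SHA-1 digest unless `-sha256` is given, so the digest algorithm has to match as well as the input.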