SSL fingerprint does not match

janeden

6/5/23, 1:32 AM

I checked the fingerprint for my Postfix SSL/TLS certificate like this:

openssl x509 -in public.cer -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -c

But when I obtain the fingerprint for the mailserver from my local machine

openssl s_client -connect my.mail.server:587 -starttls smtp < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin | cut -d'=' -f2

I get a different fingerprint. How can that be?

Thanks, Jan

0 + 0

ssl

postfix

dave_thompson_085

6/5/23, 5:28 AM

You are computing a hash of the publickey, which is not the fingerprint of the certificate. **A certificate fingerprint is the hash of the _whole certificate_ (as DER)**, not of the publickey. Also, you don't need `-in /dev/stdin`; if you omit `-in` it defaults to stdin.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: SSL fingerprint does not match

TH: ลายนิ้วมือ SSL ไม่ตรงกัน

RO: Amprenta SSL nu se potrivește

RU: Отпечаток SSL не совпадает

VI: Dấu vân tay SSL không khớp

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.