18

I recently learned the mechanism of certificates, but I can't understand why a "thumbprint" is included in a certificate.

For intermediate and end-user certificates, the certificate is verified by its issuer, so the thumbprint can simply be calculated, as the certificate itself is trusted.

For root/self-signed certificates, they're not trusted unless provided with the OS, so the thumbprint included is also not trusted.

I think I just misunderstood something; can anyone point it out?

DDoSolitary
  • Related answers discussing why thumbprints are used: http://security.stackexchange.com/questions/35691/what-is-the-difference-between-serial-number-and-thumbprint and http://security.stackexchange.com/questions/116343/what-is-the-difference-between-a-certificate-a-signature-and-a-thumbprint-in-ca – Jedi Jul 16 '16 at 04:44
  • @Stalker, can you tell what thumbprints are and how they are related to certificates? Or you can send a decent link to read. – one Jul 16 '16 at 18:18
  • 1
    @one: A thumbprint is actually the hash value of the corresponding certificate in DER format. As far as I know, thumbprints are used to locate certificates easily. When a program is requesting a certificate, instead of using its subject name or something else, it can just provide its thumbprint. I used to think they are stored in the certificates because I can see the thumbprint when opening a certificate in Windows. But now I've understood that they are calculated when they're needed. (Might be cached? I don't know.) – DDoSolitary Jul 17 '16 at 00:08

1 Answer

28

There is no thumbprint included in the certificate. What is included is a signature which is used to build the trust chain.

The thumbprint (or fingerprint) is just a hash over the certificate to make it easier for humans to compare certificates. It is not included but computed when needed.

Steffen Ullrich
  • 1
    So the "Thumbprint" field in the Windows certificate information dialog is simply calculated when the dialog is opened? – DDoSolitary Jul 16 '16 at 06:02
  • 6
    @Stalker: yes. And it will often show you even several thumbprints, i.e. SHA-1, SHA-256 etc - all freshly calculated. – Steffen Ullrich Jul 16 '16 at 07:13
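An added example (not code from the question or the answer) showing what the answer describes: the thumbprint is a hash computed over the certificate's DER bytes whenever it is needed, it is the same whichever way the PEM is wrapped, and it is not stored inside the certificate. The certificate bytes below are a constructed stand-in (a minimal DER SEQUENCE, not a real X.509 certificate), and all function names are my own.

```python
import base64
import hashlib
import re

# Constructed stand-in for a DER-encoded certificate: a tiny valid DER
# SEQUENCE { INTEGER 1 }, not a real X.509 structure. Any real DER works here.
SAMPLE_DER = bytes.fromhex("3003020101")
PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem):
    """Strip the PEM armor and base64-decode the body to recover the DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der, width=64):
    """Wrap DER as PEM; the line width is cosmetic and must not change the thumbprint."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def thumbprint(cert, algo="sha256"):
    """Thumbprint = hash over the DER encoding, shown as colon-separated uppercase
    hex, the format OpenSSL and the Windows certificate dialog display."""
    der = pem_to_der(cert) if isinstance(cert, str) else cert
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())


def normalize(tp):
    """Canonical form for comparison: lowercase hex with separators removed."""
    return re.sub(r"[^0-9a-f]", "", tp.lower())


def thumbprint_matches(cert, expected, algo="sha256"):
    """Compare a certificate against a thumbprint pinned in configuration."""
    return normalize(thumbprint(cert, algo)) == normalize(expected)


def contains_thumbprint(der, algo="sha256"):
    """True only if the digest bytes occur inside the certificate itself."""
    return hashlib.new(algo, der).digest() in der


if __name__ == "__main__":
    for algo in ("sha1", "sha256"):
        print(algo, thumbprint(der_to_pem(SAMPLE_DER), algo))
    print("stored inside certificate?", contains_thumbprint(SAMPLE_DER))
```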