I'm looking at a Windows PKI and see that the Thumbprint is SHA1, while the Signature is SHA2 (SHA256).
Is this an acceptable configuration?
Should I recommend that the client update to SHA2 for a Thumbprint?
Would this cause some backward compatibility issues?
I think that's a calculated value by the Windows GUI. And not actually inside the cert. Have a look at the cert itself using OpenSSL. (openssl x509 -in MYFILENAME.CER -noout -text)
Here's a blog that talks about this:
http://morgansimonsen.wordpress.com/2013/04/16/understanding-x-509-digital-certificate-thumbprints/
the thumbprint is a computed field, i.e. not a part of the certificate data itself.
