Computing an X509 Certificate's Thumbprint in Java
If you’re working with X.509 certificates, you may find yourself needing to compute a thumbprint of one of these certificates. A thumbprint is simply a unique, non-reversible identifier for a digital certificate. It’s a convenient way to quickly identify a specific certificate without having to compare the actual contents of the certificate. Fortunately, Java provides an easy way to do this via its java.security.cert.CertificateFactory and java.security.MessageDigest classes.
Step 1: Create a CertificateFactory object
The first step is to create an instance of CertificateFactory. This class provides factory methods for constructing certificate objects from their encodings. The most common encoding for X.509 certificates is DER, so we request a factory for the "X.509" certificate type, which reads DER-encoded input:
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Step 2: Generate the Certificate
Next, we need to generate the certificate object from its encoded form. We can do this by using the generateCertificate(InputStream is) method of the CertificateFactory class. The is parameter should be an InputStream over the certificate's encoded bytes; here, certificateBytes is a byte array holding the contents of the certificate file:
InputStream is = new ByteArrayInputStream(certificateBytes);
X509Certificate cert = (X509Certificate) cf.generateCertificate(is);
Step 3: Compute the Thumbprint
Finally, we can compute the thumbprint of the certificate. We use the getEncoded() method of the X509Certificate class to get the certificate as a byte array, and call MessageDigest.getInstance("SHA-1") to create a new MessageDigest object. We then call the digest(byte[]) method with the certificate data to compute the thumbprint:
MessageDigest digest = MessageDigest.getInstance("SHA-1");
byte[] thumbprint = digest.digest(cert.getEncoded());
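The three steps above combined into one runnable class, as an added example rather than code from the original article; it also renders the thumbprint as hex and compares it with a value copied from another tool. The class name CertThumbprint, the helper names and the fallback to the first certificate in the JDK's default trust store are assumptions made for the illustration, and HexFormat requires Java 17 or later.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CertThumbprint {
    // Steps 1 and 2: parse DER (or PEM) bytes into an X509Certificate.
    static X509Certificate parse(byte[] certificateBytes) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(certificateBytes));
    }

    // Step 3: hash the certificate's DER encoding, rendered as uppercase hex.
    static String thumbprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] hash = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        return HexFormat.of().withUpperCase().formatHex(hash);
    }

    // Compare with a thumbprint copied from another tool, ignoring case, colons and spaces.
    static boolean matches(X509Certificate cert, String algorithm, String expected) throws Exception {
        String hex = expected.replaceAll("[^0-9A-Fa-f]", "");
        byte[] actual = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        return MessageDigest.isEqual(actual, HexFormat.of().parseHex(hex));
    }

    // Sample input when no file is given (assumes the JDK's default trust store is not empty).
    static byte[] sampleCertificateBytes() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        return ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers()[0].getEncoded();
    }

    public static void main(String[] args) throws Exception {
        byte[] certificateBytes = args.length > 0 ? Files.readAllBytes(Path.of(args[0])) : sampleCertificateBytes();
        X509Certificate cert = parse(certificateBytes);
        String sha256 = thumbprint(cert, "SHA-256");
        System.out.println(cert.getSubjectX500Principal() + "\nSHA-256: " + sha256 + "\nSHA-1:   " + thumbprint(cert, "SHA-1"));
        // The same value in the lowercase colon-separated form other tools often print.
        String colonForm = sha256.replaceAll("(..)(?!$)", "$1:").toLowerCase();
        System.out.println("matches " + colonForm + ": " + matches(cert, "SHA-256", colonForm));
    }
}
```

Run it with a certificate file path as the only argument, or with no arguments to use the sample certificate.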
Conclusion
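With just a few steps, we’ve managed to compute the thumbprint of an X.509 certificate in Java. While this example used SHA-1 as the hashing algorithm, other algorithms such as MD5 and SHA-2 are also available by changing the name passed to MessageDigest.getInstance (for example, "SHA-256"). MD5 and SHA-1 are no longer collision-resistant, so as always, be sure to use the strongest algorithm available when computing cryptographic hashes. When comparing against a thumbprint produced by another tool, compute yours with the same algorithm that tool used.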