Discuss this help topic in SecureBlackbox Forum

Search for certificates by fingerprint

Often there is a need to find a particular certificate in the list. As certificates themselves are complicated objects several hundred bytes long, their fingerprints are often used as keys to identify them. While fingerprints are not totally unique, they still can be quite useful when there is a need to identify a particular certificate in a user friendly way, or to keep a hash table of the certificates.

TElX509Certificate offers you different methods for obtaining a fingerprint:

• GetHashMD5() returns a 16-byte MD5 hash over the DER-encoded certificate.
• GetHashSHA1() returns a 20-byte SHA1 hash over the DER-encoded certificate.
• GetHashSHA256() returns a 256-bit hash over the DER-encoded certificate.
• GetCertificateHash() returns a hash over the DER-encoded certificate computed with the specified algorithm.
• GetKeyHashSHA1() returns a 20-byte SHA1 hash over the DER-encoded public key contained in the certificate. This function can be useful if you have several certificates sharing the same public key, e.g., reissued to extend their validity period.
• GetKeyHashSHA256() returns a 256-bit hash over the DER-encoded public key contained in the certificate.
• GetZIPCertIdentifier() returns a 20-byte SHA1 hash over full public key info. This value is used as a certificate identifier in ZIP archives.

First three method return structs (records) of TMessageDigest128 and TMessageDigest160 types. You can convert them to byte arrays with SBUtils.Unit.DigestToBinary128() and SBUtils.Unit.DigestToBinary160() methods (SBUtils.DigestToBinary() in VCL edition). The fourth method readily returns a byte array.

To show your digests in user-friendly form, use SBUtils.Unit.BinaryToString() and (optionally) SBUtils.Unit.BeautifyBinaryString() routines.

How To articles about certificate storages

Discuss this help topic in SecureBlackbox Forum