4

Most of signed certificate footprints are 20 byte long (field "footprint" in Windows certificate manager).

How can this be a value signed by an issuance (certification) authority? Concretly, the signature of the certificate should be the hashed value of the certificate fields signed by a private key and thus have at least the RSA modulus length (in the case of a RSA signature) of the issuer private key and thus... be at least 512 bits (64 byte) long.

There is something I must be missing... If this footprint is only a hash, then it cannot be a signed certificate. Where is the certificate signature in fact ? it is not possible to check that the certificate is valid from a simple Hash.

Regards, Apple92

user255607
  • 1,829
  • 5
  • 25
  • 28

2 Answers2

9

Do you mean "fingerprint"? A fingerprint is only a hash and is only used as a convenience to lookup a certificate for comparison purposes. It is not part of the certificate proper, it is generated from the certificate by the certificate manager. The certificate signature is inside the certificate.

The certificate itself is composed of the identifying information and public key in a structure called a TBSCertificate (TBS is short for To Be Signed), plus the signature algorithm and the signature itself. See RFC5280 for all the gory details.

Community
  • 1
  • 1
President James K. Polk
  • 40,516
  • 21
  • 95
  • 125
4

Fingerprint, which you can see via the Certificate Manager in Windows, is not a part of the certificate. It is dynamically generated by the Certificate Manager in favor of the convenience of identifying many certificates it manages.

A certificate consists of three parts. (Details are in https://www.rfc-editor.org/rfc/rfc5280#section-4.1)

  • tbsCertificate: This contains the names of the subject and issuer, a public key associated with the subject, a validity period, etc. This tbsCertificate(a.k.a certificate to be signed) is what an issuer(CA) reviews and signs for.
  • signatureAlgorithm: The identifier for the cryptographic algorithm used by the issuer(CA) to sign the tbsCertificate above. Algorithm varies. One of the most common algorithms is to hash the tbsCertificate (of DER format) to produce a digest, which is then encoded by the issuer(CA)'s private key. The result is stored in the next field, signatureValue.
  • signatureValue: This field is populated with the resulting value that is produced by the issuer(CA) using the signatureAlgorithm above.

The behavior of composing a certificate structure above by an issuer(CA) is called signing.

Community
  • 1
  • 1
z3moon
  • 131
  • 6