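Signatures and fingerprints are both identifiers of a digital certificate, so what is the difference between them? Nobody in China has explained this question clearly.
Below is the answer given by a foreigner:
Signature and thumbprint are two completely different things. The thumbprint is irrelevant to the strength of the certificate, but the signature is relevant.
The signature of a certificate is what the issuer creates by signing the certificate. The TLS stack (inside the browser) uses this signature to validate the trust chain. It is important to use a strong algorithm here so that nobody can create a fake certificate that looks as if it was signed by a trusted issuer (CA).
The fingerprint is just a hash over the certificate. It is mainly meant for humans, to check that the certificate is the intended one, for example by phoning the CA and reading out the fingerprint to compare. The browser validates a certificate through its signature; the browser does not look at the fingerprint.
Or it is typically used with self-signed certificates: since there is no trusted issuer, the browser cannot validate the certificate by itself, so the user should verify the certificate manually against the expected one.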
Signature and thumbprint are totally different things. For strength of the certificate thumbprint is irrelevant but signature is relevant.
The signature of a certificate is the thing the issuer creates by signing the certificate. This signature is used by the TLS stack (inside the browser) to validate the trust chain. It is important to use a strong algorithm here so that nobody can create a fake certificate which looks like it was signed by a trusted issuer (CA).
The thumbprint is just a hash over the certificate. It is mainly intended for human reception, i.e. check that the certificate is the intended one. This is usually used with self-signed certificates where the browser can not validate the certificate by itself since there is no trusted issuer and so the user should verify the certificate manually against the expected one.
A certificate has only a single signature since it has only a single issuer. But you often find multiple thumbprints for the certificate, i.e. one with MD5, one with SHA-1 and one with SHA-256. This is because the browser does not know which one you got for manual verification and that's why it offers you the most common versions.
What will be the identification of my certificate SHA1/SHA2?
The identification is the certificate itself, i.e. neither the signature nor the thumbprint. But if you mean the "this certificate was signed with ...." part then this is SHA-256 in your case since what counts is the signature and not some thumbprint.
https://www.thesslstore.com/blog/ssl-certificate-still-sha-1-thumbprint/
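The distinction drawn in the answer above, as an added example that is not part of the original post: the signature algorithm is read out of the certificate, while thumbprints are computed by the viewer over the whole DER encoding with whichever hash it chooses. `SAMPLE_DER` is a constructed skeleton with a certificate's outer layout (not a valid certificate), and all function names are assumptions of this example.

```python
import hashlib

# Signature-algorithm OIDs and their conventional names (PKCS #1 arc).
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OID content bytes (first arc 0 or 1 is enough for these OIDs)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """OID in Certificate.signatureAlgorithm: what the issuer signed with."""
    _, cert, _ = read_tlv(cert_der, 0)     # outer Certificate SEQUENCE
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    _, oid, _ = read_tlv(alg_id, 0)        # algorithm OBJECT IDENTIFIER
    return decode_oid(oid)

def thumbprints(cert_der):
    """Thumbprints are computed by the viewer over the whole DER encoding."""
    return {h: hashlib.new(h, cert_der, usedforsecurity=False).hexdigest()
            for h in ("md5", "sha1", "sha256")}

def tlv(tag, body):
    """Short-form DER encoder used only to build the sample below."""
    return bytes([tag, len(body)]) + body

# Constructed skeleton with the outer layout of a certificate, not a real one:
# placeholder tbsCertificate, sha256WithRSAEncryption, dummy signature bits.
SAMPLE_DER = tlv(0x30, tlv(0x30, b"\x02\x01\x01")
                 + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
                 + tlv(0x03, b"\x00" + b"\xaa" * 8))

if __name__ == "__main__":
    oid = signature_algorithm(SAMPLE_DER)
    print("signed with:", SIG_OIDS.get(oid, oid))
    for name, digest in thumbprints(SAMPLE_DER).items():
        print(name, "thumbprint:", digest)
```

For a real certificate in PEM form, `ssl.PEM_cert_to_DER_cert` from the standard library gives the DER bytes these functions expect.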