Thumbprint of the client ssl certificate
- Jun 19, 2023
Nandhi It is important to know if you would like to know these fingerprints for the GUI SSL cert or the Client SSL Profile because they are in different directories. Without knowing which, the following are the two different paths, assuming you are using the default partition as well. You can find those by logging into the CLI of the F5, then into the Linux shell by typing "bash", and finally going to the following path and running the command below that.
*** Client SSL Profile directory ***
/config/filestore/files_d/Common_D/certificate_d/
*** F5 GUI SSL Cert directory ***
/config/httpd/conf/ssl.crt/
*** Client SSL Profile ***
openssl x509 -noout -fingerprint -sha256 -inform -pem -in \:Common\:example.com
openssl x509 -noout -fingerprint -sha1 -inform -pem -in \:Common\:example.com
*** F5 GUI SSL ***
openssl x509 -noout -fingerprint -sha256 -inform -pem -in server.crt
openssl x509 -noout -fingerprint -sha1 -inform -pem -in server.crt
Thanks for the reply Paulius. It's for the client SSL cert only. I wish to check both the SHA1 and SHA256 thumbprint values of the client SSL cert (signed by a cert authority) in the BIG-IP CLI.
Thanks.
- Nandhi, Jun 21, 2023 (Cirrus)
Thanks Paulius.
After opening the directory and running the command for client SSL, I am getting the below error.
-bad input format specified for Certificate
Unable to load certificate-.
I checked for GUI SSL cert too but same error. I am running with 14.1.5 series version.
Command:
/config/filestore/files_d/Common_D/certificate_d/
openssl x509 -noout -fingerprint -sha256 -inform -pem -in \:Common\:<cert_Name>
openssl x509 -noout -fingerprint -sha1 -inform -pem -in \:Common\:<cert_Name>
Wondering if this is a firmware issue or anything I missed here.
- Paulius, Jun 21, 2023 (MVP)
Nandhi The error that you're receiving seems more of an issue with the format of the file you are referencing rather than the command just not working. Would you mind running the following command so we can see what version of openssl that you have?
rpm -qa | grep openssl
- Nandhi, Jun 21, 2023 (Cirrus)
Thanks Paulius. Got the solution. The certificates are not in pem format. So I just removed -inform -pem then got the fingerprint of both sha1 and sha256.
The commands are :
openssl x509 -noout -fingerprint -sha256 -in :Common:<cert_Name>
openssl x509 -noout -fingerprint -sha1 -in :Common:<cert_Name>
Thanks for getting into this.
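Added example, not part of the original thread and not F5 tooling: a shell helper that returns a certificate's thumbprint for either digest whether the file is PEM or DER, and compares it with a value copied from elsewhere (for instance a CA portal). The function names `cert_thumbprint` and `thumbprint_matches` are hypothetical; note that `-inform` expects the format name (`PEM` or `DER`) as its value.

```shell
# Added example; function names are hypothetical, not from the thread.
# Print a certificate's fingerprint as bare uppercase hex (no label, no
# colons) for the given digest. Accepts PEM or DER encoded files.
cert_thumbprint() {
    digest="$1"; cert="$2"
    [ -r "$cert" ] || { echo "cannot read: $cert" >&2; return 1; }
    # PEM files carry a text armor line; anything else is treated as DER.
    if grep -q -- '-----BEGIN .*CERTIFICATE-----' "$cert"; then
        fmt=PEM
    else
        fmt=DER
    fi
    # -inform takes the format name as its argument.
    out=$(openssl x509 -noout -fingerprint "-$digest" \
              -inform "$fmt" -in "$cert") || return 1
    # Output looks like "<label> Fingerprint=AA:BB:..."; keep only the hex.
    printf '%s\n' "${out#*=}" | tr -d ':' | tr 'a-f' 'A-F'
}

# Compare a file's thumbprint with an expected value written in any common
# notation (with or without colons or spaces, upper or lower case).
# Returns 0 on match, 1 on mismatch, 2 if the certificate cannot be read.
thumbprint_matches() {
    digest="$1"; cert="$2"; expected="$3"
    actual=$(cert_thumbprint "$digest" "$cert") || return 2
    want=$(printf '%s' "$expected" | tr -d ': ' | tr 'a-f' 'A-F')
    [ "$actual" = "$want" ]
}
```

Called as `cert_thumbprint sha256 ./:Common:<cert_Name>` from the certificate directory; the `./` prefix keeps the colons in the filestore name from needing shell escapes.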