Forum Discussion

Nandhi's avatar
Nandhi
Icon for Cirrus rankCirrus
Jun 16, 2023

Thumbprint of the client ssl certificate

Hello Everyone, is there any bash or tmsh command to get thumbprint value of the big-ip client ssl certificate? Thanks
application delivery
  • Paulius's avatar
    Paulius
    Jun 19, 2023

    Nandhi It is important to know if you would like to know these fingerprints for the GUI SSL cert of the Client SSL Profile because they are in different directories. Without knowing which the following are the two different paths assuming you are using the default partition on it as well. You can find those by logging into the CLI of the F5, then into the linux shell by typing "bash", and finally going to the following path and running the command below that.

    *** Client SSL Profile directory ***
    /config/filestore/files_d/Common_D/certificate_d/
    *** F5 GUI SSL Cert directory ***
    /config/httpd/conf/ssl.crt/

    *** Client SSL Profile ***
    openssl x509 -noout -fingerprint -sha256 -inform -pem -in \:Common\:example.com
    openssl x509 -noout -fingerprint -sha1 -inform -pem -in \:Common\:example.com
    *** F5 GUI SSL ***
    openssl x509 -noout -fingerprint -sha256 -inform -pem -in server.crt
    openssl x509 -noout -fingerprint -sha1 -inform -pem -in server.crt

Paulius's avatar
Paulius
Icon for MVP rankMVP

Nandhi It is important to know if you would like to know these fingerprints for the GUI SSL cert of the Client SSL Profile because they are in different directories. Without knowing which the following are the two different paths assuming you are using the default partition on it as well. You can find those by logging into the CLI of the F5, then into the linux shell by typing "bash", and finally going to the following path and running the command below that.

*** Client SSL Profile directory ***
/config/filestore/files_d/Common_D/certificate_d/
*** F5 GUI SSL Cert directory ***
/config/httpd/conf/ssl.crt/

*** Client SSL Profile ***
openssl x509 -noout -fingerprint -sha256 -inform -pem -in \:Common\:example.com
openssl x509 -noout -fingerprint -sha1 -inform -pem -in \:Common\:example.com
*** F5 GUI SSL ***
openssl x509 -noout -fingerprint -sha256 -inform -pem -in server.crt
openssl x509 -noout -fingerprint -sha1 -inform -pem -in server.crt

Nandhi's avatar
Nandhi
Icon for Cirrus rankCirrus
Jun 21, 2023

Thanks  Paulius. 

After openup the directory and running the command for client ssl, getting below error.

-bad input format specified for Certificate

Unable to load certificate-.

I checked for GUI SSL cert too but same error. I am running with 14.1.5 series version.

Command:

/config/filestore/files_d/Common_D/certificate_d/

openssl x509 -noout -fingerprint -sha256 -inform -pem -in \:Common\:<cert_Name>
openssl x509 -noout -fingerprint -sha1 -inform -pem -in \:Common\:<cert_Name>

Wondering is this firmware issue or anything I missed here.

  • Paulius's avatar
    Paulius
    Icon for MVP rankMVP
    Jun 21, 2023

    Nandhi The error that you're receiving seems more of an issue with the format of the file you are referencing rather than the command just not working. Would you mind running the following command so we can see what version of openssl that you have?

    rpm -qa | grep openssl

    • Nandhi's avatar
      Nandhi
      Icon for Cirrus rankCirrus
      Jun 21, 2023

      Thanks Paulius. Got the solution. The certificates are not in pem format. So I just removed -inform -pem then got the fingerprint of both sha1 and sha256.

      The commands are :

      openssl x509 -noout -fingerprint -sha256 -in :Common:<cert_Name>
      openssl x509 -noout -fingerprint -sha1 -in :Common:<cert_Name>

      Thanks to get into this.