digitalbazaar / forge

A native implementation of TLS in Javascript and tools to write crypto-based and network-heavy webapps
https://digitalbazaar.com/

How to obtain certificate SHA-1 fingerprint #378

Open NuSkooler opened 8 years ago

NuSkooler commented 8 years ago

I've successfully generated a new certificate signed with my own CA. This cert is used as the client certificate when communicating with an HAProxy back end (SSL termination). From there, I forward the client cert SHA-1 fingerprint via an HTTP header using HA's ssl_c_sha1 capture.

What I'm having trouble with is calculating a matching fingerprint via forge at certificate generation time (that I can later use to validate with).

From HAProxy's documentation on ssl_c_sha1:

Returns the SHA-1 fingerprint of the certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer. This can be used to stick a client to a server, or to pass this information to a server. Note that the output is binary, so if you want to pass that signature to the server, you need to encode it in hex or base64, such as in the example below:

http-request set-header X-SSL-Client-SHA1 %[ssl_c_sha1,hex]

Any ideas?

PS: Thanks for such a great node module!

NuSkooler commented 8 years ago

As luck would have it, after playing with this all of today and a bit yesterday I finally figured it out (though perhaps there is a better way):

const fingerprint = forge.md.sha1.create().update(forge.asn1.toDer(forge.pki.certificateToAsn1(cert)).getBytes()).digest().toHex();

dlongley commented 8 years ago

Looks like that's probably the right way to do it. I don't think we have a certificate fingerprinting helper function (we only have one for public keys), but I suspect it would do the same thing. Everyone likes to do these things a little differently as well -- so I'm not sure if we'll add it. I'll leave this open for now in case people have opinions on the matter.

NuSkooler commented 8 years ago

@dlongley Thanks for your response. I'm not too sure either about how prevalent this method of cert fingerprinting is. FWIW, it's at least used by HAProxy and I believe openssl x509 ... -fingerprint