As the current implementation of sha1_hexdigest implements a hash of the 'whole object for easy differentiation', this also means that all bytes of the contents are being used, effectively causing a different digest for the same certificate if the line endings are changed:
This discrepancy caused me quite a debugging adventure. As the effective contents of the certificates don't change when using different line endings, I wouldn't count those as part of the content to be hashed, if the hash is meant to be able to differentiate certificates. I would suggest extracting the actual encoded data (e.g. the flattened base64 string) from the message and hashing only that part.
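The behaviour reported above and the suggested fix, as an added Python example that is not part of the original report or the project's code. The function names `raw_digest`, `canonical_digest` and `make_pem` are hypothetical, the payload is a constructed stand-in rather than a real certificate, and the example goes one step past the suggestion by base64-decoding the flattened body before hashing.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

def raw_digest(pem: bytes) -> str:
    """SHA-1 over every byte of the PEM text, line endings included."""
    return hashlib.sha1(pem).hexdigest()

def canonical_digest(pem: bytes) -> str:
    """SHA-1 over the decoded payload only; armor and whitespace are ignored."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    # bytes.split() with no argument drops CR, LF, spaces and tabs
    flattened = b"".join(match.group(1).split())
    return hashlib.sha1(base64.b64decode(flattened, validate=True)).hexdigest()

def make_pem(payload: bytes, newline: str, width: int = 64) -> bytes:
    """Wrap payload in PEM armor with a chosen line ending and line width."""
    b64 = base64.b64encode(payload).decode("ascii")
    body = [b64[i:i + width] for i in range(0, len(b64), width)]
    lines = ["-----BEGIN CERTIFICATE-----", *body, "-----END CERTIFICATE-----"]
    return (newline.join(lines) + newline).encode("ascii")

# Constructed stand-in payload, not a real certificate
SAMPLE_PAYLOAD = bytes(range(256)) * 2
PEM_LF = make_pem(SAMPLE_PAYLOAD, "\n")
PEM_CRLF = make_pem(SAMPLE_PAYLOAD, "\r\n")
PEM_REWRAPPED = make_pem(SAMPLE_PAYLOAD, "\n", width=76)

if __name__ == "__main__":
    samples = [("LF", PEM_LF), ("CRLF", PEM_CRLF), ("76-col", PEM_REWRAPPED)]
    for name, pem in samples:
        print(f"{name:7} raw={raw_digest(pem)} canonical={canonical_digest(pem)}")
```

The same canonical form also absorbs re-wrapping of the base64 body at a different column width, which a plain line-ending normalisation would not.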