PKI utility

Certificate Fingerprint Generator

Compute the SHA-1, SHA-256, SHA-384, and SHA-512 fingerprint (a.k.a. thumbprint) of an X.509 certificate’s DER-encoded bytes. Uses the browser’s built-in Web Crypto. Useful for matching a cert against pinned fingerprints, AAGUIDs, or audit lists.

Client-sideWeb CryptoNo upload

Input

Choose file

PEM-armoured certificate (or hex / base64).

Result

Paste, drop, or pick a file.

All hashing runs in your browser via the Web Crypto API.

About cert fingerprints

A "fingerprint" or "thumbprint" of an X.509 certificate is the hash of its DER-encoded bytes. SHA-256 is the modern default; SHA-1 is shown for compatibility with older systems but should not be used for new pinning. Always verify which algorithm a remote system expects.

Algorithms

SHA-1 (deprecated for security), SHA-256, SHA-384, SHA-512 — all from Web Crypto.

Companion tool

Inspect what is actually inside the certificate.

X.509 viewer →

Use case

Pinning AAGUIDs in FIDO MDS allow-lists.

Implementing FIDO2 →