Checking certificate fingerprints
There are two instances when the PKI administrator checks certificate fingerprints (the
SHA1, MD5, SHA256, and SHA512 hashes) in support of certificate request
processing for SCEP clients.
- Preregistered SCEP clients who request certificates from this
CA domain must download the correct PKI Services CA certificate to
their workstations before they issue their certificate requests. After
the download, the client can use the SCEP client software to display
the fingerprints of the downloaded CA certificate and then confirm
with the PKI administrator of the CA domain that it is the correct
CA certificate. To match CA certificate fingerprints with a SCEP client, the PKI administrator can display the fingerprints of the CA certificate for this domain by issuing the following MODIFY (or F) console command:
  F PKISERVD,DISPLAY
The result of this command is information message IKYP025I. Sample output:
  10.37.39 STC00146: IKYP025I PKI SERVICES SETTINGS:
  CA DOMAIN NAME: Customers
  SUBCOMPONENT MESSAGE LEVEL
  LDAP         ERROR MESSAGES AND HIGHER
  SAF          WARNING MESSAGES AND HIGHER
  DB           INFORMATIONAL MESSAGES AND HIGHER
  CORE         WARNING MESSAGES AND HIGHER
  PKID         VERBOSE DIAGNOSTIC MESSAGES AND HIGHER
  POLICY       WARNING MESSAGES AND HIGHER
  TPOLICY      WARNING MESSAGES AND HIGHER
  MESSAGE LOGGING SETTING: STDOUT_LOGGING
  CONFIGURATION FILE IN USE: /etc/pkiserv/pkiserv.conf
  TEMPLATE FILE IN USE: /etc/pkiserv/pkiserv.tmpl
  CA CERTIFICATE FINGERPRINTS:
  SHA1:   BB:B5:AF:38:BA:3B:33:61:46:F5:FE:AD:20:33:10:98:C2:D7:9A:BC
  MD5:    C6:E6:B2:F3:39:F0:7C:B5:A6:B6:F0:36:5F:2F:7D:C8
  SHA256: FC:F6:DE:AF:CF:48:15:90:0E:91:9B:8F:5C:93:9B:FF:
          1D:2D:FC:B1:10:33:2C:CB:B5:02:F4:8E:5E:41:FA:F8
  SHA512: 14:DD:45:4C:78:66:47:0D:7B:BB:BE:56:33:F0:18:52:
          F4:AD:0C:96:B9:78:5B:40:FF:AE:D5:EB:62:87:A6:22:
          48:45:37:D6:4B:3A:DD:5C:F0:7D:6F:A5:D8:6F:6E:36:
          E5:8C:77:D2:B5:BC:3E:14:E2:34:F8:A1:11:31:2B:E3
- When the PKI administrator receives a certificate request from
a preregistered SCEP client, the PKI administrator can confirm the
integrity of the certificate request by viewing its fingerprints on
the "Single Request" web page. (See Figure 1 for a sample.)
To ensure the integrity of the certificate request, the PKI administrator can contact the SCEP requestor to match the fingerprints in the received certificate request with the fingerprints in the original certificate request. (The certificate requestor can use the SCEP client software to view the fingerprints that are saved for the original request.)
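Both checks described above (matching the downloaded CA certificate against the IKYP025I display, and matching a received certificate request against the requestor's copy) come down to the same operation: hash the DER encoding of the object and compare the result with the fingerprint shown by the other party. The Python helper below is an added example, not code from PKI Services or from any SCEP client. It computes the four fingerprints with hashlib, accepts PEM or DER input, and normalizes displayed values before comparing, because the console wraps SHA256 and SHA512 across lines and client tools may print lower-case hex or spaces instead of colons. The certificate bytes it embeds are constructed stand-in data, not a real certificate; the wrapped SHA256 string is copied from the IKYP025I sample output above only to show the normalization.

```python
import base64
import hashlib
import hmac
import re

# Hash algorithms in the order message IKYP025I prints them.
FINGERPRINT_ALGORITHMS = ("SHA1", "MD5", "SHA256", "SHA512")

# Matches the base64 body of a PEM block (certificate or certificate request).
_PEM_RE = re.compile(rb"-----BEGIN [A-Z ]+-----(.*?)-----END [A-Z ]+-----", re.DOTALL)


def load_der(data):
    """Return the DER bytes of a certificate or request.

    Accepts raw DER or a PEM block. Fingerprints are always computed over
    the DER encoding, so PEM input is base64-decoded first.
    """
    if isinstance(data, str):
        data = data.encode("ascii")
    match = _PEM_RE.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    return data


def format_fingerprint(digest):
    """Render a digest as colon-separated upper-case hex, the IKYP025I style."""
    return ":".join(f"{b:02X}" for b in digest)


def fingerprints(data):
    """Compute the SHA1, MD5, SHA256 and SHA512 fingerprints of DER or PEM input."""
    der = load_der(data)
    return {
        algo: format_fingerprint(hashlib.new(algo.lower(), der).digest())
        for algo in FINGERPRINT_ALGORITHMS
    }


def normalize_fingerprint(text):
    """Reduce a displayed fingerprint to bare upper-case hex.

    Drops colons, spaces, line breaks (the console wraps long values) and
    case differences so two displays of the same digest compare equal.
    """
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def fingerprint_matches(data, algorithm, displayed):
    """True when the computed fingerprint equals the displayed one (constant-time compare)."""
    computed = normalize_fingerprint(fingerprints(data)[algorithm])
    expected = normalize_fingerprint(displayed)
    return hmac.compare_digest(computed, expected)


# Constructed stand-in for a DER-encoded certificate; not a real certificate.
CONSTRUCTED_DER = bytes(range(256))
# The same bytes wrapped as PEM, as a SCEP client might save a downloaded CA certificate.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(CONSTRUCTED_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)
# SHA256 value exactly as it appears, line-wrapped, in the IKYP025I sample output above.
IKYP025I_SHA256 = (
    "FC:F6:DE:AF:CF:48:15:90:0E:91:9B:8F:5C:93:9B:FF:\n"
    "          1D:2D:FC:B1:10:33:2C:CB:B5:02:F4:8E:5E:41:FA:F8"
)


if __name__ == "__main__":
    for algo, value in fingerprints(CONSTRUCTED_PEM).items():
        print(f"{algo:7s} {value}")
    # The constructed bytes are not the sample CA certificate, so this reports False.
    print("matches IKYP025I SHA256:", fingerprint_matches(CONSTRUCTED_PEM, "SHA256", IKYP025I_SHA256))
```

To use it on a real file, read the downloaded CA certificate (or the saved request) into `data`, paste the fingerprint read over the phone or from the console into `displayed`, and check `fingerprint_matches(data, "SHA256", displayed)`; comparing only the shorter SHA1 or MD5 value is weaker than comparing SHA256 or SHA512.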