Checking certificate fingerprints

There are two instances when the PKI administrator checks certificate fingerprints (the SHA1, MD5, SHA256, and SHA512 hashes) in support of certificate request processing for SCEP clients.
  • Preregistered SCEP clients who request certificates from this CA domain must download the correct PKI Services CA certificate to their workstations before they issue their certificate requests. After the download, the client can use the SCEP client software to display the fingerprints of the downloaded CA certificate and then confirm with the PKI administrator of the CA domain that it is the correct CA certificate.
    To match CA certificate fingerprints with a SCEP client, the PKI administrator can display the fingerprints of the CA certificate for this domain by issuing the following MODIFY (or F) console command:
    F PKISERVD,DISPLAY
    The result of this command is information message IKYP025I. Sample output:
    10.37.39 STC00146: IKYP025I PKI SERVICES SETTINGS:
      CA DOMAIN NAME: Customers
      SUBCOMPONENT              MESSAGE LEVEL
         LDAP                   ERROR MESSAGES AND HIGHER
         SAF                    WARNING MESSAGES AND HIGHER
         DB                     INFORMATIONAL MESSAGES AND HIGHER
         CORE                   WARNING MESSAGES AND HIGHER
         PKID                   VERBOSE DIAGNOSTIC MESSAGES AND HIGHER
         POLICY                 WARNING MESSAGES AND HIGHER
         TPOLICY                WARNING MESSAGES AND HIGHER
      MESSAGE LOGGING SETTING: STDOUT_LOGGING
      CONFIGURATION FILE IN USE:
    /etc/pkiserv/pkiserv.conf
      TEMPLATE FILE IN USE:
    /etc/pkiserv/pkiserv.tmpl
      CA CERTIFICATE FINGERPRINTS:
       SHA1:   BB:B5:AF:38:BA:3B:33:61:46:F5:FE:AD:20:33:10:98:C2:D7:9A:BC
       MD5:    C6:E6:B2:F3:39:F0:7C:B5:A6:B6:F0:36:5F:2F:7D:C8
       SHA256: FC:F6:DE:AF:CF:48:15:90:0E:91:9B:8F:5C:93:9B:FF:
               1D:2D:FC:B1:10:33:2C:CB:B5:02:F4:8E:5E:41:FA:F8
       SHA512: 14:DD:45:4C:78:66:47:0D:7B:BB:BE:56:33:F0:18:52:
               F4:AD:0C:96:B9:78:5B:40:FF:AE:D5:EB:62:87:A6:22:
               48:45:37:D6:4B:3A:DD:5C:F0:7D:6F:A5:D8:6F:6E:36:
               E5:8C:77:D2:B5:BC:3E:14:E2:34:F8:A1:11:31:2B:E3
  • When the PKI administrator receives a certificate request from a preregistered SCEP client, the PKI administrator can confirm the integrity of the certificate request by viewing its fingerprints on the "Single Request" web page. (See Figure 1 for a sample.)

    To ensure the integrity of the certificate request, the PKI administrator can contact the SCEP requestor to match the fingerprints in the received certificate request with the fingerprints in the original certificate request. (The certificate requestor can use the SCEP client software to view the fingerprints that are saved for the original request.)
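The following Python script is an added example; it is not part of this documentation and not PKI Services or SCEP client code. It shows how either side of the two checks above can compute the same four fingerprints (SHA1, MD5, SHA256, SHA512 over the DER encoding of the certificate or certificate request) and compare one of them with the value read from the IKYP025I message or from the "Single Request" page, tolerating the colon separators, mixed case and the line wrapping that the console output uses for SHA256 and SHA512. The PEM input is a constructed stand-in ("YWJj" is base64 for the bytes abc, not a real certificate), and all function names are the example's own.

```python
import base64
import hashlib
import hmac
import re

# Algorithms in the order the IKYP025I message lists them.
FINGERPRINT_ALGORITHMS = ("SHA1", "MD5", "SHA256", "SHA512")

# Constructed stand-in for a downloaded CA certificate in PEM form. A real
# certificate carries a far longer base64 body; "YWJj" is base64 for b"abc".
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_block_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first PEM block in pem_text.

    Works for CERTIFICATE and CERTIFICATE REQUEST blocks alike; fingerprints
    are computed over the DER encoding, never over the PEM text itself.
    """
    match = re.search(
        r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem_text, re.DOTALL)
    if match is None:
        raise ValueError("no PEM block found")
    body = "".join(match.group(2).split())   # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def format_fingerprint(digest: bytes) -> str:
    """Render a digest as upper-case, colon-separated hex, as IKYP025I does."""
    return ":".join(f"{b:02X}" for b in digest)


def fingerprints(der: bytes) -> dict:
    """Compute all four fingerprints of a DER-encoded certificate or request."""
    return {alg: format_fingerprint(hashlib.new(alg.lower(), der).digest())
            for alg in FINGERPRINT_ALGORITHMS}


def normalize_fingerprint(text: str) -> str:
    """Reduce any displayed form to bare upper-case hex.

    Colons, spaces, line wrapping (SHA256 and SHA512 wrap in the console
    output) and lower-case letters are all accepted, so a value pasted from
    a console log or read out over the phone compares correctly.
    """
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def fingerprint_matches(expected_text: str, der: bytes,
                        algorithm: str = "SHA256") -> bool:
    """True if the fingerprint the other party supplied matches the object
    actually received. SHA256 or SHA512 should be the one compared; SHA1 and
    MD5 are displayed for older clients but are no longer collision resistant."""
    expected = normalize_fingerprint(expected_text)
    actual = normalize_fingerprint(fingerprints(der)[algorithm])
    if len(expected) != len(actual):
        return False
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    der = pem_block_to_der(SAMPLE_PEM)
    for alg, fp in fingerprints(der).items():
        print(f"{alg:7s} {fp}")
```

Comparing only a leading fragment of a fingerprint is rejected by the length check; the whole value must be read back, which is the point of the out-of-band confirmation the text describes.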