1. Overview

A certificate’s thumbprint (or fingerprint) is a unique identifier for the certificate. It isn’t stored in the certificate itself; it’s calculated by hashing the certificate’s encoded bytes.

In this short tutorial, we’ll see how to compute an X509 certificate’s thumbprint in Java.

2. Use Plain Java

First, let’s get an X509Certificate object from our certificate file:

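import java.io.FileInputStream;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Parses a single certificate (PEM or binary DER) from the given file
public static X509Certificate getCertObject(String filePath)
  throws IOException, CertificateException {
    try (FileInputStream is = new FileInputStream(filePath)) {
        CertificateFactory certificateFactory = CertificateFactory
          .getInstance("X.509");
        return (X509Certificate) certificateFactory.generateCertificate(is);
    }
}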

Next, let’s get the thumbprint from this object:

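import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import javax.xml.bind.DatatypeConverter; // JAXB API; not bundled with the JDK since Java 11

// SHA-1 digest of the certificate's DER encoding, as lowercase hex
private static String getThumbprint(X509Certificate cert)
  throws NoSuchAlgorithmException, CertificateEncodingException {
    MessageDigest md = MessageDigest.getInstance("SHA-1");
    md.update(cert.getEncoded());
    return DatatypeConverter.printHexBinary(md.digest()).toLowerCase();
}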

For example, if we have an X509 certificate file named baeldung.pem, we can use the methods above to easily print its thumbprint:

X509Certificate certObject = getCertObject("baeldung.pem");
System.out.println(getThumbprint(certObject));

The result will look something like:

c9fa9f008655c8401ad27e213b985804854d928c
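
An added example, not part of the original article's code: it generalizes the method above to any digest algorithm (SHA-1 matches what the article computes, while SHA-256 is the usual choice when a thumbprint is compared against a pinned value) and checks a certificate against an expected thumbprint regardless of case or colon separators. The class name ThumbprintCheck, its method names and the command-line arguments are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class ThumbprintCheck {

    // Digest of the DER encoding; algorithm is e.g. "SHA-1" or "SHA-256"
    static byte[] thumbprint(X509Certificate cert, String algorithm) throws Exception {
        return MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Accepts "C9:FA:9F...", "c9 fa 9f..." or "c9fa9f..." as printed by different tools
    static byte[] parseThumbprint(String text) {
        String hex = text.replaceAll("[:\\s]", "");
        if (!hex.matches("([0-9A-Fa-f]{2})+")) {
            throw new IllegalArgumentException("not a hex thumbprint: " + text);
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // Compares decoded bytes; a value of the wrong length (wrong algorithm) never matches
    static boolean matches(X509Certificate cert, String algorithm, String expected) throws Exception {
        return MessageDigest.isEqual(thumbprint(cert, algorithm), parseThumbprint(expected));
    }

    // Usage: java ThumbprintCheck <cert file> <expected SHA-256 thumbprint>
    public static void main(String[] args) throws Exception {
        X509Certificate cert;
        try (FileInputStream is = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
        }
        System.out.println("SHA-1:   " + toHex(thumbprint(cert, "SHA-1")));
        System.out.println("SHA-256: " + toHex(thumbprint(cert, "SHA-256")));
        System.out.println("match:   " + matches(cert, "SHA-256", args[1]));
    }
}
```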

3. Use Apache Commons Codec

We can also use the DigestUtils class from the Apache Commons Codec library to achieve the same goal.

Let’s add a dependency to our pom.xml file:

<dependency>
    <groupId>commons-codec</groupId>
    <artifactId>commons-codec</artifactId>
    <version>1.15</version>
</dependency>

Now, we simply use the sha1Hex() method to get the thumbprint from our X509Certificate object:

DigestUtils.sha1Hex(certObject.getEncoded());

4. Conclusion

In this quick tutorial, we’ve learned two ways to compute an X509 certificate’s thumbprint in Java.

As always, the example code from this article can be found over on GitHub.
