
I have a basic question regarding fingerprints of HTTPS certificates, the specific case I wanted to check being my online banking service. With Firefox on Linux, I can visit the specific web page and then click on the green lock and go to inspect the certificate, more precisely I can look at its SHA-256 fingerprint. If I now want to compare it with this service, it seems to me I cannot find the same SHA-256 fingerprint there, or at least not in the same format, so what to check? Also, is there a simple shell script that automates the previous check that I did with Firefox, something like curl https... | sha256sum?

1 Answer


Try this:

echo -n | openssl s_client -connect www.security.us.hsbc.com:443 2>/dev/null | openssl x509  -noout -fingerprint -sha256

The output should look like this:

$ echo -n | openssl s_client -connect www.security.us.hsbc.com:443 2>/dev/null | openssl x509  -noout -fingerprint -sha256
SHA256 Fingerprint=2B:53:3C:29:EF:1E:DD:62:5A:A0:2A:D6:45:99:3C:6E:3F:6E:85:02:F5:D9:1A:85:8B:43:4E:82:90:D9:9C:65

Notice that the SHA256 fingerprint matches the screenshot below taken from Firefox.

[screenshot: Firefox certificate viewer showing the same SHA-256 fingerprint]

  • Thanks for your answer. Indeed it works on google.com, but when I try it on security.us.hsbc.com/gsa/SECURITY_LOGON_PAGE with or without the https : // www stuff or cutting from gsa/.., then I get: unable to load certificate 140652896214976:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE. Do you know what I'm missing?
    – jj_p
    Commented Sep 28, 2017 at 17:20
  • It doesn't seem like that subdomain exists: $ host security.us.hsbc.com/ Host security.us.hsbc.com/ not found: 3(NXDOMAIN)
    – MikeSchem
    Commented Sep 28, 2017 at 17:29
  • Also, certificates are bound to domains and subdomains; you should not include anything after the .com or other TLD.
    – MikeSchem
    Commented Sep 28, 2017 at 17:29
  • OK, I understand what you say, but still Firefox gives a certificate fingerprint for that page that is different than us.hsbc.com. If I click on the link I provided, indeed it gives an error, but if I access it by going first to us.hsbc.com/1/2/home/personal-banking and then click the log on button, that's the certificate I'd like to check.
    – jj_p
    Commented Sep 28, 2017 at 17:33
  • BTW, the script output seems to be 2/3 the length of the SHA256 fingerprint that I get from Firefox; is it a different format?
    – jj_p
    Commented Sep 28, 2017 at 17:36
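The answer's one-liner, extended into a small POSIX sh script that also covers the two problems raised in the comments: a URL path being passed to -connect (which produces the "no start line" error), and the fingerprint looking different between Firefox and openssl because of colons, case or a prefix. This is an added example, not code from the answer; it assumes openssl is installed, and the URL and fingerprint in the usage line are placeholders you supply.

```shell
#!/bin/sh
# Added example, not code from the original answer: compare a site's TLS leaf
# certificate with an expected SHA-256 fingerprint. Assumes openssl is on PATH.

# Reduce a URL or bare host to the host:port that openssl s_client expects.
# The "no start line" error in the comments is what happens when a path such as
# host/gsa/... is passed to -connect: no TLS session is made, so openssl x509
# reads empty input instead of a PEM certificate.
host_from_url() {
    h=${1#*://}          # drop the scheme
    h=${h%%/*}           # drop the path (certificates are bound to hosts, not pages)
    case $h in
        *:*) printf '%s\n' "$h" ;;
        *)   printf '%s:443\n' "$h" ;;
    esac
}

# Normalise a fingerprint so the Firefox and openssl forms compare equal:
# strip a "SHA256 Fingerprint=" prefix, colons and spaces, and uppercase it.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/[: ]//g' | tr 'a-f' 'A-F'
}

# Fetch the leaf certificate (with SNI via -servername, so a host that serves
# several names returns the right one) and print its fingerprint as 64 hex digits.
fetch_fp() {
    hp=$(host_from_url "$1")
    raw=$(printf '' | openssl s_client -connect "$hp" -servername "${hp%%:*}" 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ -n "$raw" ] || return 1
    normalize_fp "$raw"
}

# Compare two fingerprints given in any of the common formats; 0 means they match.
# A valid SHA-256 fingerprint is exactly 64 hex digits, so shorter input never matches.
fingerprints_match() {
    a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Usage: sh check_fp.sh https://www.example.com/some/page EXPECTED_FINGERPRINT
if [ $# -eq 2 ]; then
    got=$(fetch_fp "$1") || { echo "could not fetch a certificate for $1" >&2; exit 2; }
    if fingerprints_match "$got" "$2"; then
        echo "MATCH $got"
    else
        echo "MISMATCH: got $got" >&2; exit 1
    fi
fi
```

EXPECTED_FINGERPRINT is whatever you copied from the browser's certificate viewer, with or without colons.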
