1. Overview

A certificate's thumbprint (or fingerprint) is the unique identifier of the certificate. It isn't stored in the certificate itself; it's a hash computed over the certificate's encoded bytes.

In this short tutorial, we'll see how to compute an X509 certificate's thumbprint in Java.

2. Use Plain Java

First, let's get an X509Certificate object from our certificate file:

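import java.io.FileInputStream;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Parse the certificate file into an X509Certificate object
public static X509Certificate getCertObject(String filePath) 
  throws IOException, CertificateException {
    try (FileInputStream is = new FileInputStream(filePath)) {
        CertificateFactory certificateFactory = CertificateFactory
          .getInstance("X.509");
        return (X509Certificate) certificateFactory.generateCertificate(is);
    }
}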

Next, let's get the thumbprint from this object:

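import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import javax.xml.bind.DatatypeConverter;

// DatatypeConverter is part of JAXB (javax.xml.bind), which is no longer bundled with the JDK from Java 11 on
private static String getThumbprint(X509Certificate cert) 
  throws NoSuchAlgorithmException, CertificateEncodingException {
    MessageDigest md = MessageDigest.getInstance("SHA-1");
    md.update(cert.getEncoded());
    return DatatypeConverter.printHexBinary(md.digest()).toLowerCase();
}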

For example, if we have an X509 certificate file named baeldung.pem, we can use the methods above to easily print its thumbprint:

X509Certificate certObject = getCertObject("baeldung.pem");
System.out.println(getThumbprint(certObject));

The result will look something like:

c9fa9f008655c8401ad27e213b985804854d928c
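
A thumbprint is usually computed in order to compare it with a known value, and SHA-1 is no longer collision resistant, so the following added example (not code from this article) generalizes the method above to any digest algorithm, uses SHA-256, and checks the result against a pinned thumbprint in the formats tools commonly display. The class name ThumbprintCheck, its method names, and the sample bytes are assumptions made for illustration; the sample bytes are constructed and stand in for cert.getEncoded().

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class ThumbprintCheck {  // hypothetical class, not from the article

    // Digest of the DER bytes, i.e. what cert.getEncoded() returns.
    static byte[] thumbprint(byte[] der, String algorithm) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(algorithm).digest(der);
    }

    // Parse a thumbprint as tools display it: "AB:CD:..", "ab cd ..", or plain hex.
    static byte[] parseThumbprint(String text) {
        String hex = text.replaceAll("[\\s:]", "");
        if (hex.isEmpty() || hex.length() % 2 != 0 || !hex.matches("[0-9a-fA-F]+")) {
            throw new IllegalArgumentException("not a hex thumbprint");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // Compare digest bytes, not strings, so case and separators cannot cause a
    // mismatch; a pin of the wrong length (e.g. truncated) never matches.
    static boolean matches(byte[] der, String pinned, String algorithm)
      throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(thumbprint(der, algorithm), parseThumbprint(pinned));
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for cert.getEncoded(); not a real certificate.
        byte[] der = "constructed sample bytes".getBytes(StandardCharsets.US_ASCII);
        String pin = toHex(thumbprint(der, "SHA-256"));
        // The same pin, upper-cased and colon-separated.
        String displayed = pin.toUpperCase().replaceAll("(..)(?=.)", "$1:");
        System.out.println(matches(der, displayed, "SHA-256"));
        // A pin cut to 40 hex characters (SHA-1 length) must not match.
        System.out.println(matches(der, pin.substring(0, 40), "SHA-256"));
    }
}
```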

3. Use Apache Commons Codec

We can also use the DigestUtils class from the Apache Commons Codec library to achieve the same goal.

Let's add a dependency to our pom.xml file:

<dependency>
    <groupId>commons-codec</groupId>
    <artifactId>commons-codec</artifactId>
    <version>1.15</version>
</dependency>

Now, we simply use the sha1Hex() method to get the thumbprint from our X509Certificate object:

DigestUtils.sha1Hex(certObject.getEncoded());

4. Conclusion

In this quick tutorial, we've learned two ways to compute an X509 certificate's thumbprint in Java.

As always, the example code from this article can be found over on GitHub.
