1. Overview

A certificate’s thumbprint (or fingerprint) is the unique identifier of the certificate. It’s not part of the certificate, but it’s calculated from it.

In this short tutorial, we’ll see how to compute an X509 certificate’s thumbprint in Java.

2. Use Plain Java

First, let’s get an X509Certificate object from our certificate file:

public static X509Certificate getCertObject(String filePath) 
  throws IOException, CertificateException {
     try (FileInputStream is = new FileInputStream(filePath)) {
        CertificateFactory certificateFactory = CertificateFactory
        return (X509Certificate) certificateFactory.generateCertificate(is);

Next, let’s get the thumbprint from this object:

private static String getThumbprint(X509Certificate cert) 
  throws NoSuchAlgorithmException, CertificateEncodingException {
    MessageDigest md = MessageDigest.getInstance("SHA-1");
    return DatatypeConverter.printHexBinary(md.digest()).toLowerCase();

For example, if we have an X509 certificate file named baeldung.pem, we can use the methods above to easily print its thumbprint:

X509Certificate certObject = getCertObject("baeldung.pem");

The result will look something like:


3. Use Apache Commons Codec

We can also use the DigestUtils class from the Apache Commons Codec library to achieve the same goal.

Let’s add a dependency to our pom.xml file:


Now, we simply use the sha1Hex() method to get the thumbprint from our X509Certificate object:


4. Conclusion

In this quick tutorial, we’ve learned two ways to compute an X509 certificate’s thumbprint in Java.

As always, the example code from this article can be found over on GitHub.

Course – LSS (cat=Security/Spring Security)

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:

res – Security (video) (cat=Security/Spring Security)
Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.