December 21, 2025
GuardSSL Team

SSL Certificate Fingerprint Explained: SHA-1 vs SHA-256

In your GuardSSL scan results, you'll see Fingerprint and Fingerprint (SHA-256) fields displaying long strings of seemingly random characters. These are certificate "fingerprints." Let me explain what they are and how they're used.

What is a Certificate Fingerprint?

A certificate fingerprint is like a certificate's unique ID number: a short string that identifies one specific certificate.

Technically, a fingerprint is a cryptographic hash of the certificate's DER-encoded bytes (the binary form of the whole certificate, CA signature included). It is not stored in the certificate; anyone holding a copy can recompute it. Imagine putting the entire contents of a book through a "blender" that always outputs a string of the same fixed length.

Key Properties of Fingerprints

  1. Uniqueness: Different certificates produce different fingerprints (for SHA-256 this holds in practice; SHA-1 no longer gives that guarantee, see below)
  2. Fixed Length: Regardless of certificate size, the fingerprint length is constant (20 bytes for SHA-1, 32 bytes for SHA-256)
  3. One-Way: You can't reconstruct the certificate from its fingerprint
  4. Sensitivity: Change a single byte of the certificate (even the serial number on renewal), and the fingerprint changes completely

Why Fingerprints Are Useful

Verifying Certificate Integrity

After receiving a certificate from a website, how do you confirm it is the certificate the site operator actually deployed, and not one substituted by a man-in-the-middle?

Obtain the expected fingerprint through a channel the attacker cannot control (official documentation, a signed release note, a phone call to the operator), then compare it with the fingerprint of the certificate you received. A fingerprint published on the same site over the same connection proves nothing, since an interceptor would simply present its own. If the two match, you are holding exactly the certificate the operator published, byte for byte.

Certificate Pinning

Some high-security applications (such as banking apps) "pin" the fingerprint of the expected server certificate, or more commonly a hash of its public key (the SubjectPublicKeyInfo), in their code. On each connection the app checks that the presented certificate matches the pinned value, in addition to normal chain validation. This defeats a man-in-the-middle who holds a valid certificate for the hostname from some other CA (via mis-issuance, a compromised CA, or an interception proxy whose root the device trusts), because that certificate does not match the pin.

Certificate Identification

In systems managing multiple certificates, fingerprints are a convenient way to quickly identify certificates. Compared to full certificate contents, a fingerprint string is much easier to store and compare.

SHA-1 vs SHA-256 Fingerprints

In GuardSSL, you'll see two types of fingerprints:

SHA-1 Fingerprint

  • Length: 20 bytes, shown as 40 hexadecimal digits (59 characters with colon separators)
  • Example: A3:12:5E:...(20 colon-separated pairs)
  • Status: Still displayed for identification, but not recommended for security decisions

SHA-256 Fingerprint

  • Length: 32 bytes, shown as 64 hexadecimal digits (95 characters with colon separators)
  • Example: B5:92:E8:...(32 colon-separated pairs)
  • Status: Current recommended standard

Why Use SHA-256?

In 2017, researchers at Google and CWI published the first practical SHA-1 collision (the "SHAttered" attack): two different inputs with the same SHA-1 hash. Chosen-prefix collision work that followed in 2019 and 2020 brought the cost within reach of well-funded attackers. A collision lets an attacker who controls both inputs craft two certificates that share a SHA-1 fingerprint; forging a certificate to match a fingerprint someone else already published (a second-preimage attack) is still infeasible. That is why SHA-1 fingerprints remain usable as identifiers but should not be trusted for security decisions:

New security applications should use SHA-256 fingerprints.

However, SHA-1 fingerprints are still shown by many tools because legacy systems use them as identifiers rather than for security verification. Windows certificate stores, for example, label the SHA-1 hash "Thumbprint", and many inventories and keystores are indexed by it.

How to Verify a Certificate Fingerprint

Manual Verification

If you need to verify a certificate is correct:

  1. Obtain the expected fingerprint from a trusted source (not from the site you are checking)
  2. Scan the target website with GuardSSL
  3. Compare the two fingerprints

Note: Fingerprints must match exactly. Any differing hex digit means a different certificate, so compare the whole string, not just the first few pairs.

In Your Browser

  1. Click the padlock icon in the address bar
  2. Select "Certificate" or "Connection is secure"
  3. View the fingerprint/SHA-256 in certificate details

Using Command Line

# Get a website certificate's SHA-256 fingerprint
# -servername sends SNI, so a server that hosts several names returns the right certificate;
# replace -sha256 with -sha1 to print the legacy fingerprint instead
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | \
  openssl x509 -fingerprint -sha256 -noout

Common Fingerprint Formats

You might see fingerprints displayed in different formats:

With colons (most common):

A3:12:5E:B8:...

Without separators:

A3125EB8...

With spaces:

A3 12 5E B8...

These are all the same fingerprint, just different display formats. Hex case also varies (browsers and OpenSSL print upper-case, some tools lower-case). Strip separators and ignore case when comparing.
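The following is an added example (not code from the GuardSSL page or tool) of doing in Python what the openssl command above does: decode a PEM certificate to its DER bytes, hash those bytes, render the fingerprint in the colon-separated form browsers show, and compare fingerprints regardless of display format. SAMPLE_PEM is a constructed placeholder whose base64 body decodes to the three bytes "abc", not a real certificate; the hashing and comparison logic is identical for a real one.

```python
import base64
import hashlib
import re

# Constructed placeholder: PEM armour around base64 of b"abc". A real certificate's body
# is base64 of DER-encoded ASN.1, and the code below treats it exactly the same way.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER bytes.

    Fingerprints are computed over the DER bytes, never over the PEM text:
    hashing the PEM (headers, line breaks and all) gives a different value.
    """
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    body = "".join(ln for ln in lines if not ln.startswith("-----"))
    return base64.b64decode(body)


def fingerprint(der: bytes, algo: str = "sha256", sep: str = ":") -> str:
    """Hash the DER certificate and render it like OpenSSL and browsers do:
    upper-case hex, one separator between each pair of digits."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return sep.join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Canonical form for comparison: drop anything that is not a hex digit, upper-case."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprints_match(seen: str, expected: str) -> bool:
    """Exact comparison after normalization, so colons, spaces and case do not matter.
    Fingerprints are public values, so plain equality is the right comparison here."""
    return normalize(seen) == normalize(expected)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for algo in ("sha1", "sha256"):
        fp = fingerprint(der, algo)
        print(f"{algo.upper():7}: {fp}  ({len(normalize(fp))} hex digits)")
    # The same fingerprint in three display formats compares equal; a different
    # hash function, or hashing the PEM text instead of the DER bytes, does not.
    print(fingerprints_match(fingerprint(der), fingerprint(der, sep=" ")))         # True
    print(fingerprints_match(fingerprint(der), fingerprint(der, sep="")))          # True
    print(fingerprints_match(fingerprint(der), fingerprint(der, "sha1")))          # False
    print(fingerprints_match(fingerprint(der), fingerprint(SAMPLE_PEM.encode())))  # False
```

To check a real certificate, paste its PEM (as exported from a browser or fetched with openssl) into SAMPLE_PEM and compare the printed SHA-256 line against the value your trusted source gave you.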

Fingerprint vs. Signature: What's the Difference?

These concepts are often confused:

                   Fingerprint                                     Signature
What is it         Hash of the whole DER-encoded certificate       CA's private-key signature over the certificate body (tbsCertificate)
Who generates it   Anyone can compute it                           Only the CA holding the private key can create it
Purpose            Identify a certificate, verify it is unchanged  Prove the certificate was issued by that CA
Where stored       Not in the certificate (computed on demand)     Embedded in the certificate

Certificate Pinning Considerations

If your app uses Certificate Pinning:

⚠️ Risks

  • Every renewal produces a new certificate with a new fingerprint; if the pinned value is not updated first, the app stops connecting
  • You need backup pins and a way to update pins remotely, or a stuck pin can lock users out until the next app release

✅ Best Practices

  • Pin multiple values (the current certificate plus a backup whose private key is kept offline), never a single one
  • Consider pinning the public key (SPKI hash) of an intermediate or root CA rather than the end-entity certificate: leaf certificates are reissued often, while a CA key changes rarely. CAs do rotate intermediates without notice, so even that pin needs a backup
  • Have remote configuration update capability, and test the renewal path before the old certificate expires
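The following added example (not GuardSSL's or any app's production code) shows why a pinned certificate fingerprint breaks on renewal while a pinned public key survives it. It builds certificate-shaped test data with a small DER encoder, then pulls the SubjectPublicKeyInfo back out with a small DER reader, so it runs offline. The certificates, keys and names are constructed placeholders: the "keys" are arbitrary bytes and the signature is an empty BIT STRING, because the fingerprint and SPKI-hash calculations do not depend on either being valid.

```python
import hashlib

# --- minimal DER encoder, enough to build certificate-shaped test data (constructed) ---

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))

def der_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER (leading 0x00 when the top bit is set)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

SHA256_RSA = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))  # sha256WithRSAEncryption
RSA_OID = tlv(0x06, bytes.fromhex("2a864886f70d010101"))                           # rsaEncryption

def make_spki(key_bytes: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }.
    key_bytes is a placeholder, not a real RSA key."""
    return seq(seq(RSA_OID, tlv(0x05, b"")), tlv(0x03, b"\x00" + key_bytes))

def make_cert(serial: int, subject_cn: bytes, spki: bytes) -> bytes:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Unsigned test data: the signature is a placeholder BIT STRING."""
    version = tlv(0xA0, der_int(2))                                                        # [0] EXPLICIT v3
    name = seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, subject_cn))))  # CN=<subject_cn>
    validity = seq(tlv(0x17, b"250101000000Z"), tlv(0x17, b"260101000000Z"))
    tbs = seq(version, der_int(serial), SHA256_RSA, name, validity, name, spki)
    return seq(tbs, SHA256_RSA, tlv(0x03, b"\x00" * 9))

# --- minimal DER reader, enough to pull the SPKI back out of a certificate ---

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        return tag, pos, pos + first
    nbytes = first & 0x7F
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    return tag, pos + nbytes, pos + nbytes + length

def elements(buf: bytes, start: int, end: int):
    """Yield (tag, start, end) of each element, header included, inside [start, end)."""
    pos = start
    while pos < end:
        tag, _, vend = read_tlv(buf, pos)
        yield tag, pos, vend
        pos = vend

def extract_spki(cert_der: bytes) -> bytes:
    _, tbs_pos, _ = read_tlv(cert_der, 0)                # step into Certificate
    _, tbs_start, tbs_end = read_tlv(cert_der, tbs_pos)  # step into tbsCertificate
    fields = list(elements(cert_der, tbs_start, tbs_end))
    idx = 6 if fields[0][0] == 0xA0 else 5               # optional [0] version shifts the index
    _, s, e = fields[idx]
    return cert_der[s:e]

# --- the two pinning strategies ---

def cert_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

def spki_pin(cert_der: bytes) -> str:
    return hashlib.sha256(extract_spki(cert_der)).hexdigest()

def cert_pin_ok(chain: list, pins: set) -> bool:
    """Certificate pinning: some cert in the presented chain must match a pinned fingerprint."""
    return any(cert_fingerprint(c) in pins for c in chain)

def spki_pin_ok(chain: list, pins: set) -> bool:
    """Public-key pinning: some cert in the chain must carry a pinned key; survives reissuance."""
    return any(spki_pin(c) in pins for c in chain)

# Constructed scenario: the site renews its leaf (new serial, same key); the intermediate is unchanged.
LEAF_KEY, CA_KEY, BACKUP_KEY = make_spki(b"leaf-key-00"), make_spki(b"ca-key-00"), make_spki(b"backup-00")
OLD_LEAF = make_cert(1, b"example.test", LEAF_KEY)
NEW_LEAF = make_cert(2, b"example.test", LEAF_KEY)
INTERMEDIATE = make_cert(7, b"Example Intermediate CA", CA_KEY)

if __name__ == "__main__":
    pinned_at_release = {cert_fingerprint(OLD_LEAF)}
    print("cert pin after renewal:", cert_pin_ok([NEW_LEAF, INTERMEDIATE], pinned_at_release))  # False
    key_pins = {spki_pin(OLD_LEAF), spki_pin(INTERMEDIATE), hashlib.sha256(BACKUP_KEY).hexdigest()}
    print("key pin after renewal: ", spki_pin_ok([NEW_LEAF, INTERMEDIATE], key_pins))           # True
```

The renewed leaf has a different certificate fingerprint but the same SPKI hash, so the certificate pin fails and the key pin passes. The key_pins set also holds the intermediate's key and a backup key that no deployed certificate uses yet, which is the shape of a pin set that can survive both a leaf renewal and a key rollover.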

Key Takeaways

  • Certificate fingerprints are hashes of the DER-encoded certificate that identify it uniquely in practice
  • SHA-256 fingerprints are collision-resistant; SHA-1 fingerprints are fine as identifiers but not for security decisions
  • Fingerprints are used for integrity verification and identity confirmation
  • When comparing fingerprints, they must match exactly
  • High-security apps can use fingerprints for certificate pinning

Understanding certificate fingerprints helps you more precisely identify and verify SSL certificates.

Check Your SSL Certificate Now

Want to see these certificate details for your own website? Use our free SSL checker to instantly analyze your certificate's security, validity, and configuration.

No registration required • Instant results • 100% free