I’m having a problem where the “key identifier” displayed on my iOS device does not match the key fingerprint on my server. In particular, I run:
% openssl x509 -in keyfile.pem -fingerprint -sha1
and I get a 20 byte hash. I also have a 20 byte hash in my phone, but it is not that hash value. I am left wondering if this is a crypto usability fail, or an attack.
Should I expect the output of that openssl invocation to match certificate details on iOS, or is that a different hash? What options to openssl should produce the result I see on my phone?
[Update: it also does not match the output or a trivial subset of the output of
% openssl x509 -in keyfile.pem -fingerprint -sha256
% openssl x509 -in keyfile.pem -fingerprint -sha512 ]
[Update 2: iOS displays the “X509v3 Subject Key Identifier”, and you can ask openssl for that via -text, e.g.,
openssl x509 -in pubkey.pem -text. Thanks to Ryan Sleevi for pointing me down that path.]
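The two values the question compares, side by side, as an added example (not the asker's commands or key material): it generates a throwaway certificate, prints the SHA-1 fingerprint next to the Subject Key Identifier, and recomputes each from what it actually hashes. Assumes an openssl CLI (1.1.1 or later) on PATH with its default config file installed.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the mismatch in the
# question and show what each value is a hash of. Assumes the openssl CLI
# (1.1.1 or later) is on PATH; the key and certificate are throwaway sample
# material generated here, not the asker's keyfile.pem.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/cert.pem"

# Sample self-signed certificate carrying an X509v3 Subject Key Identifier.
# "subjectKeyIdentifier=hash" makes openssl fill it with the SHA-1 of the
# subjectPublicKey bits (RFC 5280 section 4.2.1.2, method 1).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ski-example" \
    -keyout "$WORK/key.pem" -out "$WORK/csr.pem" 2>/dev/null
printf 'subjectKeyIdentifier=hash\n' > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/csr.pem" -signkey "$WORK/key.pem" -days 1 \
    -extfile "$WORK/ext.cnf" -out "$CERT" 2>/dev/null

# What the question's command prints: SHA-1 over the whole DER certificate.
fingerprint_sha1() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# The same digest computed by hand, to make explicit what the fingerprint covers.
sha1_of_cert_der() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha1 | awk '{print $NF}'
}

# What iOS shows: the Subject Key Identifier extension, read from -text output.
subject_key_identifier() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Key Identifier/ { getline; gsub(/[ :]/, ""); print tolower($0) }'
}

# The SKI recomputed by hand: SHA-1 over the public key bits only (for an RSA
# key, the DER RSAPublicKey structure), not over the certificate.
sha1_of_public_key_bits() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl rsa -pubin -RSAPublicKey_out -outform DER 2>/dev/null |
        openssl dgst -sha1 | awk '{print $NF}'
}

echo "fingerprint (SHA-1 of DER certificate):   $(fingerprint_sha1 "$CERT")"
echo "recomputed from DER:                      $(sha1_of_cert_der "$CERT")"
echo "Subject Key Identifier (what iOS shows):  $(subject_key_identifier "$CERT")"
echo "recomputed from public key bits:          $(sha1_of_public_key_bits "$CERT")"
```

Both values are 20-byte SHA-1 digests, which is why they look interchangeable, but they are taken over different inputs, so no fingerprint option will ever reproduce the SKI.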