How to verify SSL SHA-1 Certificate Fingerprnit Signature of your mail/web server to avoid hijacking/man-in-the-middle attacks -
How to verify SSL SHA-1 Certificate Fingerprnit Signature of your mail/web server to avoid hijacking/man-in-the-middle attacks
This is especially helpful if you run your own servers. If you are presented with an error message or warning that the signature has changed or does not match the IP/domain you are connecting to you always want to verify manually.
So your e-mail/web client will show you an SHA-1 fingerprint like this:
"Could not verify this certificate because the issuer is unkown" or other reasons such as a mismatch in IP/domain.
It will also show you the "SHA1 fingerprint". Copy this and compare below with the results of your actual server certificate.
How to verify it against the actual certificate on your server?:
openssl x509 -fingerprint -in /pathto/your-certificate.crt -noout
How to manually fetch the SHA1 certificate straight from the server to compare?
openssl s_client -showcerts -connect yourdomain.com:port 2>/dev/null|openssl x509 -fingerprint -noout
This is an important and good way to verify that you are actually talking to who you think you are and that there is no direct interception or Middleman attack.