How to get the certificate ID / fingerprint of an x.509 certificate using node-forge?
Update
I need this for AWS IoT. I’ve been investigating and concluded that AWS probably uses some fingerprint algorithm to extract the certificate ID. It is not baked into the cert; probably the public key is used as a base for the fingerprint.
Update 2
Running this command returns the correct fingerprint: openssl x509 -noout -fingerprint -sha256 -inform pem -in cert.crt
How to achieve this with node-forge?
I’ve put together the following, but it does not return the same fingerprint:

    const fs = require('fs')
    const forge = require('node-forge')
    const { pki } = forge
    const { promisify } = require('es6-promisify')

    const readFile = promisify(fs.readFile)

    async function main() {
      const certPem = await readFile('./cert.crt', 'utf-8')
      const cert = pki.certificateFromPem(certPem)
      const fingerprint = pki.getPublicKeyFingerprint(cert.publicKey, {
        md: forge.md.sha256.create(),
        encoding: 'hex',
      })
    }

    main()
Answer
The solution is:
You just need to extract the string from between the “-----BEGIN CERTIFICATE-----” header and “-----END CERTIFICATE-----” footer, base64 decode it and compute the SHA1 hash of the decoded data.
In this case SHA256.