Is it safe to test the X509Certificate.Thumbprint property when you know an invalid certificate is safe?

Yes.

The thumbprint is a SHA1 hash of the certificate, and while not absolutely impossible, is extremely difficult to forge.

In technical terms, there are currently no known feasable second-preimage attacks on SHA1.

However, if in any doubt, you may store the whole certificate, perhaps using the fingerprint as a key. Then you can compare the whole certificate against your stored, trusted certificate.


Thumbprint is not a part of the certificate. In every cert tool you can see this value, but it is computed hash from whole certificate. Usually it is presented as SHA1, but there are no obstacles to compute as SHA256.

Morgan Simonsen wrote about this: https://morgansimonsen.com/2013/04/16/understanding-x-509-digital-certificate-thumbprints/