What is the difference between serial number and thumbprint?

In a certificate, the serial number is chosen by the CA which issued the certificate. It is just written in the certificate. The CA can choose the serial number in any way as it sees fit, not necessarily randomly (and it has to fit in 20 bytes). A CA is supposed to choose unique serial numbers, that is, unique for the CA. You cannot count on a serial number being unique worldwide; in the dream world of X.509, it is the pair issuerDN+serial which is unique worldwide (each CA having its own unique distinguished name, and taking care not to reuse serial numbers).

The thumbprint is a hash value computed over the complete certificate, which includes all its fields, including the signature. That one is unique worldwide, for a given certificate, up to the inherent collision resistance of the used hash function. Microsoft software tends to use SHA-1, for which some theoretical weaknesses are known, but no actual collision has been produced (yet). A collision attack on SHA-1 has now been demonstrated by researchers from CWI and Google.

(The thumbprints you show appear to consist of 40 hexadecimal characters, i.e. 160 bits, which again points at SHA-1 as the plausibly used hash function.)


The thumbprint is the sha1sum or sha256sum of the certificate in its binary .DER format. That is, from a Unix terminal you run:

sha1sum /path/to/mycertificate.der

The hexadecimal output of that command is your thumbprint. It is also called the fingerprint. Try it, and you will see.
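A worked check of both answers above, added here as an example that is not part of either answer: it issues two self-signed certificates carrying the same serial number, shows that hashing the complete DER file gives exactly the fingerprint OpenSSL prints itself (SHA-1 and SHA-256), and shows that the two certificates still have different thumbprints even though their serials match. It assumes a POSIX shell with the `openssl` command on the PATH; the subject name and the serial 0x1234 are constructed values.

```shell
#!/bin/sh
# Added example: serial number vs. thumbprint, checked with the openssl CLI.
# Assumes openssl is on the PATH; subject name and serial number are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME SERIAL: issue a self-signed certificate with the given serial
# and store it in binary DER form as $WORK/NAME.der.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -set_serial "$2" \
    -subj "/CN=thumbprint demo" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    >/dev/null 2>&1
  openssl x509 -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.der"
}

# thumbprint FILE ALGO: hash of the complete DER file (sha1 or sha256) as
# lowercase hex; this is the same value sha1sum / sha256sum print.
thumbprint() {
  openssl dgst "-$2" -r "$1" | cut -d' ' -f1
}

# fingerprint FILE ALGO: the value openssl computes itself, normalised from
# "SHA1 Fingerprint=AB:CD:..." to the same lowercase hex for comparison.
fingerprint() {
  openssl x509 -in "$1" -inform DER -noout -fingerprint "-$2" \
    | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# serial_of FILE: the CA-chosen serial number, as hex.
serial_of() {
  openssl x509 -in "$1" -inform DER -noout -serial | cut -d= -f2
}

# Two certificates from the "same CA" (same subject/issuer) with the same serial.
make_cert a 0x1234
make_cert b 0x1234

for algo in sha1 sha256; do
  echo "$algo thumbprint of a.der : $(thumbprint "$WORK/a.der" "$algo")"
  echo "$algo openssl fingerprint : $(fingerprint "$WORK/a.der" "$algo")"
done
echo "serial a=$(serial_of "$WORK/a.der") b=$(serial_of "$WORK/b.der")"
echo "sha1 thumbprint of b.der  : $(thumbprint "$WORK/b.der" sha1)"
```

The last line differs from the SHA-1 thumbprint of a.der because the key, validity period and signature differ, which is why a serial alone only identifies a certificate together with its issuer name.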