You have a certificate that you want to compare against a list of known good certificates.
The average certificate is generally small, often under 2 KB in size. Because a certificate is both reasonably small and cannot be undetectably modified once it has been signed by a CA, it might seem reasonable to do a byte-for-byte comparison of the certificate with a list of certificates. One problem with this approach is that if you are comparing a certificate against a sizable list, performing the comparisons can become a time-consuming operation. The other problem is that of storing all the certificates in the list against which the certificate to verify will be compared. A better way is to compute the fingerprint of each certificate and store the fingerprint instead of the entire certificate. Fingerprints are generally only 16 or 20 bytes in size, depending on the message digest algorithm used to compute them.
In OpenSSL, computing the fingerprint of a certificate is as simple as a single call to
Comparing fingerprints is done with a byte-for-byte comparison. The only work you really need to do is to decide on which message digest algorithm to use. MD5 is still the most popular algorithm, but we recommend using something stronger, such as SHA1. MD5 only has a 16-byte output, and there are known attacks against it, whereas SHA1 has a 20-byte output, and there are no known attacks against it.
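The scheme above, as an added example that is not the book's code, written in Python with only the standard library: the fingerprint is the message digest of the certificate's DER encoding, the known-good list stores just those digests, and a lookup is a byte-for-byte digest comparison. The stand-in DER bytes, the PEM wrapping helper and the SHA-256 default are this example's own assumptions; SHA-1 is called only to show its 20-byte output size.

```python
import base64
import hashlib
import hmac
import ssl

# Constructed stand-in for a certificate's DER bytes. This is NOT a real
# X.509 certificate; it only exercises the fingerprint and lookup logic.
_FAKE_DER = bytes(range(256)) * 3          # 768 bytes, under the ~2 KB typical size
_TAMPERED_DER = _FAKE_DER[:-1] + b"\x00"   # differs from _FAKE_DER in the last byte only


def pem_from_der(der: bytes, line_length: int = 64) -> str:
    # Wrap DER bytes in a PEM CERTIFICATE envelope (used here to build samples).
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + line_length] for i in range(0, len(b64), line_length))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fingerprint(pem_cert: str, algorithm: str = "sha256") -> bytes:
    # The fingerprint is the digest over the DER encoding, not over the PEM text,
    # so cosmetic PEM differences (line wrapping, trailing newline) do not change it.
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.new(algorithm, der).digest()


def hex_fingerprint(fp: bytes) -> str:
    # Colon-separated upper-case hex, the form printed by `openssl x509 -fingerprint`.
    return ":".join(f"{b:02X}" for b in fp)


def is_known(pem_cert: str, known_fingerprints, algorithm: str = "sha256") -> bool:
    # Byte-for-byte comparison of the computed fingerprint against each stored one.
    fp = fingerprint(pem_cert, algorithm)
    return any(hmac.compare_digest(fp, known) for known in known_fingerprints)


SAMPLE_PEM = pem_from_der(_FAKE_DER)
REWRAPPED_PEM = pem_from_der(_FAKE_DER, line_length=76)   # same cert, different PEM layout
TAMPERED_PEM = pem_from_der(_TAMPERED_DER)

# The known-good list holds only 32-byte SHA-256 fingerprints, not whole certificates.
KNOWN_GOOD = [fingerprint(SAMPLE_PEM)]

if __name__ == "__main__":
    print("SHA-1 fingerprint length:  ", len(fingerprint(SAMPLE_PEM, "sha1")), "bytes")
    print("SHA-256 fingerprint:", hex_fingerprint(fingerprint(SAMPLE_PEM)))
    print("rewrapped PEM matches known list:", is_known(REWRAPPED_PEM, KNOWN_GOOD))
    print("tampered DER matches known list: ", is_known(TAMPERED_PEM, KNOWN_GOOD))
```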