Resource Access Management: Obtain an OIDC IdP certificate thumbprint with OpenSSL

Last Updated: Mar 27, 2026

When you configure an OpenID Connect (OIDC) identity provider (IdP) in Resource Access Management (RAM), you must provide the SHA-1 thumbprint of the IdP's root Certificate Authority (CA) certificate to ensure secure communication. This tutorial describes how to use the OpenSSL CLI to obtain this thumbprint.

Prerequisites

  • You have the OpenSSL CLI installed and configured in your system's PATH.

  • You have the issuer URL of your OIDC IdP (such as https://oauth.aliyun.com).

Obtain the thumbprint

This tutorial uses oauth.aliyun.com as an example IdP hostname. Replace this with the hostname from your IdP's issuer URL.

Step 1: Get the IdP's certificate chain

Use the OpenSSL s_client command to connect to your IdP's server and display its SSL/TLS certificate chain.

  1. Open a terminal or command prompt.

  2. Run the following command. Replace <your-idp-hostname> with the hostname of your IdP.

    openssl s_client -servername <your-idp-hostname> -showcerts -connect <your-idp-hostname>:443

    Example:

    openssl s_client -servername oauth.aliyun.com -showcerts -connect oauth.aliyun.com:443

The command will print detailed connection information followed by one or more certificates in PEM format.

Step 2: Isolate the root CA certificate

The output from the previous step shows a certificate chain. To create a thumbprint for Alibaba Cloud, you must use the root CA certificate, which is the last certificate in the chain shown in the output.

  1. In the command output, scroll to the last certificate block. It will be enclosed by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers.

    -----BEGIN CERTIFICATE-----
    MIIEaTCCA1GgAwIBAgILBAAAAAABRE7wQkcwDQYJKoZIhvcNAQELBQAwVzELMAkG
    A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
    ...
    b2N4c2+2n8/fo+ZPA75kO3rKde2b6Xo4Y+5JBzGAeS8g9yS32k2p5yvN9g==
    -----END CERTIFICATE-----

  2. Copy the entire content of this last certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers.

  3. Paste the copied text into a new file and save it as ca.crt.

Step 3: Calculate the SHA-1 thumbprint

Now, use the OpenSSL x509 command to calculate the SHA-1 fingerprint of the saved root CA certificate file.

  1. In your terminal, run the following command:

    openssl x509 -in ca.crt -fingerprint -sha1 -noout

  2. The command will output the SHA-1 fingerprint.

    SHA1 Fingerprint=90:2E:F2:DE:EB:3C:5B:13******

  3. Remove the SHA1 Fingerprint= prefix and all colons (:) from the output. The resulting string is the thumbprint.

    902EF2DEEB3C5B13******

You can now use this thumbprint when creating or updating your OIDC IdP configuration in the RAM console.
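
Steps 1 to 3 combined into one script, as an added example that is not part of the original documentation. The function names (last_cert, fingerprint_to_thumbprint, idp_thumbprint) are hypothetical; the openssl options are the ones used above, plus -subject, -issuer and -enddate to show which certificate is being hashed.

```shell
#!/bin/sh
# Added example automating Steps 1-3. Function names are hypothetical.

# Print the last PEM certificate block on stdin (the one Step 2 copies).
last_cert() {
    awk '
        { sub(/^[ \t]+/, "") }                  # tolerate indented output
        /^-----BEGIN CERTIFICATE-----/ { buf = ""; in_cert = 1 }
        in_cert { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----/ { in_cert = 0; last = buf }
        END { printf "%s", last }
    '
}

# Step 3.3: drop everything up to "=" and all colons, leaving bare hex.
# Matching up to "=" covers both "SHA1 Fingerprint=" and "sha1 Fingerprint=".
fingerprint_to_thumbprint() {
    sed -n 's/^[^=]*=//p' | tr -d ':\r\n'
}

# Steps 1-3 end to end for one hostname (needs network access and openssl).
idp_thumbprint() {
    host=$1
    pem=$(openssl s_client -servername "$host" -showcerts \
              -connect "$host:443" </dev/null 2>/dev/null | last_cert)
    [ -n "$pem" ] || { echo "no certificate received from $host" >&2; return 1; }
    # Print subject, issuer and expiry to stderr so the certificate being
    # hashed can be checked by eye before the thumbprint is used.
    printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -enddate >&2
    printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha1 |
        fingerprint_to_thumbprint
    echo
}

# Run only when a hostname is given, e.g.: sh thumbprint.sh oauth.aliyun.com
if [ "$#" -ge 1 ]; then
    idp_thumbprint "$1"
fi
```

By default openssl s_client continues after a certificate verification error, so check the subject and issuer printed on stderr before entering the thumbprint in the RAM console.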