How To Generate the Server Certificate Thumbprint for the VOC



Applies to:

All versions of Venafi Trust Protection Platform with TrustAuthority and TrustForce


The Aperture certificate thumbprint for the Venafi Operational Certificate (VOC) is calculated as a SHA256 digest of the certificate data. This article will demonstrate how to generate the Aperture server thumbprint from the TPP VOC certificate.


  1. Download the VOC certificate from the TPP server in DER format to a Windows server:


  1. Use the Windows certutil command to generate the SHA256 hash of the certificate file 

C:\Temp>certutil -hashfile VenafiServer.venafi.local.der SHA256

SHA256 hash of file VenafiServer.venafi.local.der:

9a 4d 68 f9 0e a5 46 d0 72 4f 69 9e 57 ca 00 e7 38 4f 05 d5 a3 a2 79 d5 6d d8 0d b7 ae d0 fb a0

CertUtil: -hashfile command completed successfully.


  1. Double check the SHA256 hash against the certificate thumbprint in Aperture to ensure they match


More Information:

If you need to verify those digests on systems with OpenSSL installed, you can use the following commands:

The hash is calculated over the binary certificate data; if your certificate is in the PEM ‘----BEGIN CERTIFICATE----‘ format, convert your certificate to binary format first using this command:

openssl x509 –in [PEM cert] –out [binary cert output file] –outform der

Then obtain the SHA256 digest (Aperture certificate thumbprint):

openssl sha –sha256 <name_of_VOC_cert_in_DER_format>


Was this article helpful?
0 out of 0 found this helpful