Need a thumbprint-shaped string to drop into a TLS or PKI test? This generator produces correctly formatted SHA-1 and SHA-256 certificate thumbprints from cryptographically random bytes. They look real but match no certificate.
How it works
A certificate thumbprint is simply a cryptographic hash of the certificate’s DER bytes, displayed as hexadecimal. The byte length depends on the algorithm:
SHA-1 20 bytes -> 40 hex characters
SHA-256 32 bytes -> 64 hex characters
The tool draws the right number of random bytes from the browser’s Web Crypto generator and formats them as uppercase hex, optionally separated by colons or spaces. Because the bytes are random rather than hashed from a real certificate, the result is a safe placeholder.
Tips and notes
Match the display format to your target tool: OpenSSL and browsers favour colon-separated hex, Windows certificate dialogs show space-separated bytes, and config files usually want unseparated hex. Never treat a generated value as a trust anchor — pin only thumbprints derived from certificates you actually control.
When you need a fake thumbprint
Certificate thumbprints appear in many places in TLS and PKI workflows, and there are several development and testing scenarios where a plausible-looking placeholder is useful:
Testing certificate-pinning logic
Certificate pinning compares the actual server certificate’s thumbprint against a stored value at runtime. When writing unit tests for the comparison function, you need a valid-format input to test against — but you do not want to hard-code a production certificate’s real fingerprint in a test file. A fake thumbprint of the right length and format lets you test the comparison, mismatch handling, and error paths safely.
Seeding configuration schemas and documentation
API references, firewall rule schemas, and PKI documentation often show a thumbprint field. Putting a real fingerprint in documentation examples is a minor but avoidable information leak. A generated placeholder is the same format and conveys the same information about what the field expects, without revealing a real certificate.
UI and integration testing
Web applications that let admins upload or paste certificate thumbprints for mTLS, code-signing validation, or webhook verification need UI tests. Filling the field with a correctly formatted but fake value lets you test form validation, accept/reject logic, and downstream processing without involving real credentials.
Database migration and fixture data
If you are migrating a certificate store or building a fixture dataset for a staging environment, you may need rows with thumbprint columns populated. Fake thumbprints fill the schema correctly and make queries against the thumbprint column behave realistically, without any real certificate data landing in a staging database.
SHA-1 vs SHA-256 — when each format appears
Although SHA-1 is cryptographically weak and should not be used for any security decision, the SHA-1 thumbprint format (40 hex characters) remains widespread as an identifier rather than a security primitive:
- Windows certificate stores display SHA-1 thumbprints in the Details tab by default
- Many older enterprise tools, Active Directory configuration fields, and network appliances still identify certificates by SHA-1 fingerprint
- Azure Key Vault, AWS ACM, and other cloud services show both formats but SHA-1 appears in older API responses and PowerShell outputs
The SHA-256 thumbprint (64 hex characters) is the modern format, used in newer certificate management APIs, HPKP successors, and anywhere a security decision (as opposed to just an identifier lookup) depends on the fingerprint value.
Display format reference
| Format | Example pattern | Where it’s used |
|---|---|---|
| Colon-separated | AA:BB:CC:… | OpenSSL, browser certificate viewers |
| Space-separated | AA BB CC … | Windows certificate dialogs |
| Plain hex | AABBCC… | Config files, API inputs, string comparisons |
The generator supports all three — pick whichever your target system expects.