Fake Certificate Thumbprint Generator

SHA-1 and SHA-256 thumbprint format strings

Generate certificate thumbprint strings in correct SHA-1 (40 hex) and SHA-256 (64 hex) formats for testing TLS and PKI code and UIs. These are random placeholders, not real certificate fingerprints. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Is this a real certificate fingerprint?

No. The thumbprint is a string of cryptographically random bytes formatted to look exactly like a certificate fingerprint. It is not derived from any certificate and matches no real key, so use it only as placeholder test data.

Need a thumbprint-shaped string to drop into a TLS or PKI test? This generator produces correctly formatted SHA-1 and SHA-256 certificate thumbprints from cryptographically random bytes. They look real but match no certificate.

How it works

A certificate thumbprint is simply a cryptographic hash of the certificate’s DER bytes, displayed as hexadecimal. The byte length depends on the algorithm:

SHA-1    20 bytes  -> 40 hex characters
SHA-256  32 bytes  -> 64 hex characters

The tool draws the right number of random bytes from the browser’s Web Crypto generator and formats them as uppercase hex, optionally separated by colons or spaces. Because the bytes are random rather than hashed from a real certificate, the result is a safe placeholder.

Tips and notes

Match the display format to your target tool: OpenSSL and browsers favour colon-separated hex, Windows certificate dialogs show space-separated bytes, and config files usually want unseparated hex. Never treat a generated value as a trust anchor — pin only thumbprints derived from certificates you actually control.

When you need a fake thumbprint

Certificate thumbprints appear in many places in TLS and PKI workflows, and there are several development and testing scenarios where a plausible-looking placeholder is useful:

Testing certificate-pinning logic

Certificate pinning compares the actual server certificate’s thumbprint against a stored value at runtime. When writing unit tests for the comparison function, you need a valid-format input to test against — but you do not want to hard-code a production certificate’s real fingerprint in a test file. A fake thumbprint of the right length and format lets you test the comparison, mismatch handling, and error paths safely.

Seeding configuration schemas and documentation

API references, firewall rule schemas, and PKI documentation often show a thumbprint field. Putting a real fingerprint in documentation examples is a minor but avoidable information leak. A generated placeholder is the same format and conveys the same information about what the field expects, without revealing a real certificate.

UI and integration testing

Web applications that let admins upload or paste certificate thumbprints for mTLS, code-signing validation, or webhook verification need UI tests. Filling the field with a correctly formatted but fake value lets you test form validation, accept/reject logic, and downstream processing without involving real credentials.

Database migration and fixture data

If you are migrating a certificate store or building a fixture dataset for a staging environment, you may need rows with thumbprint columns populated. Fake thumbprints fill the schema correctly and make queries against the thumbprint column behave realistically, without any real certificate data landing in a staging database.

SHA-1 vs SHA-256 — when each format appears

Although SHA-1 is cryptographically weak and should not be used for any security decision, the SHA-1 thumbprint format (40 hex characters) remains widespread as an identifier rather than a security primitive:

  • Windows certificate stores display SHA-1 thumbprints in the Details tab by default
  • Many older enterprise tools, Active Directory configuration fields, and network appliances still identify certificates by SHA-1 fingerprint
  • Azure Key Vault, AWS ACM, and other cloud services show both formats but SHA-1 appears in older API responses and PowerShell outputs

The SHA-256 thumbprint (64 hex characters) is the modern format, used in newer certificate management APIs, HPKP successors, and anywhere a security decision (as opposed to just an identifier lookup) depends on the fingerprint value.

Display format reference

FormatExample patternWhere it’s used
Colon-separatedAA:BB:CC:…OpenSSL, browser certificate viewers
Space-separatedAA BB CC …Windows certificate dialogs
Plain hexAABBCC…Config files, API inputs, string comparisons

The generator supports all three — pick whichever your target system expects.