How can we differentiate between the Thubprint Algorithm, Signature Algorithm and Signature Hash Algorithm?
I'm a bit confused on the differences between Signature Algorithm, Signature Hash Algorithm, and Thumbprint Algorithm that are present in SSL/TLS certificates. Can you please explain?
While the accepted answer goes into some detail about how the calculation is done, it doesn't address the original question at all - Signature Algorithm, Signature Hash Algorithm, and Thumbprint Algorithm that are present in SSL/TLS certificates - which one is which piece of the equation (especially if Microsoft also mix it up)?
The answer seems fairly simple - from:
https://social.technet.microsoft.com/Forums/windowsserver/ennUS/4f8fb14a-256e-4c77-86bc-40c364ec5ed0/certificates-differences-between-signature-algorithm-and-signature-hash-algorithm?forum=winserversecurityand marked as correct answer over there:
Differences between "Signature algorithm" and "Signature Hash Algorithm"
They are used to determine the signature algorithm and hash function used to sign the certificate. This information is used by certificate chaining engines to validate the signature of the certificate. Certificate chaining engine calculates a hash over a certificate (signed part). The Hash method is selected from the Signature Hash Algorithm field. Then the certificate chaining engine decodes the attached signature by using the signature algorithm specified in the Signature Algorithm field and recovers the signed hash. If both hashes match, then the signature is valid, if they differ, the signature is considered invalid.
My addition from another source - Thumbprint Algo - simple non crypto property used to identify the cert on a given system (not authenticate it or verify its validity)
The answer seems fairly simple - from:
https://social.technet.microsoft.com/Forums/windowsserver/ennUS/4f8fb14a-256e-4c77-86bc-40c364ec5ed0/certificates-differences-between-signature-algorithm-and-signature-hash-algorithm?forum=winserversecurityand marked as correct answer over there:
Differences between "Signature algorithm" and "Signature Hash Algorithm"
They are used to determine the signature algorithm and hash function used to sign the certificate. This information is used by certificate chaining engines to validate the signature of the certificate. Certificate chaining engine calculates a hash over a certificate (signed part). The Hash method is selected from the Signature Hash Algorithm field. Then the certificate chaining engine decodes the attached signature by using the signature algorithm specified in the Signature Algorithm field and recovers the signed hash. If both hashes match, then the signature is valid, if they differ, the signature is considered invalid.
My addition from another source - Thumbprint Algo - simple non crypto property used to identify the cert on a given system (not authenticate it or verify its validity)