THUMBPRINT(6) THUMBPRINT(6)
NAME
thumbprint - public key thumbprints
DESCRIPTION
Applications in Plan 9 that use public keys for
authentication, for example by calling tlsClient and
okThumbprint or okCertificate (see pushtls(2)), check the
remote side's public key by comparing against thumbprints
from a trusted list. The list is maintained by people who
set local policies about which servers can be trusted for
which applications, thereby playing the role taken by
certificate authorities in PKI-based systems. By convention,
these lists are stored as files in /sys/lib/tls/ and
protected by normal file system permissions.
Such a thumbprint file comprises lines made up of
attribute/value pairs of the form attr=value or attr. The
first attribute must be the application tag: x509 for TLS
applications or ssh for SSH server fingerprints. The second
attribute must be a hash type of sha1= or sha256= followed
by the hex or base64 encoded hash of the binary certificate
or public key. All other attributes are treated as comments.
The file may also contain lines of the form #include file.
For example, a web server might have the thumbprint:
x509 sha1=8fe472d31b360a8303cd29f92bd734813cbd923c cn=*.cs.bell-labs.com
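The following Python example is added for illustration and is not Plan 9's implementation: it parses the thumbprint file format described above, follows #include lines, and checks the hash of a certificate against the trusted set. The function names, the in-memory FILES table with its file names under /sys/lib/tls/, the length-based choice between hex and base64, and the skipping of unrecognized or malformed lines are assumptions.

```python
import base64
import hashlib

SIZES = {"sha1": 20, "sha256": 32}   # digest length in bytes per hash type
TAGS = {"x509", "ssh"}               # application tags named on the page

def decode_hash(kind, text):
    """Decode a hex or base64 thumbprint; None if it is not a valid digest."""
    size = SIZES[kind]
    try:
        if len(text) == 2 * size:             # assumption: hex iff length fits
            raw = bytes.fromhex(text)
        else:
            raw = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    except ValueError:                        # also covers binascii.Error
        return None
    return raw if len(raw) == size else None

def load_thumbprints(name, files, seen=None):
    """Return a set of (tag, hashtype, digest) from files[name] and its includes."""
    seen = set() if seen is None else seen
    if name in seen:                          # guard against #include loops
        return set()
    seen.add(name)
    trusted = set()
    for line in files[name].splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == "#include":
            trusted |= load_thumbprints(fields[1], files, seen)
        elif len(fields) >= 2 and fields[0] in TAGS:
            kind, _, value = fields[1].partition("=")
            digest = decode_hash(kind, value) if kind in SIZES else None
            if digest is not None:            # malformed entries trust nothing
                trusted.add((fields[0], kind, digest))
    return trusted

def ok_thumbprint(tag, blob, trusted):
    """True if any supported hash of blob (DER cert or public key) is trusted."""
    return any((tag, kind, hashlib.new(kind, blob).digest()) in trusted
               for kind in SIZES)

# Constructed sample input: an in-memory "file system" and a stand-in certificate.
CERT = b"constructed stand-in for DER certificate bytes"
FILES = {
    "/sys/lib/tls/demo": "#include /sys/lib/tls/demo.local\n"
        "x509 sha1=8fe472d31b360a8303cd29f92bd734813cbd923c cn=*.cs.bell-labs.com\n",
    "/sys/lib/tls/demo.local": "x509 sha256="
        + base64.b64encode(hashlib.sha256(CERT).digest()).decode() + " cn=demo\n",
}
```

Because trailing attributes such as cn= are comments, only the tag and the hash take part in the match; a trusted hash listed under x509 does not satisfy a lookup under ssh.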
SEE ALSO
pushtls(2)
Page 1 Plan 9 (printed 10/26/25)