This repository has been archived by the owner on Nov 9, 2024. It is now read-only.

Thumbprint taken from incorrect certificate in the chain #1

Open

nweisenauer-sap opened this issue Mar 25, 2024 · 0 comments

Hey,

Excited to try out your tool to automatically refresh the thumbprints inside our AWS Identity Providers, I found that it actually does not extract the correct thumbprint (or at least not the one AWS wants us to put there).

As per https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html, the thumbprint of the top intermediate CA should be used:

> IAM requires the thumbprint for the top intermediate certificate authority (CA) that signed the certificate used by the external identity provider (IdP)

I observed that aws-oidc-provider-refresher does not use the thumbprint of the top intermediate CA in the chain, but the thumbprint of the bottom certificate in the chain. This can easily be confirmed by setting up a fresh IdP in AWS, which comes with the feature that AWS automatically sets the correct thumbprint. Running `aws-oidc-provider-refresher --verbose` immediately afterwards already reports that an update to the thumbprint is needed, as the tool wants to put in the thumbprint of another certificate in the chain.

Cheers,
Nico
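
Added example, not code from aws-oidc-provider-refresher or from the reporter: a stand-alone Go program that makes the difference described in the report concrete. It builds a constructed root -> intermediate -> leaf chain in memory (no network, no real IdP), encodes it as the PEM bundle a server would present (leaf first), and then computes both candidate values: the SHA-1 thumbprint of the bottom (leaf) certificate, which the report says the tool uses, and the thumbprint of the last certificate the server presents, which is the top intermediate CA the AWS procedure points at. Go is assumed here because the page does not say what the tool is written in; `BuildTestChain`, `Thumbprints`, `TopIntermediate` and the name `idp.example.test` are my own. The example also goes beyond the case on the page with two guards that are my assumptions rather than anything the AWS doc states: if the server appends its self-signed root after the intermediate, the root is skipped (IAM asks for the top intermediate, not the root), and a chain that contains no CA certificate at all is rejected instead of yielding a leaf thumbprint.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Thumbprint is SHA-1 over the DER encoding as lower-case hex without colons,
// the form stored on an IAM OIDC identity provider.
func Thumbprint(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	return hex.EncodeToString(sum[:])
}

// ParseChain decodes every CERTIFICATE block of a PEM bundle in the order the
// server presented them (leaf first), as `openssl s_client -showcerts` prints.
func ParseChain(pemChain []byte) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	for b, rest := pem.Decode(pemChain); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" { continue }
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil { return nil, err }
		chain = append(chain, c)
	}
	if len(chain) == 0 { return nil, fmt.Errorf("no CERTIFICATE blocks in chain") }
	return chain, nil
}

// TopIntermediate selects the certificate the AWS procedure describes: the last
// one the server presents. Two guards are my own assumptions, not from the AWS
// page: a self-signed last certificate is an appended root, so step back one
// (IAM wants the top *intermediate*); a non-CA pick means only the leaf was sent.
func TopIntermediate(chain []*x509.Certificate) (*x509.Certificate, error) {
	if len(chain) == 0 { return nil, fmt.Errorf("empty chain") }
	i := len(chain) - 1
	if i > 0 && bytes.Equal(chain[i].RawSubject, chain[i].RawIssuer) { i-- }
	if !chain[i].IsCA {
		return nil, fmt.Errorf("certificate %d (%s) is not a CA; server sent no intermediate", i+1, chain[i].Subject.CommonName)
	}
	return chain[i], nil
}

// Thumbprints returns the leaf thumbprint (what the issue reports the tool
// computes) and the IAM one (top intermediate CA) for a server-sent PEM chain.
func Thumbprints(pemChain []byte) (leaf, iam string, err error) {
	chain, err := ParseChain(pemChain)
	if err != nil { return "", "", err }
	top, err := TopIntermediate(chain)
	if err != nil { return "", "", err }
	return Thumbprint(chain[0]), Thumbprint(top), nil
}

// issue makes a constructed test certificate for cn (nil signer: self-signed).
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign }
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	if signer == nil { parent, signer = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { return nil, nil, err }
	c, err := x509.ParseCertificate(der)
	return c, key, err
}

// BuildTestChain returns the PEM bundle a server would send for a constructed
// root -> intermediate -> leaf hierarchy (leaf first; root appended only when
// withRoot is set), plus the intermediate so the pick can be checked.
func BuildTestChain(withRoot bool) ([]byte, *x509.Certificate, error) {
	root, rootKey, err := issue("Constructed Test Root", 1, true, nil, nil)
	if err != nil { return nil, nil, err }
	inter, interKey, err := issue("Constructed Test Intermediate", 2, true, root, rootKey)
	if err != nil { return nil, nil, err }
	leaf, _, err := issue("idp.example.test", 3, false, inter, interKey)
	if err != nil { return nil, nil, err }
	sent := []*x509.Certificate{leaf, inter}
	if withRoot { sent = append(sent, root) }
	var buf bytes.Buffer
	for _, c := range sent {
		pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
	}
	return buf.Bytes(), inter, nil
}
```

To run the same selection against a real IdP, feed `ParseChain` the PEM output of `openssl s_client -servername HOST -showcerts -connect HOST:443 </dev/null`; the `iam` value returned by `Thumbprints` is the one to compare with the thumbprint AWS set on a freshly created provider, and the `leaf` value is the one the report says the tool proposes instead.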
