Hi, yes I can investigate a bit more but when deploying your certificate are you converting it into the component certificates/key using openssl already or do you directly use the PFX? It’s possible the key id being returned by your API is a different hash function on the same data, the difference in formatting of the hexadecimal pairs is just a convention. Our thumbprints are returned by the native .net/windows representation of the X509Certificate and we don’t calculate them ourselves.