diff --git a/docs/simplesamlphp-reference-idp-remote.md b/docs/simplesamlphp-reference-idp-remote.md
index c4088531bdd6d765a885a87a74b2d73464bc73cc..a8520d4740d6697ab921be857fc20c2c96bcff25 100644
--- a/docs/simplesamlphp-reference-idp-remote.md
+++ b/docs/simplesamlphp-reference-idp-remote.md
@@ -31,9 +31,7 @@ The following options are common between both the SAML 2.0 protocol and Shibbole
 : The base64 encoded certificate for this IdP. This is an alternative to storing the certificate in a file on disk and specifying the filename in the `certificate`-option.
 
 `certFingerprint`
-: If you only need to validate signatures received from this IdP, you can specify the certificate fingerprint instead of storing the full certificate. To obtain this, you can enter a bogus value, and attempt to log in. You will then receive an error message with the correct fingerprint.
-
-: It is also possible to add an array of valid fingerprints, where any fingerprints in that array is accepted as valid. This can be used to update the certificate of the IdP without having to update every SP at that exact time. Instead, one can update the SPs with the new fingerprint, and only update the certificate after every SP is updated.
+: If you only need to validate signatures received from this IdP, you can specify the certificate fingerprint instead of storing the full certificate. *Deprecated:* please use `certData` or `certificate` options. This option will be removed in a future version of simpleSAMLphp.
 
 `certificate`
 : The file with the certificate for this IdP. The path is relative to the `cert`-directory.
@@ -211,13 +209,3 @@ Shibboleth 1.3 options
 
 : *Note*: This option only works with the `saml:SP` authentication source.
 
-
-Calculating the fingerprint of a certificate
---------------------------------------------
-
-If you have obtained a certificate file, and want to calculate the fingerprint of the file, you can use the `openssl` command:
-
-    $ openssl x509 -noout -fingerprint -in "example.org.crt"
-    SHA1 Fingerprint=AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9
-
-In this case, the certFingerprint option should be set to `AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9`.
diff --git a/docs/simplesamlphp-sp.md b/docs/simplesamlphp-sp.md
index 509df2d2e6fd89a1fe5caac9947a1320c65b6708..3cc6d65cf9a299429a27a8a6d4034d86d9c777c0 100644
--- a/docs/simplesamlphp-sp.md
+++ b/docs/simplesamlphp-sp.md
@@ -72,9 +72,11 @@ This is a minimal example of a `metadata/saml20-idp-remote.php` metadata file:
 $metadata['https://example.com'] = array(
     'SingleSignOnService' => 'https://example.com/simplesaml/saml2/idp/SSOService.php',
     'SingleLogoutService' => 'https://example.com/simplesaml/saml2/idp/SingleLogoutService.php',
-    'certFingerprint' => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb',
+    'certificate' => 'example.pem',
 );
 
+`example.pem` under your `cert/` directory contains the certificate the identity provider uses for signing assertions.
+
 For more information about available options in the idp-remote metadata files, see the [IdP remote reference](simplesamlphp-reference-idp-remote).
 
 If you have the metadata of the remote IdP as an XML file, you can use the built-in XML to SimpleSAMLphp metadata converter, which by default is available as `/admin/metadata-converter.php` in your SimpleSAMLphp installation.
diff --git a/lib/SimpleSAML/Metadata/SAMLParser.php b/lib/SimpleSAML/Metadata/SAMLParser.php
index edb39091ca94b0781b472a4cdc1b0542accdc5ce..7a4bc2573ddbf71543ce03c94c75be1f8377ba14 100644
--- a/lib/SimpleSAML/Metadata/SAMLParser.php
+++ b/lib/SimpleSAML/Metadata/SAMLParser.php
@@ -604,7 +604,7 @@ class SimpleSAML_Metadata_SAMLParser
      * - 'SingleSignOnService': String with the URL of the SSO service which supports the redirect binding.
      * - 'SingleLogoutService': String with the URL where we should send logout requests/responses.
      * - 'certData': X509Certificate for entity (if present).
-     * - 'certFingerprint': Fingerprint of the X509Certificate from the metadata.
+     * - 'certFingerprint': Fingerprint of the X509Certificate from the metadata. (deprecated)
      *
      * Metadata must be loaded with one of the parse functions before this function can be called.
      *
@@ -757,7 +757,7 @@ class SimpleSAML_Metadata_SAMLParser
      * the 'SingleLogoutService' endpoint.
      * - 'NameIDFormats': The name ID formats this IdP supports.
      * - 'certData': X509Certificate for entity (if present).
-     * - 'certFingerprint': Fingerprint of the X509Certificate from the metadata.
+     * - 'certFingerprint': Fingerprint of the X509Certificate from the metadata. (deprecated)
      *
      * Metadata must be loaded with one of the parse functions before this function can be called.
      *
diff --git a/lib/SimpleSAML/Utils/Crypto.php b/lib/SimpleSAML/Utils/Crypto.php
index 269ed1b4df54ca44031ddb044d84b4de6b048945..f27a9b02ec676bd516e8327243f07f6456babfc9 100644
--- a/lib/SimpleSAML/Utils/Crypto.php
+++ b/lib/SimpleSAML/Utils/Crypto.php
@@ -178,12 +178,12 @@ class Crypto
      * - 'certData': The certificate as a base64-encoded string.
      * - 'certificate': A file with a certificate or public key in PEM-format.
      * - 'certFingerprint': The fingerprint of the certificate. Can be a single fingerprint, or an array of multiple
-     *   valid fingerprints.
+     *   valid fingerprints. (deprecated)
      *
      * This function will return an array with these elements:
      * - 'PEM': The public key/certificate in PEM-encoding.
      * - 'certData': The certificate data, base64 encoded, on a single line. (Only present if this is a certificate.)
-     * - 'certFingerprint': Array of valid certificate fingerprints. (Only present if this is a certificate.)
+     * - 'certFingerprint': Array of valid certificate fingerprints. (Deprecated. Only present if this is a certificate.)
      *
      * @param \SimpleSAML_Configuration $metadata The metadata.
      * @param bool $required Whether the private key is required. If this is TRUE, a missing key
diff --git a/metadata-templates/shib13-idp-remote.php b/metadata-templates/shib13-idp-remote.php
index 142e63754357b450e78094666d031edc15c8b2ba..b48b6f9f922238e981624a3f56596f954d8a605b 100644
--- a/metadata-templates/shib13-idp-remote.php
+++ b/metadata-templates/shib13-idp-remote.php
@@ -10,6 +10,6 @@
 /*
 $metadata['theproviderid-of-the-idp'] = array(
     'SingleSignOnService' => 'https://idp.example.org/shibboleth-idp/SSO',
-    'certFingerprint' => 'c7279a9f28f11380509e072441e3dc55fb9ab864',
+    'certificate' => 'example.pem',
 );
 */
diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index 60fea0e342c0ef784b2f15bf0dcb77a5723b0c58..b1bab1bcf4042b0800855361a9e0939958d929b8 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
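Review bot: The replacement example `'certificate' => 'example.pem'` in the shib13-idp-remote template gives no hint where that file is looked up, and the reference documentation changed in this same commit says the path is resolved relative to the `cert`-directory. A trailing comment on the new line would save the reader a lookup, e.g. `'certificate' => 'example.pem', // relative to the cert/ directory`. The commented-out example block continues outside the hunk, so the surrounding explanatory text, if any, is not visible here.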
@@ -159,6 +159,11 @@ class sspmod_saml_Message {
                 }
             }
         } elseif ($srcMetadata->hasValue('certFingerprint')) {
+            SimpleSAML\Logger::notice(
+                "Validating certificates by fingerprint is deprecated. Please use " .
+                "certData or certificate options in your remote metadata configuration."
+            );
+
             $certFingerprint = $srcMetadata->getArrayizeString('certFingerprint');
             foreach ($certFingerprint as &$fp) {
                 $fp = strtolower(str_replace(':', '', $fp));
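Review bot: The deprecation notice added at the top of the `certFingerprint` branch does not say which remote entity's metadata still uses the option, so an SP with several IdPs configured cannot tell from the log which entry to migrate; since `$srcMetadata` is that entity's metadata configuration, prefixing the message with its entity ID (presumably available as `$srcMetadata->getString('entityid')`, to be confirmed against the configuration class) would fix that, e.g. `$entityId = $srcMetadata->getString('entityid', '(unknown)');` followed by `"Validating certificates by fingerprint is deprecated for " . $entityId . ". Please use " .` in place of the first string fragment. The notice also gives no reason for the deprecation; a one-line why-comment above it, such as `// a fingerprint pins only a digest of the certificate, not the certificate itself (see certData/certificate)`, would help operators prioritise the migration. The notice is emitted each time this branch executes rather than once per entity, which is likely acceptable at notice level but will repeat for every signed message from that IdP. The enclosing method and the body of the pre-existing `foreach ($certFingerprint as &$fp)` loop continue outside the hunk, so whether the reference is released with `unset($fp)` after the loop cannot be checked here.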