User Tools

Site Tools


howtos:verify_a_certificate_matches_a_private_key

When you create a certificate, you need a private key during creation. Optionally, you can create the key at the same time as the certificate. In either case, you may one day forget which key was used to create a particular certificate. You can figure this out by comparing the modulus of the certificate with the modulus of the key. Since the certificate is an X.509 PEM formatted file and the private key is an RSA PEM formatted file, you would run the following two commands and compare their output. (Note that linebreaks have been added to the Modulus output to make this page easier to read.)

  > openssl x509 -in cert.pem -noout -modulus
  Modulus=D44108D18FC92D916D8BA787EFBB43C1B7CE9BD38DB00C7A1AAE3750CB22D62EB3D5E4DF
  09227A8926B96F90E1C34819E5EE6EEB466AE693D9AB10811AB8DDAB74A308B5FD6775D06D5F25DF
  E97B8680450F3D3215679D5E5348CE6CB340699E5A355A3E0315877BD8CB9B3A0C8A4FADB8EACFB6
  14BA6D0518CAEC946FAE8B6D7FCFDB0D6A211B7EB2C8D27D5F02B2AB8FB023B8F5783D44E94BE804
  7B6DFE0CB11333B90919C550B93F0D032BF3DF3DDF7AA3B9CBAFC7B685C9537E984291690AA1121A
  106D36627D56E65773ECEF63A55934D40102DE6863F3E292EE8E9F06619DAB71FD22E1039F5C9F48
  BC180123877213A21070BC8875F3C2242A6E3923
  > openssl rsa -in key.pem -noout -modulus
  Modulus=D44108D18FC92D916D8BA787EFBB43C1B7CE9BD38DB00C7A1AAE3750CB22D62EB3D5E4DF
  09227A8926B96F90E1C34819E5EE6EEB466AE693D9AB10811AB8DDAB74A308B5FD6775D06D5F25DF
  E97B8680450F3D3215679D5E5348CE6CB340699E5A355A3E0315877BD8CB9B3A0C8A4FADB8EACFB6
  14BA6D0518CAEC946FAE8B6D7FCFDB0D6A211B7EB2C8D27D5F02B2AB8FB023B8F5783D44E94BE804
  7B6DFE0CB11333B90919C550B93F0D032BF3DF3DDF7AA3B9CBAFC7B685C9537E984291690AA1121A
  106D36627D56E65773ECEF63A55934D40102DE6863F3E292EE8E9F06619DAB71FD22E1039F5C9F48
  BC180123877213A21070BC8875F3C2242A6E3923

In this case, the two moduli are the same, thus the key.pem file was used to generate the cert.pem file.

If you are running bash you can run the following test to easily see if the two moduli are the same:

  if [ "`openssl x509 -in cert.pem -noout -modulus`" = \
       "`openssl rsa -in key.pem -noout -modulus`" ]; \
       then echo "Match"; else echo "Different"; fi

An other way of doing the same is to make a md5 checksum.

To calculate the md5 checksum of the modulus of the key in question, use the following command:

openssl rsa -in /etc/ssl/ssl.key/default.key -modulus -noout | openssl md5
d5eddbb45275a3378dff01cb70868136

To calculate the md5 checksum of the modulus of the certificate in question, use the following command:

openssl x509 -in /etc/ssl/ssl.crt/default.crt -modulus -noout | openssl md5
b453c4304edec9cee0457a18bdb9f601

Compare the output of the commands. If the output from both commands is the same, the certificate and private key are a matching pair. If the output does not match, the certificate and key are not a pair.

Note: In the command and output examples used in this Solution, the checksums do not match; therefore, the certificate and key are not a pair.

howtos/verify_a_certificate_matches_a_private_key.txt · Last modified: d/m/Y H:i by 127.0.0.1