howtos:verify_a_certificate_matches_a_private_key

Differences

This shows you the differences between two versions of the page.


howtos:verify_a_certificate_matches_a_private_key [02/12/2018 21:34] (current) – created - external edit 127.0.0.1
Line 1: Line 1:
 +When you create a certificate, you need a private key during creation. Optionally, you can create the key at the same time as the certificate. In either case, you may one day forget which key was used to create a particular certificate. You can figure this out by comparing the modulus of the certificate with the modulus of the key. Since the certificate is an X.509 PEM formatted file and the private key is an RSA PEM formatted file, you would run the following two commands and compare their output. (Note that linebreaks have been added to the Modulus output to make this page easier to read.)
 +
 +    > openssl x509 -in cert.pem -noout -modulus
 +    Modulus=D44108D18FC92D916D8BA787EFBB43C1B7CE9BD38DB00C7A1AAE3750CB22D62EB3D5E4DF
 +    09227A8926B96F90E1C34819E5EE6EEB466AE693D9AB10811AB8DDAB74A308B5FD6775D06D5F25DF
 +    E97B8680450F3D3215679D5E5348CE6CB340699E5A355A3E0315877BD8CB9B3A0C8A4FADB8EACFB6
 +    14BA6D0518CAEC946FAE8B6D7FCFDB0D6A211B7EB2C8D27D5F02B2AB8FB023B8F5783D44E94BE804
 +    7B6DFE0CB11333B90919C550B93F0D032BF3DF3DDF7AA3B9CBAFC7B685C9537E984291690AA1121A
 +    106D36627D56E65773ECEF63A55934D40102DE6863F3E292EE8E9F06619DAB71FD22E1039F5C9F48
 +    BC180123877213A21070BC8875F3C2242A6E3923
 +
 +    > openssl rsa -in key.pem -noout -modulus
 +    Modulus=D44108D18FC92D916D8BA787EFBB43C1B7CE9BD38DB00C7A1AAE3750CB22D62EB3D5E4DF
 +    09227A8926B96F90E1C34819E5EE6EEB466AE693D9AB10811AB8DDAB74A308B5FD6775D06D5F25DF
 +    E97B8680450F3D3215679D5E5348CE6CB340699E5A355A3E0315877BD8CB9B3A0C8A4FADB8EACFB6
 +    14BA6D0518CAEC946FAE8B6D7FCFDB0D6A211B7EB2C8D27D5F02B2AB8FB023B8F5783D44E94BE804
 +    7B6DFE0CB11333B90919C550B93F0D032BF3DF3DDF7AA3B9CBAFC7B685C9537E984291690AA1121A
 +    106D36627D56E65773ECEF63A55934D40102DE6863F3E292EE8E9F06619DAB71FD22E1039F5C9F48
 +    BC180123877213A21070BC8875F3C2242A6E3923
 +
 +In this case, the two moduli are the same, thus the key.pem file was used to generate the cert.pem file.
 +
 +If you are running bash you can run the following test to easily see if the two moduli are the same:
 +
 +    if [ "`openssl x509 -in cert.pem -noout -modulus`" = \
 +         "`openssl rsa -in key.pem -noout -modulus`" ]; \
 +         then echo "Match"; else echo "Different"; fi
 +
 +
 +
 +An other way of doing the same is to make a md5 checksum.
 +
 +To calculate the md5 checksum of the modulus of the key in question, use the following command:
 +
 +<code>
 +openssl rsa -in /etc/ssl/ssl.key/default.key -modulus -noout | openssl md5
 +d5eddbb45275a3378dff01cb70868136
 +</code>
 +
 +To calculate the md5 checksum of the modulus of the certificate in question, use the following command:
 +
 +<code>
 +openssl x509 -in /etc/ssl/ssl.crt/default.crt -modulus -noout | openssl md5
 +b453c4304edec9cee0457a18bdb9f601
 +</code>
 +
 +Compare the output of the commands. If the output from both commands is the same, the certificate and private key are a matching pair. If the output does not match, the certificate and key are not a pair.
 +
 +Note: In the command and output examples used in this Solution, the checksums do not match; therefore, the certificate and key are not a pair.
 +
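Review bot: In the md5 section at the end of this hunk, the two sample checksums differ (d5eddbb45275a3378dff01cb70868136 for the key, b453c4304edec9cee0457a18bdb9f601 for the certificate), and the only explanation is the closing note about "this Solution", wording that reads as carried over from another document. A reader skimming the commands could take a mismatch as the expected result; either show a matching pair, as the first section does, or move the note directly under the two outputs and reword it for this wiki. Both methods compare only the RSA modulus (`openssl rsa -in key.pem -noout -modulus`), so the page should say up front that it applies to RSA keys, and that equal moduli mean the certificate carries the public half of key.pem. Smaller points: the page mixes indented blocks with `<code>` tags, the bash test uses backticks where `$(...)` is easier to read and nest, and "An other" should be "Another".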
  
howtos/verify_a_certificate_matches_a_private_key.txt · Last modified: 02/12/2018 21:34 by 127.0.0.1