Check If A Certificate & Private Key Match

Check if an SSL certificate and private key match in two simple commands. The OpenSSL commands below will require you to replace <file> with your file’s name.

For your SSL certificate:¹

openssl x509 -noout -modulus -in <file> | md5sum

For your RSA private key:

openssl rsa -noout -modulus -in <file> | md5sum

The output of these commands should be identical. If it isn’t, your keys do not match.

The pipe to md5sum is solely to make the output shorter and easier to visually compare ↩

crypto, openssl, x509

Print article

This entry was posted by Paul Kehrer on October 5, 2009 at 9:52 am, and is filed under Posts. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site.

Related Posts
Comments (1)

#1 written by Anoop
about 5 months ago

Hey, this is a good one to keep handy. Just wanted to mention to your readers that -modulus for both ‘x509′ and ‘rsa’ applications in openssl prints the RSA key modulus and even those values can be compared to confirm a match. The pipe to md5sum/sha1sum simply help make things easier when visually comparing.

Good one!

No trackbacks yet.

Parsing A CRL With OpenSSL

about 2 months ago - No comments

Short and sweet. This command will give you a list of revoked serial numbers:

openssl crl -inform DER -text -noout -in mycrl.crl

Most CRLs are DER encoded, but you can use -inform PEM if your CRL is not binary. If you’re unsure if it is DER or PEM open it with a text editor. More >

OpenSSL and IDN Certificates

about 2 months ago - No comments

As internationalized domain names (IDN) proliferate more people need to test with, and ultimately purchase, IDN certificates. If you need to generate a CSR or even a self-signed certificate for an internationalized domain follow these steps:

Take the UTF-8 characters and paste them into a punycode converter (also known as ASCII compatible encoding, or ACE).
The More >

Find A Matching Certificate And Key Pair

about 4 months ago - No comments

If you have a list of keys and SSL certs and don’t know which cert belongs with which key, here’s a script for you. It’s not efficient (nested for loop!), but it gets the job done quickly.1

#!/bin/bash
for i in `ls *.key`
do
key_mod=`openssl rsa -noout -in $i -modulus`
for j in `ls *.cer`
do
x509_mod=`openssl x509 -noout -in More >

Create A 2048-bit Key Via OpenSSL

about 4 months ago - No comments

We are fast approaching the date where NIST has recommended that end entities stop utilizing 1024-bit private keys. OpenSSL, however, currently defaults to creating 1024-bit keypairs. To create a 2048-bit private key and corresponding CSR (which you can send to a certificate authority to obtain your SSL certificate):

openssl req -new -nodes -newkey rsa:2048 -keyout More >

Firefox Autoenrollment With A Microsoft CA

about 11 months ago - No comments

If you’re running a Microsoft CA and you want to be able to accept enrollment requests from clients supporting keygen (Firefox, Safari, Opera, et cetera) you’ve probably found that the /certsrv/ page allows enrollment, but the requests fail when you attempt to issue the certificate. This is because the server is not parsing the subject More >

Using OpenSSL s_time

about 11 months ago - No comments

Recently I needed to do some performance testing of an SSL instance on a VM. I considered using JMeter, but decided to use OpenSSL to get a rudimentary picture instead.
To obtain a basic result, we connect to the server and pull the /index.php file. You can specify whatever file you’d like to download, More >

RSA Encryption and Signing

about 11 months ago - 1 comment

OpenSSL provides several tools that allow you to RSA encrypt/sign arbitrary data files. Of course, directly RSA encrypting large volumes of data is impractical because the encrypted/signed data cannot exceed the size of the key material. This is one of the reasons why SSL connections typically handshake and then pass an AES (or More >

Creating a PKCS7 (P7B) Using OpenSSL

about 11 months ago - No comments

Continuing the howto nature of this blog (and its peculiar obsession with OpenSSL), here’s a primer on packaging an arbitrary number of certificates into a single PKCS7 container. These files are quite useful for installing multiple certificates on Windows servers. They differ from PKCS12 (PFX) files in that they can’t store private keys. More >

Checking A Remote Certificate Chain With OpenSSL

about 12 months ago - 1 comment

If you deal with SSL/TLS long enough you will run into situations where you need to examine what certificates are being presented by a server to the client. The best way to examine the raw output is via (what else but) OpenSSL.1
First let’s do a standard webserver connection (-showcerts dumps the PEM encoded certificates More >

Generating (Very) Large Primes

about 1 year ago - No comments

Have you ever wondered how big the “large primes” that RSA encryption is based on really are? What exactly does a “1024-bit” key mean anyway? And if the difficulty of RSA is partially based on factoring large numbers, how do we create these large primes without determining primality via factorization?
The easiest way to More >

Check If A Certificate & Private Key Match

No trackbacks yet.

Parsing A CRL With OpenSSL

OpenSSL and IDN Certificates

Find A Matching Certificate And Key Pair

Create A 2048-bit Key Via OpenSSL

Firefox Autoenrollment With A Microsoft CA

Using OpenSSL s_time

RSA Encryption and Signing

Creating a PKCS7 (P7B) Using OpenSSL

Checking A Remote Certificate Chain With OpenSSL

Generating (Very) Large Primes

Fidgetr – Favorites

Fidgetr – Latest

Archives