
OpenSSL is a software library for applications that secure communications over computer networks. This article gives the precise steps to verify an OpenSSL key against a certificate.
Topic
- How to verify an OpenSSL key against a certificate?
- Verify an SSL key matches a certificate
- Verifying an OpenSSL key matches a certificate
apt
- Linux
Topic
For example, we have a certificate file called cert.pem and a key file called key.pem. There are two methods for validation.
- Verify using key and certificate component
- Verify using MD5 SUM of the certificate and key file
Step 1 – Verify using key and certificate component
An OpenSSL private key contains several components, each a series of numbers, one of which is the modulus. To verify that the private key matches the certificate, compare the following two sections in the private key file and the public key certificate file. If they match, validation is successful.
- Subject Public Key Info: from certificate file
- Private-Key: from key file
To open the certificate and key file execute the following commands.
$ openssl x509 -noout -text -in cert.pem
$ openssl rsa -noout -text -in key.pem
Example:
# openssl x509 -in cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
cc:98:00:de:ee:d9:82:60
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=IN, ST=Maharashtra, L=Pune, O=Test Domain CA Inc., OU=Pune, CN=www.testdomain.com
Validity
Not Before: Nov 8 08:06:35 2019 GMT
Not After : Aug 4 08:06:35 2022 GMT
Subject: C=IN, ST=Maharashtra, L=Pune, O=Test Domain CA Inc., OU=Pune, CN=www.testdomain.com
Subject Public Key Info: <<Match>>>
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:b3:b4:7e:a8:e5:23:fc:f6:13:fd:95:5a:0e:8e:
33:38:f6:36:e8:87:d0:6b:b5:f2:fb:96:0a:6c:5e:
bf:7c:46:7a:90:35:5b:b1:41:92:71:c4:1e:d5:25:
00:d1:29:ad:77:76:89:d6:4c:e4:74:09:73:e4:2c:
90:43:50:30:db:17:15:dd:40:9a:e3:b9:aa:9b:b7:
ee:b3:36:ef:4a:17:89:da:63:60:0b:bf:22:00:eb:
13:ce:42:42:a2:ec:92:94:97:5b:d1:4d:11:7d:e5:
33:29:9b:3a:f9:f6:84:5f:1d:66:e3:2b:95:7e:18:
c8:b0:4a:fd:c8:83:f9:03:05
Exponent: 65537 (0x10001)
[...........]
# openssl rsa -in key.pem -text -noout
Private-Key: (1024 bit) <<Match>>>
modulus:
00:b3:b4:7e:a8:e5:23:fc:f6:13:fd:95:5a:0e:8e:
33:38:f6:36:e8:87:d0:6b:b5:f2:fb:96:0a:6c:5e:
bf:7c:46:7a:90:35:5b:b1:41:92:71:c4:1e:d5:25:
00:d1:29:ad:77:76:89:d6:4c:e4:74:09:73:e4:2c:
90:43:50:30:db:17:15:dd:40:9a:e3:b9:aa:9b:b7:
ee:b3:36:ef:4a:17:89:da:63:60:0b:bf:22:00:eb:
13:ce:42:42:a2:ec:92:94:97:5b:d1:4d:11:7d:e5:
33:29:9b:3a:f9:f6:84:5f:1d:66:e3:2b:95:7e:18:
c8:b0:4a:fd:c8:83:f9:03:05
publicExponent: 65537 (0x10001)
[...........]
Validation:
The modulus in the Subject Public Key Info section of the public certificate matches the modulus in the Private-Key section of the private key file.
Step 2 – Verify using MD5 SUM of the certificate and key file
Execute the following commands and validate that the MD5 sum of the modulus is the same for the private key and the public key certificate file.
# openssl x509 -noout -modulus -in cert.pem | openssl md5
(stdin)= 54cf59275d0c8d450eb9feb5520d4837 <<Match>>>
# openssl rsa -noout -modulus -in key.pem | openssl md5
(stdin)= 54cf59275d0c8d450eb9feb5520d4837 <<Match>>>
Validation:
Output from the above two commands confirms that the key matches the certificate.
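
The same check as a reusable script, added here as an example and not part of the original article: it compares a SHA-256 fingerprint of the whole public key instead of an MD5 of the RSA modulus, so it also covers non-RSA keys such as EC, which the modulus commands above do not. The function names spki_sha256 and key_matches_cert are hypothetical, and the key file is assumed not to be passphrase-protected.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are
# hypothetical; the private key is assumed to be unencrypted.

# Read a PEM public key on stdin and print the SHA-256 of its DER encoding.
spki_sha256() {
    openssl pkey -pubin -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# usage: key_matches_cert cert.pem key.pem
# returns 0 = match, 1 = mismatch, 2 = a file could not be parsed
key_matches_cert() {
    # Public key embedded in the certificate (Subject Public Key Info).
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $1" >&2; return 2; }
    # Public key derived from the private key.
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || {
        echo "cannot read private key: $2" >&2; return 2; }
    # Never report a match when either extraction produced nothing.
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        return 2
    fi
    cert_fp=$(printf '%s\n' "$cert_pub" | spki_sha256)
    key_fp=$(printf '%s\n' "$key_pub" | spki_sha256)
    [ "$cert_fp" = "$key_fp" ]
}

# Command-line use: ./check.sh cert.pem key.pem
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "key matches certificate"
    else
        echo "key does NOT match certificate (or input unreadable)" >&2
        exit 1
    fi
fi
```

A matching public key shows that the two files belong together; for RSA keys, openssl rsa -check -noout -in key.pem additionally checks that the private key itself is internally consistent.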