Verify that an OpenSSL Private Key Matches a Certificate

OpenSSL

OpenSSL is a software library for applications that secure communications over computer networks. This article gives the precise steps to verify an OpenSSL private key against a certificate.


Topic

  • How to verify an OpenSSL key against a certificate?
  • Verify an SSL key matches a certificate
  • Verifying an OpenSSL key matches a certificate

For example, suppose we have a certificate file called cert.pem and a key file called key.pem. There are two methods for validation.

  1. Verify using key and certificate component
  2. Verify using MD5 SUM of the certificate and key file

Step 1 – Verify using key and certificate component

An OpenSSL private key contains several components, each a series of numbers, one of which is the modulus. To verify that the private key matches the certificate, compare the following two sections in the public key certificate file and the private key file. If they match, validation is successful.

  • Subject Public Key Info: from certificate file
  • Private-Key: from key file

To display the contents of the certificate and key file, execute the following commands.

$ openssl x509 -noout -text -in cert.pem
$ openssl rsa -noout -text -in key.pem

Example:

# openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            cc:98:00:de:ee:d9:82:60
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IN, ST=Maharashtra, L=Pune, O=Test Domain CA Inc., OU=Pune, CN=www.testdomain.com
        Validity
            Not Before: Nov  8 08:06:35 2019 GMT
            Not After : Aug  4 08:06:35 2022 GMT
        Subject: C=IN, ST=Maharashtra, L=Pune, O=Test Domain CA Inc., OU=Pune, CN=www.testdomain.com
        Subject Public Key Info:  <<Match>>>
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus: 
                    00:b3:b4:7e:a8:e5:23:fc:f6:13:fd:95:5a:0e:8e:
                    33:38:f6:36:e8:87:d0:6b:b5:f2:fb:96:0a:6c:5e:
                    bf:7c:46:7a:90:35:5b:b1:41:92:71:c4:1e:d5:25:
                    00:d1:29:ad:77:76:89:d6:4c:e4:74:09:73:e4:2c:
                    90:43:50:30:db:17:15:dd:40:9a:e3:b9:aa:9b:b7:
                    ee:b3:36:ef:4a:17:89:da:63:60:0b:bf:22:00:eb:
                    13:ce:42:42:a2:ec:92:94:97:5b:d1:4d:11:7d:e5:
                    33:29:9b:3a:f9:f6:84:5f:1d:66:e3:2b:95:7e:18:
                    c8:b0:4a:fd:c8:83:f9:03:05
                Exponent: 65537 (0x10001)
       [...........]

# openssl rsa -in key.pem -text -noout
Private-Key: (1024 bit)      <<Match>>>
modulus:  
    00:b3:b4:7e:a8:e5:23:fc:f6:13:fd:95:5a:0e:8e:
    33:38:f6:36:e8:87:d0:6b:b5:f2:fb:96:0a:6c:5e:
    bf:7c:46:7a:90:35:5b:b1:41:92:71:c4:1e:d5:25:
    00:d1:29:ad:77:76:89:d6:4c:e4:74:09:73:e4:2c:
    90:43:50:30:db:17:15:dd:40:9a:e3:b9:aa:9b:b7:
    ee:b3:36:ef:4a:17:89:da:63:60:0b:bf:22:00:eb:
    13:ce:42:42:a2:ec:92:94:97:5b:d1:4d:11:7d:e5:
    33:29:9b:3a:f9:f6:84:5f:1d:66:e3:2b:95:7e:18:
    c8:b0:4a:fd:c8:83:f9:03:05
publicExponent: 65537 (0x10001)
[...........]

Validation:
The modulus in the Subject Public Key Info section of the public certificate matches the modulus in the Private-Key section of the private key file.

Step 2 – Verify using MD5 SUM of the certificate and key file

Execute the following commands and validate that the MD5 sum of the modulus is the same for the private key and the public key certificate file.

# openssl x509 -noout -modulus -in cert.pem | openssl md5
(stdin)= 54cf59275d0c8d450eb9feb5520d4837  <<Match>>>

# openssl rsa -noout -modulus -in key.pem | openssl md5
(stdin)= 54cf59275d0c8d450eb9feb5520d4837 <<Match>>>

Validation:
The output from the above two commands confirms that the key matches the certificate.
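
The same check as a reusable shell function, given here as an added example that is not part of the original article. It goes beyond the RSA modulus comparison by comparing the whole public key, so it also works for EC and Ed25519 keys, and it refuses to report a match when either file fails to parse. The function names and the script name check.sh are this example's own.

```shell
#!/bin/sh
# Added example: check that a private key belongs to a certificate by
# comparing public keys (RSA, EC, Ed25519), not only the RSA modulus.

# PEM public key embedded in the certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# PEM public key derived from the private key.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# stdin: PEM public key; stdout: hex SHA-256 of its DER encoding.
fingerprint() {
    openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Usage: key_matches_cert cert.pem key.pem
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
key_matches_cert() {
    # Stop on parse errors: two failed commands both emit nothing, and
    # hashing two empty outputs would look like a match.
    cert_pub=$(cert_pubkey "$1") || { echo "cannot read certificate: $1" >&2; return 2; }
    key_pub=$(key_pubkey "$2") || { echo "cannot read private key: $2" >&2; return 2; }
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2

    cert_fp=$(printf '%s\n' "$cert_pub" | fingerprint)
    key_fp=$(printf '%s\n' "$key_pub" | fingerprint)
    if [ "$cert_fp" = "$key_fp" ]; then
        echo "MATCH sha256=$cert_fp"
        return 0
    fi
    echo "MISMATCH cert=$cert_fp key=$key_fp"
    return 1
}

# Run directly as: sh check.sh cert.pem key.pem  (check.sh is a placeholder name)
if [ "$#" -eq 2 ]; then
    key_matches_cert "$1" "$2"
fi
```

A match only shows that the public parts agree; `openssl pkey -in key.pem -check -noout` additionally checks that the private key itself is internally consistent.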

About the Author: Rajesh