openssl: How to check that a certificate matches a private key

If we install a certificate on a service together with the wrong private key, the service will most likely fail with some cryptic message. But how do we make sure beforehand that a certificate really belongs to a given private key, i.e. that the public key embedded in the certificate is the one derived from that private key? For RSA keys, comparing the modulus of each file is a quick way to verify this.

Using the -modulus flag we can retrieve it:

# openssl x509 -noout -modulus -in cert.crt

It's a long string, so it is much easier to pipe it through md5sum and compare the shorter digest instead (md5 is fine here: it is only used to make two equal strings easy to eyeball, not for any security property):

# openssl x509 -noout -modulus -in cert.crt | md5sum
f690ee90bd84ef94d307ad4184c5098f  -

We can get the modulus of all the files that need to match:

  • The SSL certificate:
openssl x509 -noout -modulus -in certificate.crt | md5sum
  • Its private key:
openssl rsa -noout -modulus -in privateKey.key | md5sum
  • We can also get the modulus from a CSR file (Certificate Signing Request):
openssl req -noout -modulus -in CSR.csr | md5sum

All three outputs must match: the private key was used to generate the CSR, the CSR was handed to a CA, and the CA issued the certificate for the public key contained in the CSR. If a file was swapped or mislabelled anywhere along that path, the digest that differs points at it. Keep in mind that this trick only works for RSA, because only RSA keys have a modulus; for EC (or any other) keys, export the public key from each file and compare those instead.
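As an added example (not part of the original post), the following POSIX shell script automates the same comparison for certificate, private key and CSR. Instead of the RSA-only modulus it hashes the exported public key, so it also works for EC keys. The file names, the demo subject names and the throwaway key/CSR/certificate fixtures it generates are assumptions made for the demo:

```sh
#!/bin/sh
# Added example: verify that a certificate, its private key and (optionally)
# the CSR all carry the same public key. Instead of the RSA-only modulus it
# hashes the exported SubjectPublicKeyInfo, which works for RSA, EC and any
# other key type openssl can load.

# pubkey_digest KIND FILE
#   KIND is cert, csr or key. Prints the SHA-256 hex digest of the PEM public key.
pubkey_digest() {
  kind=$1
  file=$2
  case "$kind" in
    cert) pem=$(openssl x509 -in "$file" -noout -pubkey) ;;
    csr)  pem=$(openssl req  -in "$file" -noout -pubkey) ;;
    key)  pem=$(openssl pkey -in "$file" -pubout) ;;
    *)    echo "pubkey_digest: unknown kind '$kind'" >&2; return 2 ;;
  esac || return 1
  # 'openssl dgst' prints "...(stdin)= <hex>"; keep only the hex field.
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key CERT KEY [CSR]
#   Returns 0 when every file carries the same public key, 1 on a mismatch
#   or when a file cannot be parsed.
cert_matches_key() {
  c=$(pubkey_digest cert "$1") || return 1
  k=$(pubkey_digest key  "$2") || return 1
  if [ "$c" != "$k" ]; then
    echo "MISMATCH: $1 and $2 carry different public keys" >&2
    return 1
  fi
  if [ -n "${3:-}" ]; then
    r=$(pubkey_digest csr "$3") || return 1
    if [ "$c" != "$r" ]; then
      echo "MISMATCH: CSR $3 was not made with the key behind $1" >&2
      return 1
    fi
  fi
  echo "OK: all files share public key sha256 $c"
}

# make_demo_pki DIR
#   Constructed fixtures (an assumption for the demo, not from the post): an RSA
#   key with its CSR and a self-signed cert, plus an unrelated EC key/cert pair.
make_demo_pki() {
  d=$1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/privateKey.key" 2>/dev/null
  openssl req -new -key "$d/privateKey.key" -subj /CN=example.test \
    -out "$d/CSR.csr" 2>/dev/null
  openssl x509 -req -in "$d/CSR.csr" -signkey "$d/privateKey.key" -days 1 \
    -out "$d/certificate.crt" 2>/dev/null
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$d/other.key" 2>/dev/null
  openssl req -new -x509 -key "$d/other.key" -subj /CN=other.test -days 1 \
    -out "$d/other.crt" 2>/dev/null
}

# Stand-alone demo on throwaway fixtures:  sh check-cert-key.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  make_demo_pki "$tmp"
  cert_matches_key "$tmp/certificate.crt" "$tmp/privateKey.key" "$tmp/CSR.csr"
  cert_matches_key "$tmp/certificate.crt" "$tmp/other.key" || echo "(mismatch detected, as expected)"
  rm -rf "$tmp"
fi
```

For real files, call cert_matches_key with your own certificate, key and CSR paths; a non-zero exit code makes it easy to wire into a deployment script so a mismatched pair is caught before the service ever restarts.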

Posted on 13/07/2021