openssl: How to check that a certificate matches a private key

2 min read

If we try to install a certificate on a service but we install an incorrect private key, the service will fail, most likely, with some cryptic message. But, how do we make sure that a certificate has been generated using the correct private key? Checking the modulus of each one can help verifying this

Using the -modulus flag we can retrieve it:

# openssl x509 -noout -modulus -in cert.crt
Modulus=BBD61C1C450F149AEBFA88A7316CE5F8884E0934B506F6ADC018765AFD71846E30FF3109321E369FDD205E7831ECF21428357942DA215248DAE45513528BAC9348B1F0E45A050C0F1BAF192FFD6CCF52F959858FC74BE09D148ECD7828865A3793861706598D3CB9263CCBE7D5358E7AD3DE5AF1D88F070073B82FA31D42B1A04BC92EEFD2F102CEE44F690EAC57BF9E364B5453241FA7B410CB10BF4F53CCFAF55C4AC56D9659A6778BB3C8CFD4B6F96C77FBABA54A09A1A630080E78AF391C0888A7F5612437C570F3EAB85AC8D6BE8270612EEAFF9709134C35C3D3F03F25B54CFF91A771FB8B080FFEC40ECFEAD411AB9AA687365D08013EB62487246741

It's a long string, so it's much easier to just use md5sum to be able to compare a shorter string:

# openssl x509 -noout -modulus -in cert.crt | md5sum
f690ee90bd84ef94d307ad4184c5098f  -

We can get the modulus of all the files that need to match:

  • The SSL certificate:
openssl x509 -noout -modulus -in certificate.crt | md5sum
  • It's private key:
openssl rsa -noout -modulus -in privateKey.key | md5sum
  • We can also get the modulus from a CSR file (Certificate Signing Request):
openssl req -noout -modulus -in CSR.csr | md5sum

All three outputs must match meaning that using the private key a CSR file was generated that in turn was handed to a CA to generate the certificate. If a file was misplaced during this process we will be able to check it


Posted on 13/07/2021

Categories