Compare SSL certificate and key matches with OpenSSL

This tutorial shows how to check that an SSL certificate and a private key match using OpenSSL. The original example is from ‘SSL/TLS Strong Encryption: FAQ’, which answers the question: How do I verify that a private key matches its Certificate?
Sometimes clients I am working with request their certificates in order to move a site to a different server.
For example, a customer’s business has grown and they are moving their site from Shared Hosting to Dedicated Hosting. Then it turns out that the last person who installed the certificate forgot to leave it in the server certificate repository. Or only a key is left, without an actual date, and the certificate has to be extracted, for example from a PFX file as in Extract SSL certificate and key from PFX file.

Either way, if you are not sure whether a certificate and a key match, you can find out with the following OpenSSL commands.
OpenSSL can be installed from a Linux server repository, or the source can be taken from here: OpenSSL. You can also use the Windows version: OpenSSL for Windows.
To check that the public key in your cert matches the public portion of your private key, view the cert and the key and compare the numbers printed by these OpenSSL commands:

  $ openssl x509 -noout -text -in certificate_file.crt
  $ openssl rsa -noout -text -in key_file.key

With -modulus in place of -text, only the modulus is printed. The output of the certificate and key comparison will be similar to this:

  $ openssl x509 -noout -modulus -in certificate_file.crt
  Modulus=BEA7A00E88404282986CD16ABBB1682D0A3CB5C7C8A33CC4780FC536BFE43D7018A39732BBF5A4358A034C86A84DE4C8554AAC899FFD1E973581D806417AFA6DFC13674129477107CB2E51129E0878DA57B99EEFB408EBC92F94CA8609A0BC43D85FA8BB02F55D5B7372CFCE430D86FC530233FF757056A93B53A2B8FCCEC975
  $ openssl rsa -noout -modulus -in key_file.key
  Modulus=BEA7A00E88404282986CD16ABBB1682D0A3CB5C7C8A33CC4780FC536BFE43D7018A39732BBF5A4358A034C86A84DE4C8554AAC899FFD1E973581D806417AFA6DFC13674129477107CB2E51129E0878DA57B99EEFB408EBC92F94CA8609A0BC43D85FA8BB02F55D5B7372CFCE430D86FC530233FF757056A93B53A2B8FCCEC975

Since the above output is rather long, you can pipe it through the MD5 function to make the key and certificate output shorter and easier to compare.

  $ openssl x509 -noout -modulus -in certificate_file.crt | openssl md5
  $ openssl rsa -noout -modulus -in key_file.key | openssl md5

In case you need to see whether an SSL key and a CSR match, you can use this command and compare its output with the key's:

  $ openssl req -noout -modulus -in csr_file.csr | openssl md5
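
The modulus comparison above applies to RSA keys only. As an added example (not part of the original tutorial), the script below generalizes the check to RSA and EC keys by comparing a SHA-256 digest of the public key taken from the key, the certificate and the CSR. The function names and the throwaway sample files it generates are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Function and file names are
# assumptions made for this demo.

# Print the SHA-256 of the DER public key held in a cert, CSR or private key.
pub_digest() {  # usage: pub_digest cert|csr|key FILE
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    # An unreadable file must not hash as empty input and "match" another one.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -pubout -outform DER |
        openssl dgst -sha256 -r | awk '{print $1}'
}

# Succeed only when both files carry the same public key.
same_key() {  # usage: same_key TYPE1 FILE1 TYPE2 FILE2
    a=$(pub_digest "$1" "$2") || return 1
    b=$(pub_digest "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed throwaway samples: RSA key + cert + CSR, and an EC key + cert.
make_samples() {
    t=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$t/rsa.key" -out "$t/rsa.crt" 2>/dev/null
    openssl req -new -key "$t/rsa.key" -subj "/CN=example.test" \
        -out "$t/rsa.csr" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$t/ec.key" 2>/dev/null
    openssl req -x509 -new -key "$t/ec.key" -days 1 -subj "/CN=example.test" \
        -out "$t/ec.crt" 2>/dev/null
    echo "$t"
}

d=$(make_samples)
same_key key "$d/rsa.key" cert "$d/rsa.crt" && echo "RSA key matches RSA cert"
same_key key "$d/rsa.key" csr  "$d/rsa.csr" && echo "RSA key matches CSR"
same_key key "$d/ec.key"  cert "$d/ec.crt"  && echo "EC key matches EC cert"
same_key key "$d/ec.key"  cert "$d/rsa.crt" || echo "EC key does not match RSA cert"
rm -rf "$d"
```

For a passphrase-protected key, openssl pkey will prompt for the passphrase before the digest can be computed.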

Anthony Gee About the Author: Anthony G. is an IT specialist with more than 9 years of solid working experience in the Web Hosting industry. Currently works as server support administrator, involved in consultative discussions about Web Hosting and server administration. One of the first writers in the Onlinehowto.net website, now writing for Free Tutorials community - he is publishing tutorials and articles for the wide public, as well as specific technical solutions.

Comments (4)

  1. Goody says:

    Hi,

    How can I generate an SSL key and CSR?

  2. Tonny says:

    $ openssl genrsa -des3 -rand source1:source2:source3:…source10 -out www.yourdomain.com.key 2048

    openssl req -new -key www.yourdomain.com.key -out www.yourdomain.com.csr

    “source” is any big file on your box

  3. Henry Ford says:

    Thanks for the csr generation string!

  4. Monika says:

    Perfect tutorial. Thanks for these directions!
