Check If Private Key Matches CSR using OpenSSL

When dealing with SSL certificates, it's critical to ensure that the private key matches the certificate signing request (CSR). Mismatched keys can lead to issues during the certificate signing process. This tutorial demonstrates how to check whether a private key matches a CSR using OpenSSL.

Suppose we have the following private key and CSR:

-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA3+i8CaGg06cTZWgl
5S6ekQH4LBPI9sojxWdD6strvmuIG2Z9isZ1QPwK/+n6KgvzrHBK9f4dheeQ998R
dzsiVQIDAQABAkA3eyS0wj7mkvykYPUa371csv86dMCUHixU6qySjkspSGcvdqNQ
UuAfRJ97n8m8wkNSHhF2HIWH2lPdC/MsZX/VAiEA8QLAZXzsUiEIQ04enLZRq0cv
YkD8mLyXVpT56ZrdEDsCIQDt1bMedIH1kCcAvg4PHAugXw1NeJSvpOpUqOyPwmB+
rwIhAJDhq5EW4OWaT+JOAt8IRt4k49o34OFcdcmpsvZ4jy3jAiA7n+2N3wuNspv0
lbEUnKVViT7egzJTbnbIzqivyb1DRQIhAKbr3cYY4mk0HKFQg3oEhWi2stSPulYz
KNkxLcXmqXjr
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
MIIBEjCBvQIBADBYMQswCQYDVQQGEwJVUzEVMBMGA1UECgwMVGVzdCBDb21wYW55
MR8wHQYDVQQLDBZUZXN0IE9yZ2FuaXphdGlvbiBVbml0MREwDwYDVQQDDAh0ZXN0
LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDf6LwJoaDTpxNlaCXlLp6RAfgs
E8j2yiPFZ0Pqy2u+a4gbZn2KxnVA/Ar/6foqC/OscEr1/h2F55D33xF3OyJVAgMB
AAGgADANBgkqhkiG9w0BAQsFAANBAJRxakTyEWryLsJTzAJ3tamrqDkaKIaC1BDF
SlF6CaiZgoDBWUuF+CAl566jbsRbj4H5jkfFdo/e9LYzorlmEA8=
-----END CERTIFICATE REQUEST-----

A matching RSA private key and CSR contain the same modulus. Use the following command to get the MD5 hash of the private key modulus:

openssl rsa -noout -modulus -in test.key | openssl md5

Next, display the MD5 hash of the CSR modulus:

openssl req -noout -modulus -in test.csr | openssl md5

In this case, both commands provide identical MD5 hashes, confirming that the private key corresponds to the CSR.

(stdin)= 49ca6d1ddd0e407f0a3a9065cbc41702

The options have the following meanings:

  • -noout - ensures that the output does not contain an encoded version of the private key or CSR.
  • -modulus - outputs the value of the modulus.
  • -in test.key - defines the file from which to read the private key.
  • -in test.csr - defines the file from which to read the CSR.
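
The modulus comparison above only applies to RSA keys, because `openssl rsa` cannot read other key types. The script below is an added example, not part of the original tutorial: it generalizes the check by comparing SHA-256 fingerprints of the full public key, so it also works for EC keys. The function names are hypothetical; the script takes the key and CSR files (for example test.key and test.csr) as its two arguments.

```shell
#!/bin/sh
# Added example (not from the original page): compare the public key derived
# from a private key with the public key embedded in a CSR.

# Print the SHA-256 fingerprint of whatever is read from stdin.
fingerprint() {
    openssl dgst -sha256 | awk '{print $NF}'
}

# Fingerprint of the public key derived from a private key file.
key_pub_fp() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    printf '%s\n' "$pub" | fingerprint
}

# Fingerprint of the public key embedded in a CSR file.
csr_pub_fp() {
    pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    printf '%s\n' "$pub" | fingerprint
}

# key_matches_csr KEY CSR
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
# Parse failures are handled explicitly so that two unreadable files are
# never reported as a match (both would otherwise hash empty input).
key_matches_csr() {
    k=$(key_pub_fp "$1") || { echo "cannot read private key: $1" >&2; return 2; }
    c=$(csr_pub_fp "$2") || { echo "cannot read CSR: $2" >&2; return 2; }
    echo "key: $k"
    echo "csr: $c"
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run the check when called with two file arguments.
if [ "$#" -eq 2 ]; then
    key_matches_csr "$1" "$2"; rc=$?
    [ "$rc" -eq 0 ] && echo "MATCH" || echo "NO MATCH (status $rc)"
    exit "$rc"
fi
```

The exit status makes the script usable as a gate before a CSR is submitted for signing: 0 means the pair matches, 1 means the public keys differ, 2 means an input could not be parsed.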
