Check If Private Key Matches SSL Certificate using OpenSSL

Check If Private Key Matches SSL Certificate using OpenSSL

When working with many different SSL certificates and private keys, it is easy to forget which certificate belongs to the private key. This tutorial shows how to check if the private key matches an SSL certificate using OpenSSL.

Let's say we have the following private key and certificate:

-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA3+i8CaGg06cTZWgl
5S6ekQH4LBPI9sojxWdD6strvmuIG2Z9isZ1QPwK/+n6KgvzrHBK9f4dheeQ998R
dzsiVQIDAQABAkA3eyS0wj7mkvykYPUa371csv86dMCUHixU6qySjkspSGcvdqNQ
UuAfRJ97n8m8wkNSHhF2HIWH2lPdC/MsZX/VAiEA8QLAZXzsUiEIQ04enLZRq0cv
YkD8mLyXVpT56ZrdEDsCIQDt1bMedIH1kCcAvg4PHAugXw1NeJSvpOpUqOyPwmB+
rwIhAJDhq5EW4OWaT+JOAt8IRt4k49o34OFcdcmpsvZ4jy3jAiA7n+2N3wuNspv0
lbEUnKVViT7egzJTbnbIzqivyb1DRQIhAKbr3cYY4mk0HKFQg3oEhWi2stSPulYz
KNkxLcXmqXjr
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICBzCCAbGgAwIBAgIUblsRRtsMLsqKSXHL3OeHVDTAaAkwDQYJKoZIhvcNAQEL
BQAwWDELMAkGA1UEBhMCVVMxFTATBgNVBAoMDFRlc3QgQ29tcGFueTEfMB0GA1UE
CwwWVGVzdCBPcmdhbml6YXRpb24gVW5pdDERMA8GA1UEAwwIdGVzdC5jb20wHhcN
MjIwNzE4MDEzMDMwWhcNMjMwNzE4MDEzMDMwWjBYMQswCQYDVQQGEwJVUzEVMBMG
A1UECgwMVGVzdCBDb21wYW55MR8wHQYDVQQLDBZUZXN0IE9yZ2FuaXphdGlvbiBV
bml0MREwDwYDVQQDDAh0ZXN0LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDf
6LwJoaDTpxNlaCXlLp6RAfgsE8j2yiPFZ0Pqy2u+a4gbZn2KxnVA/Ar/6foqC/Os
cEr1/h2F55D33xF3OyJVAgMBAAGjUzBRMB0GA1UdDgQWBBR01dWXvKnNVQl97YZP
vnpvtsFb7jAfBgNVHSMEGDAWgBR01dWXvKnNVQl97YZPvnpvtsFb7jAPBgNVHRMB
Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA0EAOeLvRxxC+WnhnBaURnyhWM1aHP6j
WYXSGiQh6VA6vxoShAUFd56anAT7LfX6wJdnDJrtHkaK2zK6JM7mxqF79w==
-----END CERTIFICATE-----

Private key and SSL certificate should contain the same modulus. So run the following command to print the MD5 hash of the private key modulus:

openssl rsa -noout -modulus -in test.key | openssl md5

Then print the MD5 hash of the SSL certificate modulus:

openssl x509 -noout -modulus -in test.crt | openssl md5

In our case, both commands outputs the same MD5 hash. It means that private key matches SSL certificate.

(stdin)= 49ca6d1ddd0e407f0a3a9065cbc41702

The meaning of options:

  • -noout - specifies that an encoded version of the private key or certificate should not be included in output.
  • -modulus - prints the value of the modulus.
  • -in test.key - specifies the filename to read a private key.
  • -in test.crt - specifies the filename to read a certificate.

Leave a Comment

Cancel reply

Your email address will not be published.