Posted about 6 years ago.

HowTo: verify SSL private key matches SSL certificate

When you receive a new SSL certificate for an existing SSL key, check that the two match cryptographically.
The customer may have accidentally created a new key and certificate and sent us just the certificate.

It's also possible that the certificate chain is in the wrong order. Make sure that the server certificate comes first. This is also necessary for nginx.

It is recommended to pipe the public keys of both files through a hashing algorithm, which makes differences easier to spot. Unlike comparing the modulus, the same syntax applies to both RSA and ECDSA certificates:

openssl pkey -pubout -in server.key | openssl sha1

openssl req -pubkey -noout -in server.csr | openssl sha1

openssl x509 -pubkey -noout -in server.crt | openssl sha1

If they match, the resulting hash will be identical:

$ openssl pkey -pubout -in your-domain.de.key | openssl sha1
(stdin)= 559bd107c03237891a468f2c3dcbb0a47035e797
$ openssl x509 -pubkey -noout -in your-domain.de.crt | openssl sha1
(stdin)= 559bd107c03237891a468f2c3dcbb0a47035e797
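
The key/certificate comparison and the chain-order check above can be combined, because `openssl x509` only reads the first certificate in a file. The following script is an added example, not part of the original card: it reports which position in a PEM bundle holds the certificate belonging to the key. The function names are hypothetical, and it hashes with SHA-256 instead of the SHA-1 used above.

```shell
#!/bin/sh
# Added example (not from the original card); function names are hypothetical.

# SHA-256 over the PEM public key read from stdin. Fails on empty input so
# that two unreadable files can never "match" via the hash of nothing.
fingerprint() {
    pub=$(cat)
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# Prints the 1-based position of the certificate in bundle $2 whose public
# key belongs to private key $1, or 0 if no certificate in the bundle does.
matching_cert_position() {
    want=$(openssl pkey -pubout -in "$1" 2>/dev/null | fingerprint) || return 2
    total=$(grep -c 'BEGIN CERTIFICATE' "$2") || return 2
    n=1
    while [ "$n" -le "$total" ]; do
        # Cut certificate number n out of the bundle and hash its public key.
        got=$(awk -v n="$n" '/BEGIN CERTIFICATE/ {c++} c == n' "$2" |
              openssl x509 -pubkey -noout 2>/dev/null | fingerprint) || got=
        if [ "$got" = "$want" ]; then echo "$n"; return 0; fi
        n=$((n + 1))
    done
    echo 0
}

# Exit 0 only if the key matches the FIRST certificate in the bundle.
check_pair() {
    pos=$(matching_cert_position "$1" "$2") ||
        { echo "ERROR: cannot read key or bundle"; return 2; }
    case $pos in
        1) echo "OK: key matches the first certificate" ;;
        0) echo "MISMATCH: no certificate in the bundle belongs to this key"
           return 1 ;;
        *) echo "WRONG ORDER: matching certificate is at position $pos"
           return 1 ;;
    esac
}

# Usage: sh check_pair.sh server.key server.crt
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```

A result of `WRONG ORDER` means the customer sent the right certificate but the bundle must be rearranged; `MISMATCH` means the certificate was issued for a different key.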


You can also use the graphical tool XCA.

Owner of this card: Marius Schuller
Last edit: 10 months ago by Andreas Vöst