HowTo: verify SSL private key matches SSL certificate

When receiving a new SSL-Certificate for an existing SSL-key it should be checked that they match cryptographically.
Maybe the customer accidentally created a new key and certificate and sent us just the certificate.

It's also possible that the certificate chain is in the wrong order. Make sure that the server certificate is the first. This is also necessary for nginx.

It is recommended to pipe the Modulus of both files through an hashing algorithm, to easier identify differences like so:

openssl rsa -noout -modulus -in server.key | openssl md5

openssl req -noout -modulus -in server.csr | openssl md5

openssl x509 -noout -modulus -in server.crt |openssl md5

If they match, the resulting hash will be identical:

$ openssl rsa -noout -modulus -in | openssl md5
(stdin)= 26e3e1395d3f43d6adeb9d004d02f254

$ openssl x509 -noout -modulus -in | openssl md5
(stdin)= 26e3e1395d3f43d6adeb9d004d02f254


You can also use the graphical tool XCA.

Marius Schuller over 4 years ago
This website uses short-lived cookies to improve usability.
Accept or learn more