OpenSSL: Check If Private Key Matches SSL Certificate & CSR

When you are dealing with lots of different SSL Certificates, it is quite easy to forget which certificate goes with which Private Key.

Or, for example, which CSR has been generated using which Private Key.

From the Linux command line, you can easily check whether an SSL Certificate or a CSR matches a Private Key using the OpenSSL utility.

To make sure that the files are compatible, you can print and compare the values of the SSL Certificate modulus, the Private Key modulus and the CSR modulus.


Check Compatibility

When you create a Private Key and CSR to obtain an SSL Certificate, OpenSSL generates an RSA key pair, and one component of that key pair is a large number called the modulus.

OpenSSL stores the modulus in the Private Key, as well as in the CSR and therefore in the SSL Certificate itself.

If the Private Key and the SSL Certificate you are using do not belong together, you will receive an error as follows:

[error] Unable to configure RSA server Private Key
[error] SSL Library Error: x509 certificate routines:X509_check_private_key:key values mismatch

If you get a similar error, it is time to check whether your Private Key matches the SSL Certificate by comparing their moduli.

[Error] … key values mismatch: Your Private Key and SSL Certificate must contain the same modulus, otherwise the web-server won’t start.

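Let’s print the modulus of the Private Key, the SSL Certificate and the CSR, converting each to an md5 hash so that the values are short enough to compare by eye. The md5 hash serves only as a compact fingerprint of the modulus here, and because the modulus is an RSA value, these commands apply to RSA keys.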

Print the md5 hash of the SSL Certificate modulus:

$ openssl x509 -noout -modulus -in CERTIFICATE.crt | openssl md5

Print the md5 hash of the CSR modulus:

$ openssl req -noout -modulus -in CSR.csr | openssl md5

Print the md5 hash of the Private Key modulus:

$ openssl rsa -noout -modulus -in PRIVATEKEY.key | openssl md5


If the md5 hashes are the same, then the files (SSL Certificate, Private Key and CSR) are compatible.
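The same comparison as a script, added here as an example and not part of the original article. It goes beyond the RSA case above by hashing the whole public key extracted from each file with SHA-256, so it also works for EC keys; the function names and the `kind:path` argument format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article). Function names and the
# "kind:path" argument format are assumptions made for this example.

# Print the SHA-256 digest of the public key carried by a PEM file.
# $1 = cert | csr | key, $2 = path to the file
pubkey_digest() {
    case "$1" in
        cert) pd_pem=$(openssl x509 -noout -pubkey -in "$2") ;;
        csr)  pd_pem=$(openssl req -noout -pubkey -in "$2") ;;
        key)  pd_pem=$(openssl pkey -pubout -in "$2") ;;
        *)    echo "unknown kind: $1" >&2; return 2 ;;
    esac || { echo "cannot read $1 file: $2" >&2; return 2; }
    # Re-encode as DER so the digest does not depend on PEM line wrapping.
    printf '%s\n' "$pd_pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Compare any number of "kind:path" arguments.
# Returns 0 if every file carries the same public key, 1 on a mismatch,
# 2 if a file could not be parsed.
check_match() {
    cm_ref=""
    for cm_arg in "$@"; do
        cm_kind=${cm_arg%%:*}
        cm_path=${cm_arg#*:}
        cm_digest=$(pubkey_digest "$cm_kind" "$cm_path") || return 2
        printf '%s  %s\n' "$cm_digest" "$cm_path"
        if [ -z "$cm_ref" ]; then
            cm_ref=$cm_digest
        elif [ "$cm_digest" != "$cm_ref" ]; then
            echo "MISMATCH: $cm_path does not match the first file" >&2
            return 1
        fi
    done
    echo "OK: all files carry the same public key"
}

# Example: ./check.sh cert:CERTIFICATE.crt key:PRIVATEKEY.key csr:CSR.csr
[ "$#" -eq 0 ] || check_match "$@"
```

The non-zero exit status on a mismatch lets a deployment script stop before the web server is reloaded with a key and certificate that do not belong together.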
