Bash – How to find out if an OpenSSL certificate was created by a certain private key

Tags: bash, openssl, private-key, ssl-certificate

I have an OpenSSL certificate. I also need the private key. I was told it is located somewhere on the server, and true enough, I found multiple SSL key files.

Before I try them all by brute force: Is there a way I can find out on terminal if a private key was used to create the certificate?

Best Answer

The classic reference for this is this FAQ in the online Apache docs.

In that document, an md5 of the modulus is used because

As the public exponent is usually 65537 and it's difficult to visually check that the long modulus numbers are the same, you can use the following approach

This gives:

$ openssl rsa -noout -modulus -in key.pem.decrypted | openssl md5
(stdin)= 9fxxfoobar558d9xx0045a89467d2bxx

$ openssl x509 -noout -modulus -in crt.pem | openssl md5
(stdin)= 9fxxfoobar558d9xx0045a89467d2bxx

I'm proposing the use of process substitution to avoid visual comparison of the modulus:

$ diff \
    <(openssl x509 -noout -modulus -in cert.pem) \
    <(openssl rsa -noout -modulus -in key.pem.decrypted)

If the output is empty, the private key matches the certificate.

This is just a more convenient way to compare the strings than the one in Andrew Schulman's answer, which is, of course, also valid.

Another reference here.
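The same check as a script, added here as an example (not code from the answer or the Apache FAQ): it compares the full public key so it also works for EC keys, keeps the RSA modulus comparison from the answer as a second function, and scans a directory of candidate key files against one certificate. The file and directory names are hypothetical, and the fixture material is generated on the fly.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Requires the openssl CLI.
set -u

# Return 0 if the private key in $2 belongs to the certificate in $1.
# Compares the SubjectPublicKeyInfo in PEM form, so RSA and EC both work.
cert_matches_key() {
    local cert="$1" key="$2" cert_pub key_pub
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# RSA-only variant: the modulus comparison from the answer, without diff.
rsa_modulus_matches() {
    local cert_mod key_mod
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Print every *.pem / *.key file in $2 whose private key matches certificate $1.
# Files that are not private keys (e.g. the cert itself) simply fail the check.
find_matching_keys() {
    local cert="$1" dir="$2" k
    for k in "$dir"/*.pem "$dir"/*.key; do
        [ -f "$k" ] || continue
        cert_matches_key "$cert" "$k" && echo "$k"
    done
}

# Constructed fixture: a throwaway self-signed cert with its key, plus an
# unrelated key that must NOT match.
make_fixture() {
    local dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=fixture" \
        -keyout "$dir/right.key" -out "$dir/cert.pem" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/wrong.key" >/dev/null 2>&1
}

# Demo run: prints only the matching key file.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
find_matching_keys "$demo_dir/cert.pem" "$demo_dir"
rm -rf "$demo_dir"
```

Decrypt an encrypted key first (as the answer's `key.pem.decrypted` implies), or `openssl pkey` will prompt for the passphrase.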