Check a certificate and a private key for a match

Ever wondered how to verify your private key with a certificate or CSR certificate?


All of the three server certificate, private key and CSR contain a specific value, which must be the same for the three to be sure that the private key is used for the CSR and this CSR is used to issue the server certificate. The value

public exponent

of private key and the

modulus

must have the same value.
If they differ by value you can be sure this private key cannot be used in pair with the server certificate you think! Because modulus value is really big number like:

Modulus=C8A1E76902325B4449BE964A7F1E4D16F263245A4487E24CF373631211AA719FB17A65091A8ADF4AFD174CE95A069EDAF0F2E0DA8DA7A8F2D525695BB1F1AE6C825085C60053726BD9966277FAF73179D5F0285F45271D6C728D1A8A36EA846CE20EF7188397A859FE3F2A4933EA13E3643BACA8FA9569FFAAE907CC3E416B08368E2D9297E16CC14E7B6B98A0AA0703D865152C37F089ABD2CB7FCC2C0319F8098CBBE02DAF09B4B262B5A6A7D9002A0D6275BF56B7F406FB03E169D00EADC6A20F0709B1240067AB82D5411A4535C21B0A6EB96B6D23ACC0103703F9816DF04370F4734CF75FBB206618A91245A1F975C411D3CFAE83B8AF1318E773BF9A15

We could pipe it to a md5 function to make it more human verifiable.

Here are the three simple commands to check if your private key matches the certificate or the CSR certificate:

STEP 1) check the private key

[root@srv@local ]# openssl rsa -noout -modulus -in server.key | openssl md5
(stdin)= f1fdd77a19d21999264a1267253c6acd

STEP 2) check modulus value of the certificate

[root@srv@local ]# openssl x509 -noout -modulus -in server.crt | openssl md5
(stdin)= f1fdd77a19d21999264a1267253c6acd

STEP 3) check modulus value of the CSR

[root@srv@local ]# openssl req -noout -modulus -in server.csr | openssl md5
(stdin)= f1fdd77a19d21999264a1267253c6acd

If the three values are the same, you can use this pair of private key and certificate in your web (or whatever) server. It also means you can use this CSR to issue a server certificate and then use the pair this private key and the new server certificate!

* nginx web server reports error using not matching pair of private key and certificate:

[root@srv@local ]# nginx -t
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/nginx/server.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

And if you issue a restart command you’ll end up without working web server.

* Apache also reports an error in the error log (probably your ssl error log) and do not start:

[Tue Mar 06 03:37:39.378436 2014] [ssl:emerg] [pid 8182] AH02565: Certificate and private key localhost:443:0 from /etc/ssl/apache2/server.crt and /etc/ssl/apache2/server.key do not match

the default error log reports only configuration error:

AH00016: Configuration Failed

And strangely but apache2ctl reports no error!

 apache2ctl configtest
 * Checking apache2 configuration ...                                                                                          [ ok ]

SO always verify the private key and server certificate before issuing a restart of the service it depends on them!

Leave a Reply

Your email address will not be published. Required fields are marked *