How To Tell If A TLS Certificate And Key Match


I’ve lost track of how many times someone has come wandering up to me with a bunch of private keys and a cert and thrown it all at me saying “I dunno which key was used!”. The slow way to figure that out is to put them into your web server config and see if it starts. The easier way is to use openssl.

Assuming the certificate is in $CERTFILE and the key is in $KEYFILE, these two openssl commands extract the modulus from each and hash it with MD5, so the values are short enough to compare by eye:

$ openssl x509 -noout -modulus -in $CERTFILE | openssl md5
415141d4539494dc1ccfc155b3216013

$ openssl rsa -noout -modulus -in $KEYFILE | openssl md5
415141d4539494dc1ccfc155a3216013

If the moduluses (moduli?) match, then you can be pretty sure that is the key that goes with this cert.
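
The same check as a script for the "bunch of private keys and a cert" case, added here as an example and not taken from the original post. It goes beyond the modulus comparison above by comparing the whole public key (`openssl x509 -pubkey` against `openssl pkey -pubout`), so it also handles EC keys, which have no modulus. The function names, file names and throwaway keys are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: match a certificate to its private key by public key (SPKI),
# which covers RSA and EC keys alike.

# Print the PEM public key of a certificate ($1=cert) or private key ($1=key).
spki_pem() {
    case $1 in
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        # "-passin pass:" makes an encrypted key fail instead of prompting
        key)  openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null ;;
    esac
}

# find_matching_key CERT KEY...  prints the first key that matches CERT.
# Exit status: 0 match found, 1 no match, 2 certificate unreadable.
find_matching_key() {
    cert=$1; shift
    want=$(spki_pem cert "$cert") || return 2
    [ -n "$want" ] || return 2
    for key in "$@"; do
        have=$(spki_pem key "$key") || continue
        # An unreadable key gives an empty string and must never match
        if [ -n "$have" ] && [ "$have" = "$want" ]; then
            printf '%s\n' "$key"
            return 0
        fi
    done
    return 1
}

# Constructed sample data: three throwaway keys and a self-signed cert for $1.
make_demo() {
    dir=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/a.key" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/b.key" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$dir/c.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/$1" -subj "/CN=example.test" -days 1 \
        -out "$dir/site.crt" 2>/dev/null
    printf '%s\n' "$dir"
}

demo=$(make_demo c.key)
find_matching_key "$demo/site.crt" "$demo"/*.key   # prints .../c.key
rm -rf "$demo"
```

A key file that openssl cannot parse, or that is passphrase-protected, is skipped rather than reported as a match.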

my shorter content on the fediverse: https://the.mayhem.academy/@jdw