[openssl-users] Check private key/certificate match

Dmitry Belyavsky

Jan 17, 2015, 3:59:36 AM
Hello,

is there any simple way to check that the private key matches the certificate using a command-line utility? Now I use a pair of smime -sign/smime -verify commands.

If there is no such way, please consider this letter as a feature request :-)

Thank you!

--
SY, Dmitry Belyavsky

Viktor Dukhovni

Jan 18, 2015, 1:05:22 PM
On Sat, Jan 17, 2015 at 11:56:42AM +0300, Dmitry Belyavsky wrote:

> Is there any simple way to check that the private key matches the
> certificate using command line utility? Now I use pair of smime -sign/smime
> -verify commands.

Depends on what you call "simple".

    certspkihash=$(
        openssl x509 -in cert.pem -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        hexdump -ve '/1 "%02X"'
    )
    keyspkihash=$(
        openssl pkey -in key.pem -pubout -outform DER |
        openssl dgst -sha256 -binary |
        hexdump -ve '/1 "%02X"'
    )
    if [ "$certspkihash" != "$keyspkihash" ]; then
        # Error key and cert don't match
        echo "The sky is falling" >&2
        exit 1
    fi
    # Good, key and cert match ...

Obviously if the private key is password protected you'll
be prompted for that password.

The above does not involve any signatures, just compares
the SHA2-256 digest of the public key in the certificate
with the SHA2-256 digest of the public part of the key.

AFAIK there is not a single command that does this at present.

--
Viktor.
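
Added example, not part of the thread or of OpenSSL itself: a fail-closed variant of the SPKI digest comparison above. When both pipelines fail (for instance on unreadable files), each digest is taken over empty input and the two compare equal, so this version checks that a public key was actually extracted before comparing; the function names, exit codes and the constructed test keys are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread: fail-closed SPKI digest comparison.

# spki_sha256 cert|key FILE
# Prints the hex SHA-256 of the DER SubjectPublicKeyInfo; returns 2 on error.
spki_sha256() {
    der=$(mktemp) || return 2
    case $1 in
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null |
                  openssl pkey -pubin -outform DER -out "$der" 2>/dev/null ;;
        key)  openssl pkey -in "$2" -pubout -outform DER -out "$der" 2>/dev/null ;;
        *)    false ;;
    esac
    # $? is the status of the last openssl run above, which fails on empty or
    # unparsable input; -s additionally rejects an empty output file.
    if [ $? -ne 0 ] || [ ! -s "$der" ]; then
        rm -f "$der"
        return 2
    fi
    openssl dgst -sha256 -r <"$der" | cut -d' ' -f1
    rm -f "$der"
}

# key_matches_cert KEY CERT
# Returns 0 on match, 1 on mismatch, 2 if either input could not be parsed.
key_matches_cert() {
    keyspkihash=$(spki_sha256 key "$1") || return 2
    certspkihash=$(spki_sha256 cert "$2") || return 2
    [ -n "$keyspkihash" ] && [ "$keyspkihash" = "$certspkihash" ] || return 1
}

# Constructed inputs: two fresh EC keys and a self-signed cert for the first.
demo_dir=$(mktemp -d)
for n in a b; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$demo_dir/$n.key" 2>/dev/null
done
openssl req -new -x509 -key "$demo_dir/a.key" -subj "/CN=constructed.example" \
    -days 1 -out "$demo_dir/a.crt" 2>/dev/null

key_matches_cert "$demo_dir/a.key" "$demo_dir/a.crt"; echo "matching pair: $?"
key_matches_cert "$demo_dir/b.key" "$demo_dir/a.crt"; echo "wrong key:     $?"
key_matches_cert "$demo_dir/no.key" "$demo_dir/no.crt"; echo "missing files: $?"
```

Treating exit status 2 separately from 1 lets a deployment script distinguish "wrong key" from "could not read the inputs" instead of reporting either as a match.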