How to Verify if a CSR, Private Key, and Certificate Match Using OpenSSL

When working with SSL/TLS certificates, ensuring that the Certificate Signing Request (CSR), private key, and certificate match is crucial. This verification can help you avoid issues during certificate installation and ensure that the SSL/TLS setup is secure and functioning correctly.

In this guide, we'll walk through the steps to verify whether a CSR, private key, and certificate match using OpenSSL. We'll use example filenames like example.com.csr, example_private.key, and example_com.crt.

Prerequisites

Step 1: Verify CSR and Private Key Match

To verify that the CSR matches the private key, compare the modulus of both files. For an RSA key pair, the modulus is part of the public key, so it is identical in the CSR and the private key when the two are correctly paired.

For the CSR example.com.csr and the private key example_private.key, run the following commands:



openssl req -noout -modulus -in example.com.csr | openssl md5

openssl rsa -noout -modulus -in example_private.key | openssl md5


The openssl req command extracts the modulus from the CSR, and the openssl rsa command extracts the modulus from the private key. Both outputs are then hashed using openssl md5 to make the comparison easier.

Expected Result

If the CSR and private key match, both commands will output the same MD5 hash. If the outputs differ, the CSR and private key do not match, and you may need to generate a new CSR using the correct private key.

Step 2: Verify Certificate and Private Key Match

Next, verify that the certificate matches the private key. This confirms that the certificate was issued for the public key that belongs to your private key.

For the certificate example_com.crt and the private key example_private.key, run the following commands:


openssl x509 -noout -modulus -in example_com.crt | openssl md5

openssl rsa -noout -modulus -in example_private.key | openssl md5


The openssl x509 command extracts the modulus from the certificate, and the openssl rsa command extracts the modulus from the private key.

Expected Result

If the certificate and private key match, both commands will output the same MD5 hash. If the outputs differ, the certificate and private key do not match, and you may need to obtain the correct certificate.

Step 3: Verify CSR and Certificate Match

Lastly, you can compare the details between the CSR and the certificate to verify that they match. While this step is optional, it provides additional confirmation that the CSR and certificate are correctly aligned.

For the CSR example.com.csr and the certificate example_com.crt, run the following commands:


openssl req -noout -text -in example.com.csr

openssl x509 -noout -text -in example_com.crt


Compare the Subject and Public Key fields in both outputs. They should be identical if the CSR and certificate match.

Expected Result

If the CSR and certificate match, the Subject and Public Key fields will be the same. If there are discrepancies, the CSR and certificate may not match, and you should investigate further.
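The three checks above can be combined into one script. The following is an added example, not part of the original guide. It goes beyond the modulus comparison by hashing the whole public key, so it also works for EC keys, where -modulus does not apply. The function names, req.cnf, other.key and the temporary directory are assumptions made for the demonstration, and all sample files are constructed on the fly.

```shell
#!/bin/sh
# Added example (not from the original guide). Compares the public key in a
# private key, CSR and certificate; works for RSA and EC keys alike.

# Print the PEM public key found in a file. $1 = key|csr|crt, $2 = path.
pubkey_pem() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac 2>/dev/null
}

# Print a SHA-256 fingerprint of that public key; fail if nothing was parsed,
# so two unreadable files can never "match" on the hash of empty input.
pubkey_fp() {
    pem=$(pubkey_pem "$1" "$2") || return 2
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 if key ($1), CSR ($2) and certificate ($3) share one public key,
# 1 on a mismatch, 2 if any file could not be parsed.
triplet_matches() {
    k=$(pubkey_fp key "$1") || return 2
    r=$(pubkey_fp csr "$2") || return 2
    c=$(pubkey_fp crt "$3") || return 2
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Build constructed sample files in directory $1: an EC key with its CSR and
# self-signed certificate, plus an unrelated RSA key (other.key).
make_samples() {
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$1/req.cnf"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1/example_private.key" 2>/dev/null &&
    openssl req -new -config "$1/req.cnf" -subj "/CN=example.com" \
        -key "$1/example_private.key" -out "$1/example.com.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/example.com.csr" -days 1 \
        -signkey "$1/example_private.key" -out "$1/example_com.crt" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

d=$(mktemp -d) && make_samples "$d" &&
    triplet_matches "$d/example_private.key" "$d/example.com.csr" "$d/example_com.crt" &&
    echo "key, CSR and certificate match"
rm -rf "$d"
```

To check real files, call triplet_matches with the paths to your own key, CSR and certificate and inspect the exit status.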

Conclusion

Verifying that your CSR, private key, and certificate match is a crucial step in ensuring a smooth SSL/TLS setup. By following the steps outlined above, you can easily confirm that all three components are properly aligned.

Using OpenSSL, you can quickly check the integrity of your SSL/TLS certificates and avoid common pitfalls during certificate installation. Whether you're managing SSL/TLS for a website, application, or other service, these verification steps will help you ensure everything is configured correctly.

Example Commands Recap

For quick reference, here's a recap of the commands used:

Verify CSR and Private Key:


openssl req -noout -modulus -in example.com.csr | openssl md5

openssl rsa -noout -modulus -in example_private.key | openssl md5


Verify Certificate and Private Key:

openssl x509 -noout -modulus -in example_com.crt | openssl md5

openssl rsa -noout -modulus -in example_private.key | openssl md5


Verify CSR and Certificate:

openssl req -noout -text -in example.com.csr

openssl x509 -noout -text -in example_com.crt


By following these steps, you'll be confident that your SSL/TLS setup is secure and correctly configured. Happy securing.