[openssl-users] Check private key/certificate match
Viktor Dukhovni
openssl-users at dukhovni.org
Sun Jan 18 18:02:20 UTC 2015
On Sat, Jan 17, 2015 at 11:56:42AM +0300, Dmitry Belyavsky wrote:
> Is there any simple way to check that the private key matches the
> certificate using command line utility? Now I use pair of smime -sign/smime
> -verify commands.
Depends on what you call "simple".

    certspkihash=$(
        openssl x509 -in cert.pem -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        hexdump -ve '/1 "%02X"'
    )
    keyspkihash=$(
        openssl pkey -in key.pem -pubout -outform DER |
        openssl dgst -sha256 -binary |
        hexdump -ve '/1 "%02X"'
    )
    if [ "$certspkihash" != "$keyspkihash" ]; then
        # Error key and cert don't match
        echo "The sky is falling" >&2
        exit 1
    fi
    # Good, key and cert match ...

Obviously if the private key is password protected you'll
be prompted for that password.

The above does not involve any signatures, just compares
the SHA2-256 digest of the public key in the certificate
with the SHA2-256 digest of the public part of the key.

AFAIK there is not a single command that does this at present.

--
Viktor.
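
The same SPKI digest comparison wrapped as a reusable function, as an added example that is not part of the original post. It also reports unreadable input separately: without that check, two pipelines that both fail would each hash empty input and compare equal. The names spki_hash, key_matches_cert and EMPTY_SHA256 are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# SHA-256 of zero bytes: what the digest stage emits if an earlier stage failed.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# Print the SHA-256 hex digest of the DER-encoded SubjectPublicKeyInfo.
# $1 = public key as PEM text. Returns 2 if no usable digest was produced.
spki_hash() {
    h=$(printf '%s\n' "$1" |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1)
    [ "${#h}" -eq 64 ] && [ "$h" != "$EMPTY_SHA256" ] || return 2
    printf '%s\n' "$h"
}

# $1 = certificate (PEM), $2 = private key (PEM).
# Returns 0 on match, 1 on mismatch, 2 if either input cannot be parsed.
key_matches_cert() {
    certpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    keypub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    certhash=$(spki_hash "$certpub") || return 2
    keyhash=$(spki_hash "$keypub") || return 2
    [ "$certhash" = "$keyhash" ] || return 1
    return 0
}

# Command-line use: script.sh cert.pem key.pem
if [ "$#" -eq 2 ]; then
    rc=0
    key_matches_cert "$1" "$2" || rc=$?
    case $rc in
        0) echo "key and certificate match" ;;
        1) echo "key and certificate do NOT match" >&2 ;;
        *) echo "could not read certificate or key" >&2 ;;
    esac
    exit "$rc"
fi
```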