[openssl-users] Check private key/certificate match

Viktor Dukhovni openssl-users at dukhovni.org
Sun Jan 18 18:02:20 UTC 2015

On Sat, Jan 17, 2015 at 11:56:42AM +0300, Dmitry Belyavsky wrote:

> Is there any simple way to check that the private key matches the
> certificate using command line utility? Now I use a pair of smime -sign/smime
> -verify commands.

Depends on what you call "simple".

    certspkihash=$(
	    openssl x509 -in cert.pem -noout -pubkey |
	    openssl pkey -pubin -outform DER |
	    openssl dgst -sha256 -binary |
	    hexdump -ve '/1 "%02X"'
	)
    keyspkihash=$(
	    openssl pkey -in key.pem -pubout -outform DER |
	    openssl dgst -sha256 -binary |
	    hexdump -ve '/1 "%02X"'
	)
    if [ "$certspkihash" != "$keyspkihash" ]; then
	# Error key and cert don't match
	echo "The sky is falling" >&2
	exit 1
    fi
    # Good, key and cert match ...

Obviously if the private key is password protected you'll
be prompted for that password.

The above does not involve any signatures, just compares
the SHA2-256 digest of the public key in the certificate
with the SHA2-256 digest of the public part of the key.

AFAIK there is not a single command that does this at present.
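
The comparison described above, wrapped as a POSIX sh function. This is an added example, not part of the original post. It also covers one failure mode: if neither file can be read, both pipelines digest empty input and the two hashes compare equal. The names `spki_sha256` and `key_matches_cert` and the return codes are assumptions of this example, and it uses `openssl dgst -r` rather than `hexdump` for the hex form.

```sh
#!/bin/sh
# Added example, not from the original post. Function names and
# return codes are hypothetical choices made for this illustration.

# Print the hex SHA2-256 digest of the DER-encoded public key (SPKI).
#   $1 = "cert" or "key", $2 = PEM file
# Returns 0 on success, 2 if no public key could be extracted.
spki_sha256() {
    der=$(mktemp) || return 2
    rc=2
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null |
                  openssl pkey -pubin -outform DER -out "$der" 2>/dev/null &&
                  rc=0 ;;
        key)  openssl pkey -in "$2" -pubout -outform DER -out "$der" 2>/dev/null &&
                  rc=0 ;;
    esac
    # Only hash when extraction succeeded and produced bytes; otherwise
    # the digest would be that of empty input, identical for any bad file.
    if [ "$rc" -eq 0 ] && [ -s "$der" ]; then
        openssl dgst -sha256 -r < "$der" | cut -d' ' -f1
    else
        rc=2
    fi
    rm -f "$der"
    return "$rc"
}

# Compare the public key in a certificate with the public part of a key.
#   $1 = certificate (PEM), $2 = private key (PEM)
# Returns 0 = match, 1 = mismatch, 2 = key or certificate unreadable.
key_matches_cert() {
    certspkihash=$(spki_sha256 cert "$1") || return 2
    keyspkihash=$(spki_sha256 key "$2") || return 2
    # Refuse to compare empty strings: they would look like a match.
    [ -n "$certspkihash" ] && [ -n "$keyspkihash" ] || return 2
    [ "$certspkihash" = "$keyspkihash" ]
}

# Usage: key_matches_cert cert.pem key.pem; echo "status: $?"
```
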

