Verifying that a private key and certificate match

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Verifying that a private key and certificate match

Mark H. Wood
Is there a built-in command in the openssl utility which can verify
that a private key and a certificate represent a valid keypair?  Or is
there some simple way to determine this using other built-in commands?

--
Mark H. Wood, Lead System Programmer   [hidden email]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.


attachment0 (196 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Using Engine interface in openssl to interface with Crypto Hardware

Roy, Anindya (Anindya)

Has anybody used the Engine interface in the openssl to integrate with
FreeScale PowerPC Quicc III 8548E ?
Any pointers or info in this regard will be of great help.

Thanks,

Cheers
Anindya
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Verifying that a private key and certificate match

juliusdavies
In reply to this post by Mark H. Wood
RSA keypair, right?  If so, compare that the modulus of both the
certificate and the private key is equal.  These two commands do the
trick:

openssl x509 -in cert.pem -modulus -noout

openssl rsa -in rsa.pem -modulus -noout


If on Unix, I imagine you can do this (ahhh... the glorious back-tick!):

TEST1=`openssl x509 -in cert.pem -modulus -noout`
TEST2=`openssl rsa -in rsa.pem -modulus -noout`
if [ "$TEST1" = "$TEST2" ]; then echo 'equal'; else echo 'not equal'; fi;


(Is it okay to only check the modulus?  The public exponent can be
ignored?  Is it always "Exponent: 65537 (0x10001)"?)


yours,

Julius


On 2/19/07, Mark H. Wood <[hidden email]> wrote:

> Is there a built-in command in the openssl utility which can verify
> that a private key and a certificate represent a valid keypair?  Or is
> there some simple way to determine this using other built-in commands?
>
> --
> Mark H. Wood, Lead System Programmer   [hidden email]
> Typically when a software vendor says that a product is "intuitive" he
> means the exact opposite.
>
>
>


--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Verifying that a private key and certificate match

Keith Thompson-3
On Mon 07-02-19 16:11, Julius Davies wrote:

> RSA keypair, right?  If so, compare that the modulus of both the
> certificate and the private key is equal.  These two commands do the
> trick:
>
> openssl x509 -in cert.pem -modulus -noout
>
> openssl rsa -in rsa.pem -modulus -noout
>
>
> If on Unix, I imagine you can do this (ahhh... the glorious back-tick!):
>
> TEST1=`openssl x509 -in cert.pem -modulus -noout`
> TEST2=`openssl rsa -in rsa.pem -modulus -noout`
> if [ "$TEST1" = "$TEST2" ]; then echo 'equal'; else echo 'not equal'; fi;

Be careful about doing this as part of an automated process.  If both
commands encounter errors, they'll print error messages on stderr,
and $TEST1 and $TEST2 will both be empty (and therefore equal).

You can redirect stderr to a file or to /dev/null, and check the
value of $? after each command.

> (Is it okay to only check the modulus?  The public exponent can be
> ignored?  Is it always "Exponent: 65537 (0x10001)"?)

I don't know.

--
Keith Thompson <[hidden email]>  San Diego Supercomputer Center
<http://users.sdsc.edu/~kst/>  858-822-0853
We must do something.  This is something.  Therefore, we must do this.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Verifying that a private key and certificate match

Goetz Babin-Ebell
In reply to this post by juliusdavies
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julius Davies wrote:

> RSA keypair, right?  If so, compare that the modulus of both the
> certificate and the private key is equal.  These two commands do the
> trick:
>
> openssl x509 -in cert.pem -modulus -noout
>
> openssl rsa -in rsa.pem -modulus -noout
>
>
> If on Unix, I imagine you can do this (ahhh... the glorious back-tick!):
>
> TEST1=`openssl x509 -in cert.pem -modulus -noout`
> TEST2=`openssl rsa -in rsa.pem -modulus -noout`
> if [ "$TEST1" = "$TEST2" ]; then echo 'equal'; else echo 'not equal'; fi;
>
> (Is it okay to only check the modulus?  The public exponent can be
> ignored?  Is it always "Exponent: 65537 (0x10001)"?)
No.
You must compared modulis and exponent for an RSA key...

Bye

Goetz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFF2lgG2iGqZUF3qPYRAmDdAJ0fRwKUM6/ZkQo+8VGVWv+SdtPAzwCfWZpA
fZPQiu59Lp0WeBa7FhFeWqo=
=BvUs
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]