Verifying SSL Certificate Information using the openssl command

Verifying that a private key matches a certificate

When we generate an SSL certificate for a site, we might want to verify that a given private key corresponds to that certificate. To do so, we can compare the modulus of the certificate with the modulus of the private key. The commands below pipe the modulus through openssl md5 so that we only have to compare a short digest.

To retrieve the modulus of the private key, we can use the command below:

    $ openssl rsa -noout -modulus -in example.com.key | openssl md5
    (stdin)= 750da5f1db68ad02d0f7580e1f1a8392

To retrieve the modulus of the certificate, we can use the command below:

    $ openssl x509 -noout -modulus -in example.com.crt | openssl md5
    (stdin)= 750da5f1db68ad02d0f7580e1f1a8392

If the output of both commands matches, then we are good: this is the private key that was used to generate the certificate.

Further, if we want to verify whether the CSR matches the certificate, we also need to retrieve the modulus of the CSR using the command below:

    $ openssl req -noout -modulus -in example.com.csr | openssl md5
    (stdin)= 750da5f1db68ad02d0f7580e1f1a8392

Since the modulus of the CSR is the same as that of the certificate, this CSR was used to generate the certificate.
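The modulus comparison above only applies to RSA keys. The script below is an added example, not part of the original post: it goes one step further and compares the whole public key, so the same check also works for EC keys. The function names are assumptions of this example, it uses SHA-256 instead of MD5 for the digest, and the keys and certificates it checks are throwaway samples generated on the spot.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are assumptions.

# Print the public key (PEM) stored in a private key, certificate or CSR.
# $1 = key|crt|csr   $2 = path to a PEM file
pubkey_pem() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac 2>/dev/null
}

# Print a SHA-256 fingerprint of that public key; fail if it cannot be read,
# so an unreadable file never hashes to the digest of empty input.
pubkey_digest() {
    pem=$(pubkey_pem "$1" "$2") || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Exit 0: all files hold the same public key. 1: mismatch. 2: unreadable file.
# Usage: same_public_key site.key site.crt [site.csr]
same_public_key() {
    k=$(pubkey_digest key "$1") || return 2
    c=$(pubkey_digest crt "$2") || return 2
    [ "$k" = "$c" ] || return 1
    [ -n "${3:-}" ] || return 0
    r=$(pubkey_digest csr "$3") || return 2
    [ "$k" = "$r" ] || return 1
}

# Constructed sample material: throwaway RSA and EC keys, a CSR and
# short-lived self-signed certificates in a temporary directory.
make_samples() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/rsa.key" 2>/dev/null
    openssl req -new -key "$1/rsa.key" -subj "/CN=example.com" -out "$1/rsa.csr"
    openssl x509 -req -in "$1/rsa.csr" -signkey "$1/rsa.key" -days 1 -out "$1/rsa.crt" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1/ec.key" 2>/dev/null
    openssl req -new -x509 -key "$1/ec.key" -subj "/CN=example.com" -days 1 -out "$1/ec.crt"
}

tmp=$(mktemp -d) && make_samples "$tmp"
trap 'rm -rf "$tmp"' EXIT   # remove the throwaway keys when the script ends
same_public_key "$tmp/rsa.key" "$tmp/rsa.crt" "$tmp/rsa.csr" && echo "RSA key, certificate and CSR match"
same_public_key "$tmp/ec.key" "$tmp/ec.crt" && echo "EC key and certificate match"
same_public_key "$tmp/ec.key" "$tmp/rsa.crt" || echo "EC key does not match the RSA certificate"
```

The exit status of same_public_key distinguishes a real mismatch (1) from a file that could not be read (2), which matters when the check runs unattended before a deployment.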


Identifying the Expiry Date of an SSL Certificate

$ openssl s_client -showcerts -connect example.com:443 </dev/null | openssl x509 -noout -dates

depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = New Jersey, L = Somerset, O = "John Wiley & Sons, Inc", OU = Internet Hosting, CN = example.com
verify return:1
notBefore=Jul 15 00:00:00 2015 GMT
notAfter=Jul 15 23:59:59 2016 GMT

How to verify whether a private key is password protected / Verifying the password for a private key

$ ssh-keygen -y -f .ssh/id_rsa
Enter passphrase:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0lEURNoLiCs2PVze1Vkx/LuLliVv8f81zGmbbX+7Di30QVLWx0O96ZIRCa0D3qo1BLc80IIP0ed6GyL3KyNT0hcJY6mjkmdJyOWVBE2Ex4JinNXDVR0YNpHPBbqlneiuw5K/g3w0sjR5lP77Y7C6yQutPM+8CP4VljoO1hSTG6UdmyFYFDQc1kNc0B1LmUL+0BjSlQuDMjC8tg5bY30Lt2VOWO5DFr0Ae+vd/MW+X2s+bSv+KTIEVpoWRCgGm0TenIqBH/AV+jwBdpq1XNxkyhc52JrzuDWFHFMlGfEv8jytGsoj7+/ljFr8kHpAdAGWdMmqlCniVNqW+5dHYJ/2vw==

In the above command, the prompt for a passphrase indicates that the private key is protected by a password. Entering the correct password prints the corresponding public key.

If the private key is not protected by a password, the command does not prompt for one:

$ ssh-keygen -y -f .ssh/id_rsa
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAkny6IjUVIobW5S/TJVyX8d6Wg2La2L2LQvX+itBQp5xJd9py7BpwZQk4qvwhL8/MYvRk3uhp1A7jmIsn3+P/dydhArjVye76ANks10/+4CJb3CMnPqoI8Opw2OuD48NLIDj0WFc06XuR4rKAcIZdFjuRmvrOvZZxekGbXzokdB6Ge0aucLfBvs4Iy//OAeXOmlIHTbsUBPsz0YGYIw9iaBTTN0h8FXV2WBFiQVacLdSq8El/GIwk7Ny+n0oQgk4PqWAXzl7YtA8DAMbet2CR+iZf2K4u00abncz5IAVxcz1KlbM1aTr4DBYyDl+wj3AVbFPCBi1nKykt+jINjCv8Dw==
