Verifying SSL Certificate Information using openssl command
Verifying that private key matches a certificate
When we generate an SSL certificate for a site, we might want to verify that a given private key is the one that belongs to the certificate. To verify that the private key matches its certificate, we can compare the modulus of the certificate with the modulus of the private key.
To retrieve the modulus of the private key, we can use the command below:
$ openssl rsa -noout -modulus -in example.com.key | openssl md5
(stdin)= 750da5f1db68ad02d0f7580e1f1a8392
To retrieve the modulus of the certificate, we can use the command below:
$ openssl x509 -noout -modulus -in example.com.crt | openssl md5
(stdin)= 750da5f1db68ad02d0f7580e1f1a8392
If the modulus digests printed by the two commands match, then we are good: the private key is the one that was used to generate the certificate.
Further, if we want to verify whether the CSR matches the certificate, we also need to retrieve the modulus of the CSR using the command below:
$ openssl req -noout -modulus -in example.com.csr | openssl md5
(stdin)= 750da5f1db68ad02d0f7580e1f1a8392
Since the modulus of the CSR is the same as that of the certificate, this CSR was used to generate the certificate.
Identifying Expiry Date of SSL Certificate
$ openssl s_client -showcerts -connect example.com:443 | openssl x509 -noout -dates
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = New Jersey, L = Somerset, O = "John Wiley & Sons, Inc", OU = Internet Hosting, CN = example.com
verify return:1
notBefore=Jul 15 00:00:00 2015 GMT
notAfter=Jul 15 23:59:59 2016 GMT
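The key/certificate/CSR match and the expiry check described above can be scripted as follows. This is an added example, not code from the original post: it compares the full public key instead of an MD5 of the modulus, so it goes beyond the RSA case shown and also works for EC keys, where `-modulus` does not apply. The function names and the generated demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. File names and the generated key material are constructed for the demo.

# Print the PEM public key embedded in a private key, certificate or CSR.
pubkey_pem() {
    case "$1" in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.crt) openssl x509 -in "$1" -noout -pubkey ;;
        *.csr) openssl req -in "$1" -noout -pubkey ;;
        *) return 2 ;;
    esac 2>/dev/null
}

# same_key REF FILE...: 0 if every FILE carries REF's public key,
# 1 on a mismatch, 2 if REF itself cannot be parsed.
same_key() {
    ref=$(pubkey_pem "$1") || return 2
    [ -n "$ref" ] || return 2
    shift
    for f in "$@"; do
        [ "$(pubkey_pem "$f")" = "$ref" ] || return 1
    done
    return 0
}

# expires_within CERT DAYS: 0 if CERT expires, has expired, or cannot be read
# within DAYS days; 1 if it stays valid for longer than that.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Build constructed test material in a temp directory and print its path.
make_demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example.com" \
        -keyout "$d/example.com.key" -out "$d/example.com.crt" 2>/dev/null || return 1
    openssl req -new -key "$d/example.com.key" -subj "/CN=example.com" \
        -out "$d/example.com.csr" 2>/dev/null || return 1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$d/other.key" 2>/dev/null || return 1
    echo "$d"
}

d=$(make_demo) || exit 1
same_key "$d/example.com.key" "$d/example.com.crt" "$d/example.com.csr" && echo "key, certificate and CSR match"
same_key "$d/other.key" "$d/example.com.crt" || echo "other.key does not match the certificate"
expires_within "$d/example.com.crt" 60 && echo "certificate expires within 60 days"
rm -rf "$d"
```

The exit status of `expires_within` makes it usable directly in a cron job or monitoring check, for example with a 30-day threshold.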
How to verify whether private key is password protected or not / Verifying the password for private key
$ ssh-keygen -y -f .ssh/id_rsa
Enter passphrase:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0lEURNoLiCs2PVze1Vkx/LuLliVv8f81zGmbbX+7Di30QVLWx0O96ZIRCa0D3qo1BLc80IIP0ed6GyL3KyNT0hcJY6mjkmdJyOWVBE2Ex4JinNXDVR0YNpHPBbqlneiuw5K/g3w0sjR5lP77Y7C6yQutPM+8CP4VljoO1hSTG6UdmyFYFDQc1kNc0B1LmUL+0BjSlQuDMjC8tg5bY30Lt2VOWO5DFr0Ae+vd/MW+X2s+bSv+KTIEVpoWRCgGm0TenIqBH/AV+jwBdpq1XNxkyhc52JrzuDWFHFMlGfEv8jytGsoj7+/ljFr8kHpAdAGWdMmqlCniVNqW+5dHYJ/2vw==
In the above command, ssh-keygen prompts for a passphrase, indicating that the private key is protected by a password. Entering the correct password will print the corresponding public key.
If the private key is not protected by a password, then it will not prompt for the password:
$ ssh-keygen -y -f .ssh/id_rsa
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAkny6IjUVIobW5S/TJVyX8d6Wg2La2L2LQvX+itBQp5xJd9py7BpwZQk4qvwhL8/MYvRk3uhp1A7jmIsn3+P/dydhArjVye76ANks10/+4CJb3CMnPqoI8Opw2OuD48NLIDj0WFc06XuR4rKAcIZdFjuRmvrOvZZxekGbXzokdB6Ge0aucLfBvs4Iy//OAeXOmlIHTbsUBPsz0YGYIw9iaBTTN0h8FXV2WBFiQVacLdSq8El/GIwk7Ny+n0oQgk4PqWAXzl7YtA8DAMbet2CR+iZf2K4u00abncz5IAVxcz1KlbM1aTr4DBYyDl+wj3AVbFPCBi1nKykt+jINjCv8Dw==