
How to Identify a Matching SSL Cert and Key

Friday, August 5th, 2011

Sometimes, when you need to install or reinstall an SSL cert, the key file used to generate the cert has been misplaced, rendering the certificate useless. This is especially a problem when the cert is installed via a control panel that stores the key in the underlying filesystem. If multiple requests were generated, the key file that was actually used may not match the one currently in place. When attempting to install the certificate you may receive an error that the key file does not match, but it is fairly easy to identify the appropriate key using the OpenSSL command line utility.

To see the full details used for a certificate (such as the Common Name, issuer, expiration date, etc.) you can run the following command against the certificate:

[root@host ssl.crt]# openssl x509 -text -noout -in somedomain.cer

which will produce full details about the certificate in question, including what is referred to as the ‘modulus’. To single out a particular piece of information, you can ‘grep’ for the line of output you are looking for, or give the command a more specific option, such as:

[root@host ssl.crt]# openssl x509 -subject -noout -in somedomain.cer

will tell what specific hostname(s) the certificate was registered for, while

[root@host ssl.crt]# openssl x509 -enddate -noout -in somedomain.cer

will tell you when the certificate will expire.

The easiest way to identify the particular key file that matches this cert is to look at the modulus:

[root@host ssl.crt]# openssl x509 -modulus -noout -in somedomain.cer

this will produce several lines of output, which in itself can be a bit tricky to compare visually:

Modulus=C81B0D3BB43343E779F34BC6371F3AF4E8F9031FFD6DD01D15B
A9BEC1242008C9EFD468132BA7DFGBC7CFAB9F938BE534F3BDC96EF58FF
4EE640154C6243CE1B1C2787D22306E25E86A9A5F3759B14C2A890F4006
9B975830147E0772337AEC058B8AC2CF3356EEE4F8619FE2FB2F578C4EB
B8D46EB15E47B5E44C28A5C3462D

The solution is to pipe this output to the ‘md5sum’ command (or simply ‘md5’ on some operating systems):

[root@host ssl.crt]# openssl x509 -modulus -noout -in somedomain.cer | md5sum
cd75b831054e4418f7bf7fe0fc5b609a -
[root@host ssl.crt]#

If you use the same option against the key file you can easily match up the specific one used to generate this cert:

[root@host ssl.crt]# openssl x509 -modulus -noout -in somedomain.cer | md5sum
cd75b831054e4418f7bf7fe0fc5b609a -
[root@host ssl.crt]# openssl rsa -modulus -noout -in ../ssl.key/somedomain.key | md5sum
cd75b831054e4418f7bf7fe0fc5b609a -
[root@host ssl.crt]#

This output is much easier to compare and will only match for the specific files which correspond with each other.
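As an added example, not part of the original post: a small POSIX sh script that automates the comparison above across a whole directory of candidate key files, which is the situation the post describes when several requests have been generated. It assumes the `openssl` and `md5sum` binaries are on PATH and that the keys are RSA; the function names and paths are made up. It also goes slightly beyond the post by accepting a CSR as the first argument (`openssl req -modulus`) alongside a certificate.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes `openssl` and `md5sum`
# are installed and that all candidate keys are RSA keys.

# Print the md5 of the "Modulus=..." line for a cert, CSR or key, picking the
# openssl subcommand from the PEM header. md5 is only used to shorten two
# values for equality comparison here, not for any integrity purpose.
modulus_hash() {
    f="$1"
    if grep -q 'CERTIFICATE REQUEST' "$f"; then
        openssl req -modulus -noout -in "$f" 2>/dev/null
    elif grep -q 'CERTIFICATE' "$f"; then
        openssl x509 -modulus -noout -in "$f" 2>/dev/null
    else
        openssl rsa -modulus -noout -in "$f" 2>/dev/null
    fi | md5sum | cut -d' ' -f1
}

# Print the path of every key file in $2 whose modulus matches cert/CSR $1.
# Returns 0 if at least one key matched, 1 otherwise.
find_matching_keys() {
    cert="$1"
    keydir="$2"
    want=$(modulus_hash "$cert")
    found=1
    for k in "$keydir"/*; do
        [ -f "$k" ] || continue
        # Only consider private key files, not certificates lying in the dir.
        grep -q 'CERTIFICATE' "$k" && continue
        got=$(modulus_hash "$k")
        # A file openssl cannot parse yields the md5 of an empty string;
        # skip it instead of reporting a false match.
        [ -n "$got" ] && [ "$got" != "d41d8cd98f00b204e9800998ecf8427e" ] \
            && [ "$got" = "$want" ] && { echo "$k"; found=0; }
    done
    return $found
}

# Typical use on a cPanel-style layout (paths are placeholders):
#   find_matching_keys /etc/ssl/certs/somedomain.cer /etc/ssl/private
```

Run it on the host where the keys already live so the private keys never need to be copied elsewhere for the comparison.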
