
How to Identify a Matching SSL Cert and Key

Friday, August 5th, 2011

Sometimes, when you need to install or reinstall an SSL cert, the key file used to generate the cert has been misplaced, rendering the certificate useless. This can especially be a problem when the cert was installed via a control panel, where the key is stored in the underlying filesystem. If multiple requests were generated, the key file that was used may not match the one that is currently in place. When attempting to install the certificate you may receive an error that the key file does not match, but it is fairly easy to identify the appropriate key using the OpenSSL command line utility.

To see the full details used for a certificate (such as the Common Name, issuer, expiration date, etc.) you can run the following command against the certificate:

[root@host ssl.crt]# openssl x509 -text -noout -in somedomain.cer

which will produce full details about the certificate in question, including what is referred to as the ‘modulus’. To single out a particular piece of information, you can ‘grep’ for the particular line of output you are looking for, or the command can be modified with the specific parameter, such as:

[root@host ssl.crt]# openssl x509 -subject -noout -in somedomain.cer

will tell you what specific hostname(s) the certificate was registered for, while

[root@host ssl.crt]# openssl x509 -enddate -noout -in somedomain.cer

will tell you when the certificate will expire.

The easiest way to identify the particular key file that matches this cert is to look at the modulus:

[root@host ssl.crt]# openssl x509 -modulus -noout -in somedomain.cer

This will produce several lines of output, which in itself can be a bit tricky to compare visually:







The solution is to pipe this output to the ‘md5sum’ command (or simply ‘md5’ on some operating systems):

[root@host ssl.crt]# openssl x509 -modulus -noout -in somedomain.cer | md5sum
cd75b831054e4418f7bf7fe0fc5b609a -
[root@host ssl.crt]#

If you use the same option against the key file you can easily match up the specific one used to generate this cert:

[root@host ssl.crt]# openssl x509 -modulus -noout -in somedomain.cer | md5sum
cd75b831054e4418f7bf7fe0fc5b609a -
[root@host ssl.crt]# openssl rsa -modulus -noout -in ../ssl.key/somedomain.key | md5sum
cd75b831054e4418f7bf7fe0fc5b609a -
[root@host ssl.crt]#

This output is much easier to compare and will only match for the specific files which correspond with each other.
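
When several key files are lying around, the comparison can be scripted. The following is an added example, not part of the original post: it goes one step beyond the modulus check by comparing the whole public key, so it also works for EC keys, which `openssl rsa -modulus` cannot read. The function names are hypothetical; the file names in the usage comment follow the post.

```shell
#!/bin/sh
# Added example (not from the original post): locate the private key that
# belongs to a certificate by comparing public keys, not just the RSA modulus.
# Function names are hypothetical.

# Print the PEM public key embedded in a certificate; fails if unreadable.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Print the PEM public key derived from a private key (RSA or EC).
# "-passin pass:" makes a passphrase-protected key fail instead of prompting.
key_pubkey() {
    openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null
}

# Usage: find_matching_key CERT KEYDIR
# Prints every file in KEYDIR whose public key equals the certificate's.
# Returns 0 if at least one matched, 1 if none, 2 if the cert is unreadable.
find_matching_key() {
    cert=$1 dir=$2 found=1
    want=$(cert_pubkey "$cert") || return 2
    [ -n "$want" ] || return 2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Skip anything that is not a parseable private key (CSRs, certs, notes).
        have=$(key_pubkey "$f") || continue
        if [ -n "$have" ] && [ "$have" = "$want" ]; then
            printf '%s\n' "$f"
            found=0
        fi
    done
    return "$found"
}

# Run directly, e.g.: sh find_key.sh somedomain.cer ../ssl.key
if [ "$#" -eq 2 ]; then
    find_matching_key "$1" "$2"
fi
```

Passphrase-protected keys are skipped rather than matched; decrypt a copy first if the candidate key may be encrypted.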
