Friday, June 7, 2013

Verifying that an SSL Certificate matches a Key

When configuring SSL under Apache, if an error is made, Apache is unlikely to start. This can be a bit of a problem. So when a non-technical person provides you with a CRT/KEY pair and you are expected to install it into Apache while incurring minimal downtime, it can be useful to check the pair's validity before starting. The relevant portion of the key/crt pair is the modulus. It can be checked using the command-line openssl tools; for a matching pair, the two commands below print the same digest.
openssl x509 -in filename.crt -modulus -noout | openssl md5
openssl rsa -in filename.key -modulus -noout | openssl md5

If you want to be ambitious, verify the certificate's date range as well:
openssl x509 -in filename.crt -dates -noout
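
The two checks above combined into one pre-flight script, as an added example that is not part of the original post (the function names are hypothetical). It compares the modulus text directly rather than piping into `openssl md5`, because if both commands fail to parse their input, the pipeline hashes two empty streams and the digests match anyway.

```sh
#!/bin/sh
# Added example: pre-flight check of an RSA certificate/key pair.
# Function names are hypothetical, not from the original post.

# Succeeds only if both files parse and their "Modulus=..." lines are equal.
# Comparing the captured text (instead of piping into md5) avoids a false
# match when both commands fail and md5 hashes two empty inputs.
pair_matches() {
    crt_mod=$(openssl x509 -in "$1" -modulus -noout 2>/dev/null) || return 2
    key_mod=$(openssl rsa -in "$2" -modulus -noout 2>/dev/null) || return 2
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# Succeeds if the certificate's notAfter date is still in the future.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run both checks and print the validity window for a manual look.
check_pair() {
    crt=$1
    key=$2
    if ! pair_matches "$crt" "$key"; then
        echo "FAIL: $key does not match $crt, or a file could not be parsed" >&2
        return 1
    fi
    if ! cert_not_expired "$crt"; then
        echo "FAIL: $crt has expired" >&2
        return 1
    fi
    openssl x509 -in "$crt" -dates -noout
    echo "OK: key matches certificate and certificate has not expired"
}

# Usage: sh check_pair.sh filename.crt filename.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

`-checkend 0` only tests expiry, so read the printed `notBefore` line to confirm the certificate is already valid.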
