
How to verify a private key matches a x509 (.cer) certificate?


This post explains how to verify a private key (possibly a .key file) you somehow got your hands on matches a certificate file (.cer) you also somehow are in possession of. Don’t ask me where I got mine, but I had to figure out how to make sure a key and a certificate matched before I uploaded mine to AKS (Azure Kubernetes Service).

Problem


This is yet another article where I document how to work around an issue, so I can do it when I run into the same issue the next time :)

Note, that I’m not a certificate expert. Far from it! Take my advice with a grain of salt.

Anyway – I had to do some AKS (Azure Kubernetes Service) configurations that required a new domain and a new associated SSL certificate to go with it. This required running something along the lines of:

kubectl create secret tls my-tls-secret --cert=path/to/cert/file --key=path/to/key/file

But before getting there, I needed to upload matching key and certificate files. And as luck would have it I had PLENTY of keys and certificates just lying around at that point. But once I found a key and a certificate I liked, how could I make sure they matched one another?

Solution

openssl to the rescue! With openssl, you can (with some interesting steps) verify whether a cleartext key and BASE64-encoded certificate match.

The following step-by-step how-to will guide you on verifying your .key file and .cer/.crt/.pem/.der files match.

Time needed: 10 minutes.

How to verify if a .key file matches a certificate file?

  1. Prerequisite: install OpenSSL

    OpenSSL is a command-line tool you can use to do all kinds of black magic to certificates. But today, we’ll use it to verify your private key matches your certificate.

    The first thing to do is to download the tool. They don’t want to make it too easy, but you should be able to find the latest version from here.

  2. Have .cer and .key in the same folder

    Move all of your certificate files to one folder, open Terminal and change to that directory.

    You’ll need a .cer file (in my example, my.cer) and a .key file (my.key, unsurprisingly). The latter should look somewhat like this:

    -----BEGIN RSA PRIVATE KEY-----
    ALOTOFCHARACTERSHEREFORQUITEAFE
    WLINESITSQUITEDIFFICULTTOREADYFRA
    NKLYBUTYOUDONTNEEDTOCAREABOUT
    THAT
    -----END RSA PRIVATE KEY-----

  3. Transform your .cer file to .crt

    If your .cer file is not BASE64-encoded when you open it up in VS Code or similar text editor, you need to transform it.

    The easy rule is that the certificate needs to be plain ASCII text and start with this:
    -----BEGIN CERTIFICATE-----

    and end with:
    -----END CERTIFICATE-----

    If it's not, it's probably a DER-encoded (binary) certificate that just happens to have a .cer extension, rather than a PEM one. openssl needs it in PEM form for the following steps, and one way to convert it is this:
    openssl x509 -inform DER -in my.cer -out my.crt

    If it already was BASE64-encoded, you can use the certificate as it is. But if you want to proceed with the guide as it is, you might want to rename the file to my.crt.

    Clear as mud! But you should now either have a usable .crt file, or an error about not being able to read the contents. In both cases, you can proceed.

  4. Calculate modulus from your certificate

    Now we’ll calculate the modulus for your certificate. You don’t need to understand this. I don’t either. But it’ll help us.

    If you now have a .crt file (the last step was successful), this should work:
    openssl x509 -noout -modulus -in my.crt

    If the last step failed, you could try to rename the .cer to .pem, and then run this:
    openssl x509 -noout -modulus -in my.pem

    If this fails, too, your certificate was probably rubbish. Get a new one.

    If it produced an interesting output and not an error, take note of the output. You’ll need it for comparison.

  5. Calculate modulus for your private key

    Now, for your private key file (my.key in my sample), run this:
    openssl rsa -noout -modulus -in my.key

    This is the second output you need to compare.

  6. Compare the 2 values

    If the modulus output you get from the 2 commands matches, the private key and your certificate are a pair.

    That looks somewhat like below:
    [Figure: Calculate modulus for your .crt and .key files]
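The whole procedure from steps 3 to 6, scripted. This is an added example, not code from the original post: it detects whether the certificate is PEM or DER so you don't have to rename or convert anything, pulls the modulus out of both files with the same openssl commands used above, and compares SHA-256 digests of the two moduli instead of eyeballing two very long hex strings. It needs only the openssl command-line tool. The function names (cert_modulus, key_modulus, key_matches_cert, make_fixture), the file names and the CN=example.test subject are my own choices; make_fixture builds throwaway test data so the script can be run offline.

```shell
#!/bin/sh
# Added example (not from the original post): check that an RSA private key
# belongs to an X.509 certificate by comparing their moduli, as in steps 3-6.
# Requires the openssl CLI. Function and file names are arbitrary.

# Print the modulus of a certificate, whatever its encoding.
cert_modulus() {
    cert="$1"
    # A PEM certificate is ASCII text containing -----BEGIN CERTIFICATE-----
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null; then
        openssl x509 -noout -modulus -in "$cert"
    else
        # Otherwise assume DER (binary); openssl can read it directly,
        # so no separate conversion to a .crt file is needed
        openssl x509 -inform DER -noout -modulus -in "$cert"
    fi
}

# Print the modulus of an RSA private key (PKCS#1 or PKCS#8 PEM).
key_modulus() {
    openssl rsa -noout -modulus -in "$1"
}

# Exit status: 0 = key and certificate match, 1 = they do not,
# 2 = one of the files could not be read as a certificate / RSA key.
key_matches_cert() {
    cm=$(cert_modulus "$1") || return 2
    km=$(key_modulus "$2") || return 2
    # Both outputs have the form "Modulus=<hex>"; hash them so the
    # comparison does not depend on reading a 512-character string
    ch=$(printf '%s' "$cm" | openssl dgst -sha256)
    kh=$(printf '%s' "$km" | openssl dgst -sha256)
    [ "$ch" = "$kh" ]
}

# Build constructed test data (not real certificates): key a with a
# self-signed certificate in both PEM (.crt) and DER (.cer) form, plus an
# unrelated key b. Prints the directory that holds them.
make_fixture() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/a.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/a.key" -subj "/CN=example.test" \
        -days 1 -out "$dir/a.crt" 2>/dev/null
    openssl x509 -in "$dir/a.crt" -outform DER -out "$dir/a.cer"
    openssl genrsa -out "$dir/b.key" 2048 2>/dev/null
    printf '%s\n' "$dir"
}

# Usage: sh keycheck.sh my.cer my.key
if [ "$#" -eq 2 ]; then
    key_matches_cert "$1" "$2"
    rc=$?
    case $rc in
        0) echo "MATCH: $2 is the private key for $1" ;;
        1) echo "NO MATCH: $2 is not the private key for $1" ;;
        *) echo "ERROR: could not read $1 as a certificate or $2 as an RSA key" ;;
    esac
    exit $rc
fi
```

The DER detection is deliberately crude (a text search for the PEM header), which is exactly the "easy rule" from step 3; for a certificate in some third format the script reports status 2 rather than guessing. The modulus comparison only works for RSA pairs, which is also all the openssl rsa command in step 5 handles.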

And that was that! With any luck, you should be done :)
