
Solution ID : SO29559

Last Modified : 07/17/2020

How to verify the integrity of an SSL certificate and private key pair

Solution

Confirming the integrity of a key pair is a four-step process:

  1. Verify the integrity of the private key (that it has not been tampered with).
  2. Verify that the modulus of the private key and of the certificate match.
  3. Successfully encrypt with the public key from the certificate and decrypt with the private key.
  4. Confirm the integrity of a file signed with the private key.

First, use openssl to confirm the private key's integrity:

openssl rsa -in [key-file.key] -check -noout

Example of a private key which does not meet the integrity check:

Other errors that can be produced by a tampered or forged key:

  • RSA key error: p not prime
  • RSA key error: n does not equal p q
  • RSA key error: d e not congruent to 1
  • RSA key error: dmp1 not congruent to d
  • RSA key error: iqmp not inverse of q

If you receive any of the above errors, the private key has been manipulated and may not work with your public key. Consider creating a new private key and submitting for a replacement certificate.

Example of a private key which meets the integrity check (openssl prints RSA key ok):

The above indicates a clean private key; proceed to the next step, comparing the modulus.

Next, confirm that the modulus of the private key and that of the SSL certificate match.

Note: The modulus of the private key and of the certificate must match exactly.

To view the certificate modulus:
openssl x509 -noout -modulus -in [certificate-file.cer]

To view the private key modulus:
openssl rsa -noout -modulus -in [key-file.key]

Next, perform an encryption with the public key from the certificate and a decryption with the private key.

  1. Get the public key from the certificate

openssl x509 -in [certificate-file.cer] -noout -pubkey > certificatefile.pub.cer

Example content of the public key file certificatefile.pub.cer:

  2. Encrypt the test.txt file content using the public key

Create a new file called test.txt with the content "message test". Run the following command to write the encrypted message to cipher.txt.

openssl rsautl -encrypt -in test.txt -pubin -inkey certificatefile.pub.cer -out cipher.txt

Note: rsautl is deprecated as of OpenSSL 3.0; openssl pkeyutl accepts the same -encrypt, -decrypt, -pubin and -inkey options.

Example output of cipher.txt:

  3. Decrypt cipher.txt using the private key

Run the following command to decrypt the content of cipher.txt.

openssl rsautl -decrypt -in cipher.txt -inkey [key-file.key]

Confirm that you are able to decrypt the content of cipher.txt to your terminal.

Make sure the terminal output matches the content of test.txt.

If the content does not match, the private key has been manipulated and may not work with your public key. Consider creating a new private key and submitting for a replacement certificate.

Example output of a successfully decrypted message:

  4. Confirming the integrity of a file signed with the private key

Run the following command to sign test.txt with your private key, writing the signature to test.sig:
openssl dgst -sha256 -sign [key-file.key] -out test.sig test.txt

Verify the signature with the public key that was extracted in sub-step 1 (Get the public key from the certificate):
openssl dgst -sha256 -verify certificatefile.pub.cer -signature test.sig test.txt

Make sure the terminal output looks like the following.
Example which meets the integrity check (openssl prints Verified OK):

If you receive the message below (Verification Failure) instead, your private key has been manipulated and may not work with your public key. Consider creating a new private key and submitting for a replacement certificate.

Example which does not meet the integrity check:
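The script below is an added example, not part of this solution article. It runs all four checks from the article end to end against a constructed, throw-away self-signed certificate and key, then repeats them with a second, unrelated private key so that both the passing case and the mismatch case can be seen. It assumes an openssl binary (1.1.x or 3.x) on PATH; because rsautl is deprecated in OpenSSL 3.0, the encrypt/decrypt round trip uses pkeyutl with the same options. The certificate subject, file names and working directory are assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): the article's four key-pair
# integrity checks, each wrapped in a function that returns 0 on pass.
# Assumes `openssl` on PATH. Test material below is constructed on the fly.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed certificate with its private key,
# plus a second key that belongs to nothing (the "wrong key" case).
make_keypair() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=integrity-check.example" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.pem" 2>/dev/null
}

# Step 1: structural check of the private key components (p, q, n, d, dmp1,
# dmq1, iqmp). Prints "RSA key ok" or one of the "RSA key error: ..." lines.
check_key() {
  openssl rsa -in "$1" -check -noout
}

# Step 2: the modulus printed for the certificate and for the key must be
# identical. Hashing both values turns a 512-hex-digit comparison into a
# short one that is easy to eyeball; equal hashes mean equal moduli.
modulus_match() {
  cert_mod=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
  key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
  [ "$cert_mod" = "$key_mod" ]
}

# Step 3: encrypt with the public key extracted from the certificate, decrypt
# with the private key, and compare the recovered plaintext to the original.
roundtrip() {
  openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem"
  printf 'message test' > "$WORK/test.txt"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
    -in "$WORK/test.txt" -out "$WORK/cipher.txt"
  plain=$(openssl pkeyutl -decrypt -inkey "$2" -in "$WORK/cipher.txt" 2>/dev/null)
  [ "$plain" = "message test" ]
}

# Step 4: sign test.txt with the private key and verify the signature with the
# extracted public key. dgst prints "Verified OK" or "Verification Failure".
sign_verify() {
  openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem"
  printf 'message test' > "$WORK/test.txt"
  openssl dgst -sha256 -sign "$2" -out "$WORK/test.sig" "$WORK/test.txt"
  openssl dgst -sha256 -verify "$WORK/pub.pem" \
    -signature "$WORK/test.sig" "$WORK/test.txt" 2>/dev/null
}

# Run a check as a command, printing PASS or FAIL under the given label.
report() {
  label=$1; shift
  if "$@" >/dev/null; then echo "$label: PASS"; else echo "$label: FAIL"; fi
}

# Run all four checks for one certificate ($1) / private key ($2) pair.
run_checks() {
  report "step 1 key check"       check_key "$2"
  report "step 2 modulus match"   modulus_match "$1" "$2"
  report "step 3 encrypt/decrypt" roundtrip "$1" "$2"
  report "step 4 sign/verify"     sign_verify "$1" "$2"
}

make_keypair
echo "== certificate with its own key =="
run_checks "$WORK/cert.pem" "$WORK/key.pem"
echo "== certificate with an unrelated key =="
run_checks "$WORK/cert.pem" "$WORK/other.pem"
```

With the unrelated key, step 1 still passes, because `openssl rsa -check` only validates the key's internal consistency; it is steps 2 through 4 that reveal the key does not belong to the certificate. That is why the article's procedure does not stop after the first check.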