Confirming the integrity of an RSA key pair is a three-part process:
First, use openssl to check the private key's integrity. The -check option applies to RSA keys, and openssl will prompt for the passphrase if the key is encrypted. Look for the text "RSA key ok" in the output rather than relying only on the command's exit status, which does not reliably reflect a failed check on every OpenSSL version.
openssl rsa -in [key-file.key] -check -noout
Example of a private key that fails the integrity check:
Other errors that can result from a tampered, corrupted or malformed key:
If you receive any of the above errors, the private key has been altered or damaged and may not work with your public key. Consider creating a new private key and submitting it for a replacement certificate.
Example of a private key that passes the integrity check:
The above indicates a clean private key; proceed to the next step of comparing the modulus.
Next, confirm that the modulus of the private key matches the modulus of the SSL certificate.
Note: The modulus of the private key and of the certificate must match exactly. The values are hundreds of hex characters long, so comparing them by eye is error-prone; piping each command's output through a hash (for example openssl md5) and comparing the short digests is the usual practice.
To view the certificate Modulus:
openssl x509 -noout -modulus -in [certificate-file.cer]
To view the private key Modulus:
openssl rsa -noout -modulus -in [key-file.key]
Next, encrypt a test message with the public key from the certificate and decrypt it with the private key. (The rsautl subcommand used below still works but is deprecated as of OpenSSL 3.0, which prints a warning recommending pkeyutl instead.) First extract the public key from the certificate:
openssl x509 -in [certificate-file.cer] -noout -pubkey > certificatefile.pub.cer
Example content of the extracted public key file certificatefile.pub.cer (a PEM public key, not a certificate, despite the file extension):
Create a new file called test.txt containing the text "message test". Run the following command to encrypt it into cipher.txt:
openssl rsautl -encrypt -in test.txt -pubin -inkey certificatefile.pub.cer -out cipher.txt
Example content of cipher.txt (raw binary, so it will not be readable as text):
Run the following command to decrypt cipher.txt to your terminal:
openssl rsautl -decrypt -in cipher.txt -inkey [key-file.key]
Confirm that the decrypted content printed to your terminal matches the content of test.txt exactly.
If the content does not match, or decryption fails with an error, the private key has been altered or does not belong to this certificate and may not work with your public key. Consider creating a new private key and submitting it for a replacement certificate.
Example output of a successfully decrypted message:
Finally, sign test.txt with your private key, writing the signature to test.sig:
openssl dgst -sha256 -sign [key-file.key] -out test.sig test.txt
Verify the signature with the public key extracted from the certificate earlier in this step (certificatefile.pub.cer):
openssl dgst -sha256 -verify certificatefile.pub.cer -signature test.sig test.txt
Make sure the terminal output looks like the following:
Example which meets the integrity:
If you receive the message below, your private key has been altered or does not belong to this certificate and may not work with your public key. Consider creating a new private key and submitting it for a replacement certificate.
Example which does not meet the integrity:
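The three checks above, scripted end to end, as an added example that is not part of the original article. It assumes an openssl binary on PATH and mktemp; the key, self-signed certificate, mismatched key and corrupted key it checks are constructed locally and thrown away, so nothing here touches a real certificate. It goes slightly beyond the article: it uses pkeyutl (the non-deprecated equivalent of rsautl), compares modulus digests instead of raw hex, reads the "RSA key ok" text instead of trusting the exit status, and exercises two failure cases alongside the good pair.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes 'openssl' and 'mktemp'
# are on PATH. All key material is generated here for the demo and discarded.
set -u

# verify_keypair KEY CERT
# Runs the article's three checks; returns 0 if KEY and CERT are a matching,
# intact pair, 1 otherwise (printing which step failed).
verify_keypair() {
    key=$1
    cert=$2
    work=$(mktemp -d)

    # Step 1: structural check of the private key. Grep for the success text;
    # the exit status alone is not a reliable signal on every OpenSSL version.
    if ! openssl rsa -in "$key" -check -noout 2>/dev/null | grep -q '^RSA key ok'; then
        echo "FAIL step 1: private key does not pass 'openssl rsa -check'"
        rm -rf "$work"; return 1
    fi

    # Step 2: compare modulus digests instead of eyeballing 512 hex characters.
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null | openssl sha256)
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null | openssl sha256)
    if [ "$key_mod" != "$cert_mod" ]; then
        echo "FAIL step 2: modulus of key and certificate differ"
        rm -rf "$work"; return 1
    fi

    # Step 3a: encrypt with the certificate's public key, decrypt with the key.
    # pkeyutl is the non-deprecated equivalent of the article's rsautl commands.
    openssl x509 -in "$cert" -noout -pubkey > "$work/pub.pem"
    printf 'message test' > "$work/test.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$work/pub.pem" \
        -in "$work/test.txt" -out "$work/cipher.bin" 2>/dev/null
    if ! openssl pkeyutl -decrypt -inkey "$key" -in "$work/cipher.bin" 2>/dev/null \
        | cmp -s - "$work/test.txt"; then
        echo "FAIL step 3: decrypted text does not match test.txt"
        rm -rf "$work"; return 1
    fi

    # Step 3b: sign with the private key, verify with the extracted public key.
    openssl dgst -sha256 -sign "$key" -out "$work/test.sig" "$work/test.txt" 2>/dev/null
    if ! openssl dgst -sha256 -verify "$work/pub.pem" \
        -signature "$work/test.sig" "$work/test.txt" 2>/dev/null | grep -q 'Verified OK'; then
        echo "FAIL step 3: signature does not verify with the certificate's public key"
        rm -rf "$work"; return 1
    fi

    rm -rf "$work"
    echo "OK: $key and $cert are a matching pair"
    return 0
}

# make_test_pair DIR
# Writes constructed test material into DIR: good.key with its self-signed
# certificate good.crt, other.key (an unrelated key), and bad.key (good.key
# with part of its base64 body altered to simulate a corrupted or tampered file).
make_test_pair() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/good.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/good.key" -subj "/CN=keypair-check-test" \
        -days 1 -out "$dir/good.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" 2>/dev/null
    # Lines 2-20 lie inside the base64 body of a 2048-bit PEM key; rewriting
    # characters there corrupts the encoded key without touching the PEM header.
    sed '2,20s/A/B/g' "$dir/good.key" > "$dir/bad.key"
}

# Demo run: generate the material and check the three combinations.
demo_dir=$(mktemp -d)
make_test_pair "$demo_dir"
verify_keypair "$demo_dir/good.key"  "$demo_dir/good.crt"   # expected: OK
verify_keypair "$demo_dir/other.key" "$demo_dir/good.crt"   # expected: FAIL step 2
verify_keypair "$demo_dir/bad.key"   "$demo_dir/good.crt"   # expected: FAIL step 1
rm -rf "$demo_dir"
```

To check a real pair, call verify_keypair with the paths to your key and certificate; it stops at the first failing step, which tells you whether the key file itself is damaged (step 1) or merely does not belong to that certificate (step 2 or 3).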