Solution ID : SO29559

Last Modified : 04/15/2021

Verify the Integrity of an SSL/TLS certificate and Private Key Pair

Solution

Confirming the integrity of a key pair is a four-part process:

  1. Verify the integrity of the private key, i.e. that it has not been tampered with.
  2. Verify that the modulus of the private key and the modulus of the certificate's public key match.
  3. Successfully encrypt with the public key from the certificate and decrypt with the private key.
  4. Confirm the integrity of a file signed with the private key.

Use OpenSSL to confirm Private Key's Integrity

openssl rsa -in [key-file.key] -check -noout

Example of a private key that fails the integrity check:


Other errors that can be reported for a tampered or forged key:

  • RSA key error: p not prime
  • RSA key error: n does not equal p q
  • RSA key error: d e not congruent to 1
  • RSA key error: dmp1 not congruent to d
  • RSA key error: iqmp not inverse of q

If you receive any of the above errors, your private key has been manipulated and may not work with your public key. Consider creating a new private key and requesting a replacement certificate.

Example of a private key that passes the integrity check:


The above indicates a clean private key. Proceed to the next step, comparing the modulus.

Confirm That the Modulus of the Private Key and the SSL/TLS Certificate Match

Note: The modulus of the private key and the modulus of the certificate must match exactly.

To view the certificate Modulus:
openssl x509 -noout -modulus -in [certificate-file.cer]

To view the private key Modulus:
openssl rsa -noout -modulus -in [key-file.key]

Perform Encryption with the Public Key from the Certificate and Decryption with the Private Key

  1. Get the public key from the certificate

openssl x509 -in [certificate-file.cer] -noout -pubkey > certificatefile.pub.cer

Example content of the public key file certificatefile.pub.cer:

  2. Encrypt the test.txt file content using the public key

Create a new file called test.txt with the content "message test". Run the following command to write the encrypted message to cipher.txt.

openssl rsautl -encrypt -in test.txt -pubin -inkey certificatefile.pub.cer -out cipher.txt

Example output of cipher.txt:

  3. Decrypt cipher.txt using the private key

Run the following command to decrypt the content of cipher.txt.

openssl rsautl -decrypt -in cipher.txt -inkey [key-file.key]

Confirm that you are able to decrypt the content of cipher.txt to your terminal.

Make sure that the terminal output matches the content of test.txt.

If the content does not match, the private key has been manipulated and may not work with your public key. Consider creating a new private key and requesting a replacement certificate.

Example output of a successfully decrypted message:

  4. Confirm the integrity of a file signed with the private key

Run the following command to sign test.txt with your private key, writing the signature to test.sig:
openssl dgst -sha256 -sign [key-file.key] -out test.sig test.txt

Verify the signature with the public key extracted in step 1 (Get the public key from the certificate):
openssl dgst -sha256 -verify certificatefile.pub.cer -signature test.sig test.txt

Make sure that the terminal output looks like the example below.

Example of a signature that verifies:


If you receive the message below, your private key has been manipulated and may not work with your public key. Consider creating a new private key and requesting a replacement certificate.

Example of a signature that fails verification:
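The four checks above, collected into one script as an added example (not part of the original article): it generates a throwaway key pair and an unrelated key, then runs the key check, modulus comparison, encrypt/decrypt round trip and sign/verify against them. It assumes the openssl binary is on PATH, and uses pkeyutl in place of rsautl, which OpenSSL 3.x marks as deprecated; the file names and the check_keypair/make_test_pair function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes `openssl` is on PATH.
set -eu

# check_keypair KEY CERT -> returns 0 when all four checks pass, 1 otherwise
check_keypair() {
  key=$1; cert=$2; tmp=$(mktemp -d)
  # 1. Private-key self-consistency (p prime, n = p*q, d*e = 1 mod phi, CRT params)
  openssl rsa -in "$key" -check -noout >/dev/null 2>&1 \
    || { echo "key check failed"; rm -rf "$tmp"; return 1; }
  # 2. Modulus comparison: hash each "Modulus=..." line so the compare is short
  kmod=$(openssl rsa -noout -modulus -in "$key" | openssl dgst -sha256)
  cmod=$(openssl x509 -noout -modulus -in "$cert" | openssl dgst -sha256)
  [ "$kmod" = "$cmod" ] || { echo "modulus mismatch"; rm -rf "$tmp"; return 1; }
  # 3. Encrypt with the certificate's public key, decrypt with the private key
  openssl x509 -in "$cert" -noout -pubkey > "$tmp/pub.pem"
  printf 'message test\n' > "$tmp/test.txt"          # constructed test input
  openssl pkeyutl -encrypt -pubin -inkey "$tmp/pub.pem" \
    -in "$tmp/test.txt" -out "$tmp/cipher.bin"
  openssl pkeyutl -decrypt -inkey "$key" \
    -in "$tmp/cipher.bin" -out "$tmp/plain.txt"
  cmp -s "$tmp/test.txt" "$tmp/plain.txt" \
    || { echo "round trip mismatch"; rm -rf "$tmp"; return 1; }
  # 4. Sign with the private key, verify with the extracted public key
  openssl dgst -sha256 -sign "$key" -out "$tmp/test.sig" "$tmp/test.txt"
  openssl dgst -sha256 -verify "$tmp/pub.pem" -signature "$tmp/test.sig" \
    "$tmp/test.txt" >/dev/null 2>&1 \
    || { echo "signature verify failed"; rm -rf "$tmp"; return 1; }
  rm -rf "$tmp"
  echo "key pair OK"
  return 0
}

# make_test_pair DIR -> DIR/good.key + DIR/good.crt (matching) and DIR/other.key (unrelated)
make_test_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/good.key" -out "$1/good.crt" \
    -subj "/CN=keypair-check-example" -days 1 >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/other.key" >/dev/null 2>&1
}
```

A mismatched pair is reported at the step that first fails, so the message tells you whether the key itself is damaged or merely belongs to a different certificate.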