> On Jan 11, 2018, at 10:28 AM, pratyush parimal <pratyush.parimal@xxxxxxxxx> wrote:
>
> After googling, it seems that I may be able to verify that by comparing the modulus
> from the key and the cert. Does anyone know if that's sufficient, and how to do it
> programmatically?

It may be useful to note that ECDSA keys don't have a modulus, that's RSA-specific,
so a more general approach is to compare public keys. A more broadly applicable
command-line test is:

    #! /bin/sh
    certfile=$1; shift
    keyfile=$1; shift

    # SHA-256 of the DER-encoded public key taken from the certificate
    certid=$(openssl x509 -in "$certfile" -noout -pubkey |
             openssl pkey -pubin -outform DER |
             openssl dgst -sha256 -binary |
             hexdump -ve '/1 "%02x"')

    # SHA-256 of the DER-encoded public key derived from the private key
    keyid=$(openssl pkey -in "$keyfile" -pubout -outform DER |
            openssl dgst -sha256 -binary |
            hexdump -ve '/1 "%02x"')

    if [ "$certid" != "$keyid" ]; then
        echo "Certificate in $certfile does not match key in $keyfile" >&2
        exit 1
    fi

Karl Denninger <karl@xxxxxxxxxxxxx> already explained how key/cert correspondence
can be checked when loading the key and cert into an SSL_CTX.

The certificate should have an appropriate keyUsage and/or extendedKeyUsage for
the purpose at hand (TLS Server Authentication?).

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
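The public-key comparison described in the reply, as an added example that is not code from the thread: it wraps the check in a function and exercises it against a constructed fixture (an EC P-256 key with its self-signed certificate, plus an unrelated EC key and an RSA key) to show that the same check works where a modulus comparison cannot. It assumes the openssl command-line tool is on PATH; the function names cert_matches_key and make_fixture are made up for this illustration, and the PEM strings are compared directly instead of hashing the DER.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is on PATH;
# the function names are made up for this illustration.
# The check compares SubjectPublicKeyInfo blocks, so it works for RSA, ECDSA
# and EdDSA keys alike, whereas a modulus comparison exists only for RSA.

# cert_matches_key CERTFILE KEYFILE
# Returns 0 when the certificate's public key equals the public key derived
# from the private key, 1 when they differ or either file cannot be parsed.
cert_matches_key() {
    cmk_certpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    cmk_keypub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cmk_certpub" ] && [ "$cmk_certpub" = "$cmk_keypub" ]
}

# make_fixture
# Creates a constructed test set in a fresh temporary directory and prints
# its path: an EC P-256 key with a matching self-signed certificate, plus
# an unrelated EC key and an unrelated RSA key that must not match.
make_fixture() {
    mf_dir=$(mktemp -d) || return 1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$mf_dir/ec.key" 2>/dev/null || return 1
    openssl req -new -x509 -key "$mf_dir/ec.key" -subj /CN=fixture -days 1 \
        -out "$mf_dir/ec.crt" 2>/dev/null || return 1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$mf_dir/other-ec.key" 2>/dev/null || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$mf_dir/rsa.key" 2>/dev/null || return 1
    echo "$mf_dir"
}

# Command-line use: check.sh CERTFILE KEYFILE
# With no arguments, run the self-check against the constructed fixture.
if [ $# -eq 2 ]; then
    if cert_matches_key "$1" "$2"; then
        echo "certificate $1 matches key $2"
    else
        echo "certificate $1 does NOT match key $2" >&2
        exit 1
    fi
elif [ $# -eq 0 ] && command -v openssl >/dev/null 2>&1; then
    d=$(make_fixture) || exit 1
    cert_matches_key "$d/ec.crt" "$d/ec.key"       && echo "ec.key:       match (expected)"
    cert_matches_key "$d/ec.crt" "$d/other-ec.key" || echo "other-ec.key: mismatch (expected)"
    cert_matches_key "$d/ec.crt" "$d/rsa.key"      || echo "rsa.key:      mismatch (expected)"
    rm -rf "$d"
fi
```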