Monday, September 02, 2013

Do My SSL Keys Match Up?

Recently, at my day job, we had an issue where the SSL certificate that we had in place for one of our URLs was expiring and needed renewing.  One of my colleagues had renewed the certificate, but did not have time to install it immediately.  So, on the day that it was expiring, we had to do a bit of scrambling to get it replaced on the server.

So, having been given this task, I logged on to the server and noticed that the public key, signing keys and private keys were all put into the same directory.  Cool, I don't have to figure out where to put them.  So, I downloaded the certificate bundle from our issuer and unzipped it.  It was then that I realized that the bundle only contained the public key and the signing certificate(s).  

So here I am, with the new key and no private key.  Plus, looking on our issuer's site, there was no way to tell what private key was used.  Thus began my quick search of the Googles to determine how to compare a public key with a private key to see if they are a pair.  

If you have manually created SSL certificates before, then you should already (hopefully) be familiar with the openssl software.  Thankfully, that software can also be used to pair up public and private keys.

In order to match up two keys, you need to get some output from the keys themselves.  On the certificate, which carries the public key, you want to run the following:

openssl x509 -noout -text -in cert.crt

You will then want to run the following on the private key that you suspect may match up:

openssl rsa -noout -text -in cert.key

As part of the output of both of those commands you will see a section called "Modulus", which looks something like this:

Modulus (4096 bit):
                    00:e4:86:e3:fb:49:07:1d:a6:11:df:3b:1f:d8:1b:
                    65:c8:97:06:28:fa:73:d2:bc:d2:05:94:b3:f3:0d:
                    69:6d:ae:fa:80:a5:4d:63:6f:bf:1e:62:67:fe:3d:
                    be:96:ab:17:25:87:b5:ac:04:15:70:20:e7:d3:0b:
                    e3:fe:99:53:eb:10:60:2e:48:a2:0d:00:de:9c:c4:
                    7c:79:f4:ff:66:e7:40:37:2a:4a:7c:93:8a:af:66:
                    17:f1:04:60:94:c7:62:86:83:e0:1f:28:b8:4d:8e:
                    dd:30:59:47:76:ba:b9:60:b5:a7:2a:af:1d:be:2c:
                    bb:1f:58:6d:56:f0:36:a4:72:f7:1b:9e:c9:f6:57:
                    99:e2:3d:3a:7b:db:9a:2d:50:47:3f:3e:15:27:5a:
                    b2:fe:84:4b:4d:68:a7:ca:32:6d:4c:59:1a:a4:74:
                    39:f0:f3:10:a8:fa:9f:de:cb:4f:c8:b1:86:24:aa:
                    01:48:32:8b:e9:06:1f:71:43:2d:64:1a:30:73:d3:
                    7c:9f:46:f9:17:59:1a:db:0b:fa:a3:49:b0:56:90:
                    e5:37:79:42:35:05:24:e5:82:80:59:4c:16:94:3f:
                    9c:d3:d3:f5:ea:03:87:d6:5f:c8:23:1a:08:9c:43:
                    78:be:7d:98:a0:e0:82:05:74:de:1a:bb:4a:2e:d6:
                    a3:cd:70:24:a3:5d:05:06:a6:28:2c:f8:75:2d:61:
                    34:28:a6:44:69:b6:f8:cc:ea:9d:f1:97:35:3c:cd:
                    46:b5:69:e6:7e:7d:a5:07:7d:cb:bc:98:d1:80:18:
                    f9:87:fa:d8:db:c7:42:4d:93:54:36:4b:83:45:0c:
                    79:b3:0f:1c:28:e1:f7:92:0b:56:86:f2:17:80:55:
                    fe:31:67:c9:31:5c:7b:87:d2:ea:ea:a8:38:0e:b1:
                    37:68:ef:a1:d1:be:a1:69:8e:37:45:bb:96:b7:9d:
                    27:1e:a9:d5:6a:be:36:a8:20:ae:ab:4f:5e:a1:40:
                    f6:92:57:17:ff:68:c6:9b:4e:ee:d1:2f:47:b9:9f:
                    9c:be:4b:21:ad:20:a7:12:38:89:2b:12:0e:62:cc:
                    44:65:e7:af:31:fe:ba:c7:e7:60:e3:cc:65:b2:91:
                    15:73:2c:d7:17:95:53:f9:d6:f8:6a:4c:3c:5a:62:
                    c7:5b:c9:2b:52:37:66:ec:56:be:4a:75:49:0b:9e:
                    32:a1:e3:62:0a:a3:de:3a:a5:00:03:d8:01:79:df:
                    9b:46:1f:44:a2:06:71:28:0d:8a:61:00:5c:7f:5a:
                    0c:37:c0:dd:dc:3b:80:a1:b7:ad:df:1d:08:fa:95:
                    f8:35:42:3f:4c:e6:8e:f3:94:12:d6:83:63:84:63:
                    89:bb:61 

What is really nice is that if they are the correct pair, the modulus of both keys will be identical.  To finish my anecdote regarding work, I got lucky and the first key that I chose (which was the private key previously used) ended up being a match, proving that the new key was generated using it by our provider.  
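Comparing two 4096-bit moduli by eye is error-prone, so here is the same check scripted, as an added example that is not part of the original post. It assumes unencrypted PEM RSA keys stored as *.key files in one directory; the function names and the throwaway demo certificate are made up for illustration.

```shell
#!/bin/sh
# Added example: find the RSA private key that pairs with a certificate
# by comparing moduli. All function names here are hypothetical.

# Print the "Modulus=..." line of a PEM certificate.
cert_modulus() { openssl x509 -noout -modulus -in "$1" 2>/dev/null; }

# Print the "Modulus=..." line of a PEM RSA private key.
key_modulus() { openssl rsa -noout -modulus -in "$1" 2>/dev/null; }

# Exit status 0 if certificate $1 and key $2 share a modulus, 1 otherwise.
keys_match() {
    c=$(cert_modulus "$1") || return 1
    k=$(key_modulus "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print the first *.key file in directory $2 that pairs with certificate $1.
find_matching_key() {
    for candidate in "$2"/*.key; do
        [ -f "$candidate" ] || continue
        if keys_match "$1" "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Constructed sample input: a throwaway self-signed certificate and two keys,
# only one of which (b.key) pairs with it. Prints the directory it created.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/a.key" 2048 2>/dev/null
    openssl genrsa -out "$d/b.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/b.key" -subj "/CN=demo.invalid" \
        -days 1 -out "$d/cert.crt" 2>/dev/null
    printf '%s\n' "$d"
}
```

Only RSA keys have a modulus, so this check does not apply to EC certificates and keys.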

I hope this has helped someone find their long lost matching keys.  

This work is licensed under a Creative Commons Attribution 3.0 License.