> On Jan 11, 2018, at 10:28 AM, pratyush parimal <pratyush.pari...@gmail.com> wrote:
> 
> After googling, it seems that I may be able to verify that by comparing the
> modulus from the key and the cert. Does anyone know if that's sufficient,
> and how to do it programmatically?

It may be useful to note that ECDSA keys don't have a modulus, that's
RSA-specific, so a more general approach is to compare public keys.  A more
broadly applicable command-line test is:

   #! /bin/sh
   certfile=$1; shift
   keyfile=$1; shift

   # SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo, as hex
   certid=$(openssl x509 -in "$certfile" -noout -pubkey |
            openssl pkey -pubin -outform DER |
            openssl dgst -sha256 -binary |
            hexdump -ve '/1 "%02x"')
   # The same digest, computed from the public half of the private key
   keyid=$(openssl pkey -in "$keyfile" -pubout -outform DER |
           openssl dgst -sha256 -binary |
           hexdump -ve '/1 "%02x"')
   if [ "$certid" != "$keyid" ]; then
      echo "Certificate in $certfile does not match key in $keyfile" >&2
      exit 1
   fi

Karl Denninger <k...@denninger.net> already explained how key/cert
correspondence can be checked when loading the key and cert into an SSL_CTX.

The certificate should have an appropriate keyUsage and/or
extendedKeyUsage for the purpose at hand (TLS Server Authentication?).

-- 
        Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
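As an added example (not code from the thread or from the OpenSSL project), the script below turns the same SubjectPublicKeyInfo-digest comparison into a reusable function, checks each openssl extraction on its own so that two unreadable files cannot both hash to the digest of empty input and falsely "match", and self-tests on throwaway RSA and EC keys it generates itself. It uses od instead of hexdump so it needs only POSIX tools plus the openssl binary; the file name check.sh and the key parameters are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: compare the SHA-256 of the
# DER SubjectPublicKeyInfo taken from a cert and from a private key (the
# same test for RSA and EC, no modulus involved), with a self-test on
# throwaway keys generated here (constructed test material only).
# Read a PEM public key on stdin, print SHA-256 of its DER form as hex.
spki_digest() {
    openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        od -An -v -tx1 | tr -d ' \n'
}

# Public key as PEM from a cert / from a private key. Checked separately,
# so two unreadable files cannot both hash to the empty-input digest.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout; }

# Exit 0 when the cert and key carry the same public key, 1 otherwise.
cert_matches_key() {
    cpem=$(pubkey_of_cert "$1" 2>/dev/null) || return 1
    kpem=$(pubkey_of_key "$2" 2>/dev/null) || return 1
    cid=$(printf '%s\n' "$cpem" | spki_digest)
    kid=$(printf '%s\n' "$kpem" | spki_digest)
    [ -n "$cid" ] && [ "$cid" = "$kid" ]
}

# Self-test: RSA and EC key pairs with self-signed certs; each cert must
# match only its own key. Returns 0 on success.
selftest() {
    t=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$t/rsa.key" 2>/dev/null || return 1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$t/ec.key" 2>/dev/null || return 1
    for a in rsa ec; do
        openssl req -new -x509 -key "$t/$a.key" -subj /CN=selftest \
            -days 1 -out "$t/$a.crt" 2>/dev/null || return 1
    done
    cert_matches_key "$t/rsa.crt" "$t/rsa.key" || return 1
    cert_matches_key "$t/ec.crt" "$t/ec.key" || return 1
    cert_matches_key "$t/rsa.crt" "$t/ec.key" && return 1  # must differ
    rm -rf "$t"
}

# Usage: sh check.sh cert.pem key.pem; with no arguments run the self-test.
if [ $# -eq 2 ]; then
    cert_matches_key "$1" "$2" && echo match || { echo MISMATCH >&2; exit 1; }
elif [ $# -eq 0 ]; then
    selftest && echo "self-test passed" || { echo "self-test FAILED" >&2; exit 1; }
fi
```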