Re: Verifying that a private key and certificate match

2007-02-19 Thread Goetz Babin-Ebell

Julius Davies wrote:
> RSA keypair, right?  If so, compare that the modulus of both the
> certificate and the private key is equal.  These two commands do the
> trick:
> 
> openssl x509 -in cert.pem -modulus -noout
> 
> openssl rsa -in rsa.pem -modulus -noout
> 
> 
> If on Unix, I imagine you can do this (ahhh... the glorious back-tick!):
> 
> TEST1=`openssl x509 -in cert.pem -modulus -noout`
> TEST2=`openssl rsa -in rsa.pem -modulus -noout`
> if [ "$TEST1" = "$TEST2" ]; then echo 'equal'; else echo 'not equal'; fi;
> 
> (Is it okay to only check the modulus?  The public exponent can be
> ignored?  Is it always "Exponent: 65537 (0x10001)"?)
No.
You must compare modulus and exponent for an RSA key...

Bye

Goetz
__
OpenSSL Project                     http://www.openssl.org
User Support Mailing List           openssl-users@openssl.org
Automated List Manager              [EMAIL PROTECTED]


Re: Verifying that a private key and certificate match

2007-02-19 Thread Keith Thompson
On Mon 07-02-19 16:11, Julius Davies wrote:
> RSA keypair, right?  If so, compare that the modulus of both the
> certificate and the private key is equal.  These two commands do the
> trick:
> 
> openssl x509 -in cert.pem -modulus -noout
> 
> openssl rsa -in rsa.pem -modulus -noout
> 
> 
> If on Unix, I imagine you can do this (ahhh... the glorious back-tick!):
> 
> TEST1=`openssl x509 -in cert.pem -modulus -noout`
> TEST2=`openssl rsa -in rsa.pem -modulus -noout`
> if [ "$TEST1" = "$TEST2" ]; then echo 'equal'; else echo 'not equal'; fi;

Be careful about doing this as part of an automated process.  If both
commands encounter errors, they'll print error messages on stderr,
and $TEST1 and $TEST2 will both be empty (and therefore equal).

You can redirect stderr to a file or to /dev/null, and check the
value of $? after each command.

> (Is it okay to only check the modulus?  The public exponent can be
> ignored?  Is it always "Exponent: 65537 (0x10001)"?)

I don't know.

-- 
Keith Thompson <[EMAIL PROTECTED]>  San Diego Supercomputer Center
  858-822-0853
We must do something.  This is something.  Therefore, we must do this.
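
A fail-closed form of the check discussed in this thread, as an added example that is not from any of the posters: it compares the whole public key (so modulus and exponent are both covered) and reports an error instead of 'equal' when either openssl command fails. The function name match_key_cert and its exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): compare the public key of an RSA
# private key with the public key in a certificate, failing closed.
# match_key_cert and its exit codes are names chosen for this example.
#
# Exit status: 0 = match, 1 = mismatch, 2 = openssl failed or empty output

match_key_cert() {
    cert=$1
    key=$2

    # -pubkey prints the certificate's SubjectPublicKeyInfo in PEM form,
    # which carries both the modulus and the public exponent.
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 2

    # -pubout derives the same structure from the private key.
    # (An encrypted key makes openssl ask for its passphrase here.)
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null) || return 2

    # Never let two empty strings count as "equal".
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2

    [ "$cert_pub" = "$key_pub" ] && return 0
    return 1
}

# Run as a script: ./match.sh cert.pem rsa.pem
if [ "$#" -eq 2 ]; then
    rc=0
    match_key_cert "$1" "$2" || rc=$?
    case $rc in
        0) echo 'equal' ;;
        1) echo 'not equal' ;;
        *) echo 'error: could not read key or certificate' >&2 ;;
    esac
    exit "$rc"
fi
```

An automated caller should branch on the exit status rather than on the printed text, so that a read or parse failure is never mistaken for a match.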


Re: Verifying that a private key and certificate match

2007-02-19 Thread Julius Davies

RSA keypair, right?  If so, compare that the modulus of both the
certificate and the private key is equal.  These two commands do the
trick:

openssl x509 -in cert.pem -modulus -noout

openssl rsa -in rsa.pem -modulus -noout


If on Unix, I imagine you can do this (ahhh... the glorious back-tick!):

TEST1=`openssl x509 -in cert.pem -modulus -noout`
TEST2=`openssl rsa -in rsa.pem -modulus -noout`
if [ "$TEST1" = "$TEST2" ]; then echo 'equal'; else echo 'not equal'; fi;


(Is it okay to only check the modulus?  The public exponent can be
ignored?  Is it always "Exponent: 65537 (0x10001)"?)


yours,

Julius


On 2/19/07, Mark H. Wood <[EMAIL PROTECTED]> wrote:

> Is there a built-in command in the openssl utility which can verify
> that a private key and a certificate represent a valid keypair?  Or is
> there some simple way to determine this using other built-in commands?
>
> --
> Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
> Typically when a software vendor says that a product is "intuitive" he
> means the exact opposite.

--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/


Verifying that a private key and certificate match

2007-02-19 Thread Mark H. Wood
Is there a built-in command in the openssl utility which can verify
that a private key and a certificate represent a valid keypair?  Or is
there some simple way to determine this using other built-in commands?

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.


