How to find out if an OpenSSL certificate was created by a certain private key?

I have an OpenSSL certificate. I also need the private key. I was told it is located somewhere on the server, and true enough, I found multiple SSL key files.

Before I try them all by brute force: Is there a way I can find out in the terminal if a private key was used to create the certificate?


Solution 1:

The classic reference for this is this FAQ in the online Apache docs.

In that document, an md5 of the modulus is used because

As the public exponent is usually 65537 and it's difficult to visually check that the long modulus numbers are the same, you can use the following approach

This gives:

$ openssl rsa -noout -modulus -in key.pem.decrypted | openssl md5
(stdin)= 9fxxfoobar558d9xx0045a89467d2bxx

$ openssl x509 -noout -modulus -in crt.pem | openssl md5
(stdin)= 9fxxfoobar558d9xx0045a89467d2bxx

I'm proposing the use of process substitution to avoid visual comparison of the modulus:

$ diff \
    <(openssl x509 -noout -modulus -in cert.pem) \
    <(openssl rsa -noout -modulus -in key.pem.decrypted)

If the output is empty, the private key matches the certificate.

This is just a more convenient way to compare the strings than the one in Andrew Schulman's answer, which is, of course, also valid.

Another reference here.

Solution 2:

To check that a certificate file certifies the public key associated with a given private key file, compare the public keys associated with each:

openssl rsa -in KEYFILE -pubout
openssl x509 -in CERTFILE -pubkey -noout

The certificate and private key are matched if and only if the public keys are identical.
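As an added example that is not part of either answer above, the following POSIX shell script performs the public-key comparison of Solution 2 without any visual inspection, and generalises it to non-RSA keys by using `openssl pkey` instead of `openssl rsa` (the `-modulus` comparison of Solution 1 only exists for RSA). The function names, the fixture files and the directory scan are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the answers above: decide whether a private key file
# belongs to a certificate by comparing the SubjectPublicKeyInfo that openssl
# derives from each. `openssl pkey` (rather than `openssl rsa`) also handles EC
# and Ed25519 keys, where the -modulus trick of Solution 1 is not available.
set -u

# 0 = key matches cert, 1 = no match, 2 = openssl could not read one of the files.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Print every regular file in DIR whose private key matches CERTFILE
# (the "several key files lying around on the server" situation from the question).
find_matching_keys() {
    certfile=$1; dir=$2
    for f in "$dir"/*; do
        [ -f "$f" ] && key_matches_cert "$f" "$certfile" && printf '%s\n' "$f"
    done
    return 0
}

# Constructed fixture in DIR: a.key signs a self-signed cert.pem; b.key (EC) is unrelated.
make_fixture() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/a.key" 2>/dev/null &&
    openssl req -new -x509 -key "$1/a.key" -subj '/CN=example.test' -days 1 \
        -out "$1/cert.pem" 2>/dev/null &&
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1/b.key" 2>/dev/null
}

# Usage: sh check_key.sh KEYFILE CERTFILE
if [ $# -eq 2 ]; then
    rc=0
    key_matches_cert "$1" "$2" || rc=$?
    case $rc in
        0) echo "match" ;;
        1) echo "no match" ;;
        *) echo "could not read key or certificate" ;;
    esac
fi
```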