Certificates: Determining that the public keys match for the private key, certificate signing request, and certificate files.


Do you have a number of certificates, private keys and CSRs that all appear to be for the same service, but you're not sure which files tie together?

Maybe you've had a few attempts at creating the certificate, or maybe you've been provided a number of different files from a vendor. Or maybe you have a replacement certificate from a vendor and want to confirm that the key pair hasn't changed.

To establish the answer, you can compare the public key hash for each. You can use the following OpenSSL commands to compare the hashes.

To verify the public keys match, you need to extract the public key from each file and generate a hash output for it.

All three files must share the same public key and therefore the same hashed value.

Use the following three commands to generate a hash of each file's public key. You should run them one after the other:
openssl x509 -pubkey -in certificate.crt -noout | openssl sha256
openssl pkey -pubout -in private.key | openssl sha256
openssl req -pubkey -in request.csr -noout | openssl sha256

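Each command will output (stdin)= followed by a string of hexadecimal characters, which is the SHA-256 hash of the public key. Some OpenSSL versions put the digest name in front, for example SHA2-256(stdin)=.
If the output of all three commands matches, then the public keys for each file are the same.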

However, if there is any mismatch, then the keys are not the same and the associated files are not correct for each other.
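The same three commands wrapped into a script that sorts a pile of PEM files by public key hash, so files belonging to the same key pair end up next to each other. This is an added example, not part of the original post: the function names, the --demo flag and the throwaway example.test files are illustrative assumptions, and it assumes PEM-encoded files and unencrypted private keys.

```shell
#!/bin/sh
# Added example: group PEM files by the SHA-256 of their public key.

# pubkey_hash FILE: print the hash for a certificate, CSR or unencrypted
# private key, chosen by PEM header; return 1 if the file is none of these.
pubkey_hash() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        pub=$(openssl x509 -pubkey -noout -in "$1" 2>/dev/null) || return 1
    elif grep -q -e 'BEGIN .*CERTIFICATE REQUEST-----' "$1"; then
        pub=$(openssl req -pubkey -noout -in "$1" 2>/dev/null) || return 1
    elif grep -q -e 'BEGIN .*PRIVATE KEY-----' "$1"; then
        # "-passin pass:" stops openssl prompting if the key is encrypted
        pub=$(openssl pkey -pubout -passin pass: -in "$1" 2>/dev/null) || return 1
    else
        return 1
    fi
    # $NF copes with both "(stdin)= HASH" and "SHA2-256(stdin)= HASH"
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# group_by_pubkey FILE...: print "HASH  FILE" lines, sorted so files sharing a
# key pair are adjacent; files that cannot be parsed are listed as UNKNOWN.
group_by_pubkey() {
    for f in "$@"; do
        h=$(pubkey_hash "$f") || h=UNKNOWN
        printf '%s  %s\n' "$h" "$f"
    done | sort
}

# all_match FILE...: succeed only if every file yields the same public key hash.
all_match() {
    hashes=$(group_by_pubkey "$@" | awk '{print $1}' | sort -u)
    [ "$hashes" != UNKNOWN ] && [ "$(printf '%s\n' "$hashes" | wc -l)" -eq 1 ]
}

# make_samples DIR: constructed sample files (throwaway keys, CN=example.test).
make_samples() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/private.key" 2>/dev/null
    openssl req -new -key "$1/private.key" -subj /CN=example.test -out "$1/request.csr" 2>/dev/null
    openssl req -new -x509 -key "$1/private.key" -subj /CN=example.test -days 1 -out "$1/certificate.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/other.key" 2>/dev/null
}

case ${1-} in
    '')     ;;  # no arguments: only define the functions
    --demo) d=$(mktemp -d); make_samples "$d"; group_by_pubkey "$d"/*; rm -rf "$d" ;;
    *)      group_by_pubkey "$@" ;;
esac
```

Run it with the files in question as arguments, or with --demo to see the output on generated samples, where other.key lands under a different hash from the other three files.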


Commands not recognised?

Running Windows? You probably don't have OpenSSL installed and added to your PATH.

After installing OpenSSL for Windows, you can run the “OpenSSL Command Prompt” application to run OpenSSL commands.

To use openssl across all cmd.exe and PowerShell windows instead, you will need to modify your PATH environment variable under Advanced System Settings (Windows Desktop or Server):

Advanced System Settings > Advanced > Environment Variables > PATH > Edit... > Add the OpenSSL installation directory > OK.


Ryan Drake
Infrastructure Insider - Editor-in-Chief

Copyright 2023, All Rights Reserved.

