Determine if private key belongs to certificate?

I'm going to assume you have ssl.crt and ssl.key in your current directory.

If you want to see what's in your certificate it's

# openssl x509 -in ssl.crt -text -noout

Two of the things in here will be the RSA public Key's Modulus and Exponent (in hex).

If you want to see what's in your private key it's

# openssl rsa -in ssl.key -text -noout

Note the public key is usually in there (at the very least the modulus is required to be in there for the private key to work, and the public exponent is usually 65537 or 3). So you can simply check if the modulus and public exponent match. Granted, if you want to check that the private key is actually valid (that is d and e are valid RSA exponents for the modulus m), you would need to run 

# openssl rsa -check -in ssl.key -noout

EDIT (2018): Please note if you are checking that a private key coming from an untrusted source corresponds with a certificate, you MUST CHECK that the private key is valid. See here for an example where not checking the validity of a "leaked" private key lead to a CA improperly revoking a certificate. You may skip this step if you know you validly generated the keypair.

Now you can simply generate the public key from both the certificate and the private key and then use diff to check that they don't differ:

# openssl x509 -in ssl.crt -pubkey -noout > from_crt.pub
# openssl rsa -in ssl.key -pubout > from_key.pub
# diff from_crt.pub from_key.pub

Or as a one liner that doesn't create files (using process substitution):

# diff  <(openssl x509 -in ssl.crt -pubkey -noout) <(openssl rsa -in ssl.key -pubout)

If the keys match, diff shouldn't return anything. (You probably will see "writing RSA key" output to stderr from the second command).

Note your webserver probably would loudly complain if the certificate and private key didn't match. E.g., with nginx using the wrong key (same size, same public exponent, but last year's key) for the certificate nginx is using:

# sudo /etc/init.d/nginx restart
* Restarting nginx nginx                                                                                         
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/private/wrong_key.key") failed 
(SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

The accepted answer is correct, but it only works for RSA keys.

At least since openssl 1.1.1 it is possible to test validity of all types of private keys and here's a one-liner that works for all sorts of keys that openssl supports

 cmp <(openssl x509 -pubkey -in certificate.pem -noout) <(openssl pkey -check -pubout -in private-key.pem -outform PEM)

It will return 'true' if and only if the private key matches the public key in the certificate.

Tags:

Openssl

Cryptography

X.509

Related

PHP files browsable: is this a vulnerability? SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate? Can "cat-ing" a file be a potential security risk? SSH: benefits of using hashed known_hosts Does the ARM TrustZone technology support sealing a private key under a code hash? What security mechanisms are used in BGP and why do they fail? How many Stack Exchange logins should I have? How does SFTP function without a manually generated public/private key pair nginx - How to prevent processing requests with undefined server names with HTTPS Is Google Chrome Extension access to SSL certificate validation output possible? Is it possible to use SSH agent for generic data encryption? Can anyone DDOS my server with jmeter? Do they need a powerful server for that?

Recent Posts