How to verify compliance of a private key with the SSL certificate and CSR

If you work with multiple SSL certificates, you may encounter the following problem: it is not clear which certificate corresponds to a particular private key.

The same is true for CSR - it is not always clear which CSR corresponds to a particular private key.

You may also encounter the following error: "Private Key and the Certificate do not match". There may be other errors when trying to install a certificate on the server.

Note: The SSL certificate can be installed on the server ONLY with the private key that was generated during the corresponding CSR request when ordering the certificate. If the private key does not match the certificate, then in this case you will not be able to install the certificate on the server. The control panel will display an error about the mismatch of the key/certificate pair.

This rule has been established by the SSL industry to ensure security and prevent the issuance of fake certificates.

How to verify compliance of SSL certificates with their CSR and private keys

Checking the compliance of SSL certificates with their CSRs and private keys is easy using OpenSSL commands.

Display the modulus values (modulus are internal data stored in the CSR, SSL certificate and private key) for the private key, CSR and SSL certificate, and then convert them into md5 hashes so that they can be compared.

The command to display the SSL certificate modulus:

$ openssl x509 -noout -modulus -in ssl_certificate.crt | openssl md5

The command to display the private key modulus:

$ openssl rsa -noout -modulus -in private.key | openssl md5

Command to display the CSR modulus:

$ openssl req -noout -modulus -in csr_request.csr | openssl md5

If the values of the modulus are identical, then the certificate, private key and CSR correspond to each other.