other useful openssl commands
generate a new key and a csr
openssl req -sha256 -out my.csr -new -newkey rsa:2048 -nodes -keyout my.key
generate csr from existing key
openssl req -sha256 -out my.csr -key my.key -new
extract the information from a certificate
openssl x509 -text -in cert.pem
extract the information from a csr
openssl req -in my.csr -noout -text
The private key contains a series of numbers. Two of those numbers form the "public key"; the others are part of your "private key". The "public key" bits are also embedded in your certificate (we get them from your CSR). To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers. To view the certificate and the key, run the commands:
This example is for Ed25519; replace "pkey" with "rsa" if you use an RSA key.
openssl x509 -noout -text -in server.pem
openssl pkey -noout -text -in server.key
The "modulus" and "public exponent" portions in the key and the certificate must match. But since the public exponent is usually 65537 and comparing long moduli by eye is tedious, you can use the following approach (only works with an RSA key):
openssl x509 -noout -modulus -in server.pem | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
If you want to check which key or certificate a particular CSR belongs to, you can compute (only works with an RSA key):
openssl req -noout -modulus -in server.csr
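The modulus comparison above only works for RSA keys. As an added example (not part of the original page), the following POSIX shell script compares the whole public key of a key, certificate or CSR instead, so it also covers EC and Ed25519 keys; the helper names pub_fp and same_key are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original page). pub_fp and same_key are
# hypothetical helper names. Compares public keys by SHA-256 fingerprint
# of the DER-encoded SubjectPublicKeyInfo, so it is not limited to RSA.

# pub_fp TYPE FILE -> prints the hex fingerprint; TYPE is key, cert or csr
pub_fp() (
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey) ;;
        *)    echo "usage: pub_fp key|cert|csr FILE" >&2; exit 2 ;;
    esac || exit 1
    # An empty result must never be hashed: two failures would "match".
    [ -n "$pem" ] || exit 1
    # Re-encode to DER so PEM formatting differences cannot affect the hash.
    printf '%s\n' "$pem" |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
)

# same_key TYPE1 FILE1 TYPE2 FILE2 -> exit 0 if both hold the same public key,
# 1 if they differ, 2 if either file could not be read.
same_key() (
    a=$(pub_fp "$1" "$2") || exit 2
    b=$(pub_fp "$3" "$4") || exit 2
    [ "$a" = "$b" ]
)

# Stand-alone use: sh keymatch.sh key server.key cert server.pem
if [ "$#" -eq 4 ]; then
    if same_key "$@"; then echo "match"; else echo "MISMATCH"; fi
fi
```
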