To check whether an ECDSA private key matches a certificate with OpenSSL, extract the public key from each and confirm that the two are identical.
1. Extract the public key from the private key
Run the following command to extract the public key from the private key file:
openssl ec -in private_key.pem -pubout -out public_key.pem
2. Extract the public key from the certificate
Run the following command to extract the public key from the certificate file. The key is printed to standard output, so redirect it to a file:
openssl x509 -in certificate.pem -pubkey -noout > cert_public_key.pem
3. Compare the two public keys
Use the diff command to compare the extracted public keys:
diff public_key.pem cert_public_key.pem
- If the output is empty, the keys match.
- If there are differences, the private key does not match the certificate.
Alternative: Direct Match Verification
You can also compare digests of the two public keys without writing intermediate files. The -modulus option often shown for this check applies only to RSA keys, and openssl ec has no such option, so for ECDSA hash the public key itself:
openssl x509 -noout -pubkey -in certificate.pem | openssl sha256
openssl ec -pubout -in private_key.pem | openssl sha256
If the output hashes match, the private key and certificate pair correctly.
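
The three-step comparison above as a single shell function, added here as an example and not part of the original page. It goes one step further by signing a constructed challenge with the private key and verifying it against the certificate's public key. The function name key_matches_cert and the file names are assumptions, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example (not from the original page): ECDSA key/certificate match check.
# key_matches_cert is a hypothetical helper name; file names are placeholders.
# Returns 0 = match, 1 = mismatch, 2 = input could not be parsed as EC key/cert.
# Assumes an unencrypted private key.
key_matches_cert() {
    key=$1; cert=$2; rc=0
    tmp=$(mktemp -d) || return 2

    # Export both public keys as DER so the comparison is byte-exact and
    # independent of PEM line wrapping or trailing whitespace.
    if openssl ec -in "$key" -pubout -outform DER -out "$tmp/key.der" 2>/dev/null &&
       openssl x509 -in "$cert" -noout -pubkey > "$tmp/cert_pub.pem" 2>/dev/null &&
       openssl ec -pubin -in "$tmp/cert_pub.pem" -pubout -outform DER \
               -out "$tmp/cert.der" 2>/dev/null
    then
        cmp -s "$tmp/key.der" "$tmp/cert.der" || rc=1

        # Round trip: a signature made with the private key must verify under
        # the certificate's public key.
        if [ "$rc" -eq 0 ]; then
            printf 'constructed challenge' > "$tmp/msg"
            openssl dgst -sha256 -sign "$key" -out "$tmp/sig" "$tmp/msg" 2>/dev/null &&
            openssl dgst -sha256 -verify "$tmp/cert_pub.pem" -signature "$tmp/sig" \
                    "$tmp/msg" >/dev/null 2>&1 || rc=1
        fi
    else
        rc=2
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Command-line use: sh check.sh private_key.pem certificate.pem
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "match"
    else
        echo "no match or unreadable input"
    fi
fi
```

A return code of 2 also covers a non-EC key or certificate, since openssl ec refuses to load it.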