Check if a certificate matches the CSR that was sent for signing.
When we generate a CSR (Certificate Signing Request) and send it to be signed by a trusted entity, we must wait to receive the certificate to enter it into our system and configure it. Once the certificate arrives, we must validate if it is indeed the correct certificate, that is, it was generated based on our CSR.
Step 1: Obtain the public key
The first thing is to verify if we have access to the private key or only have access to the public part that generated the CSR. If for any reason you want to send the public part to a colleague for verification, you will need to execute the following command to generate it.
openssl rsa -in private_key.pem -pubout > public_key.pem
Step 2: Obtain the MD5 hash of the key
To obtain this hash, we can use the following command on the public key obtained above.
openssl pkey -pubin -in public_key.pem -pubout -outform pem | openssl md5If you have direct access to the private key, you could use the following command.
openssl pkey -in private_key.pem -pubout -outform pem | openssl md5We will get a result like the following:
2c2dac216dfb0b4e4304941e461f5714Step 3: Obtain the MD5 hash of the certificate or chain of certificates
To obtain this hash, we can use the following command on the certificate or chain of certificates to be validated.
openssl x509 -in certificate.pem -pubkey -noout -outform pem | openssl md5We will get a result like the following:
2c2dac216dfb0b4e4304941e461f5714Step 4: Verify the hash match
If the hash turns out to be the same for both the public key and the certificate, it means that the certificate was generated for a CSR created by that key.