If you workwith multiple SSL certificates, you may encounter the following problem: it isnot clear which certificate corresponds to a particular private key.
The same istrue for CSR - it is not always clear which CSR corresponds to a particularprivate key.
You mayalso encounter the following error: "Private Key and the Certificate donot match". There may be other errors when trying to install a certificateon the server.
Note: TheSSL certificate can be installed on the server ONLY with the private key thatwas generated during the corresponding CSR request when ordering thecertificate. If the private key does not match the certificate, then in thiscase you will not be able to install the certificate on the server. The controlpanel will display an error about the mismatch of the key/certificate pair.
This rulehas been established by the SSL industry to ensure security and prevent theissuance of fake certificates.
How to verifycompliance of SSL certificates with their CSR and private keys
Checkingthe compliance of SSL certificates with their CSRs and private keys is easyusing OpenSSL commands.
Display themodulus values (modulus are internal data stored in the CSR, SSL certificateand private key) for the private key, CSR and SSL certificate, and then convertthem into md5 hashes so that they can be compared.
The commandto display the SSL certificate modulus:
$ opensslx509 -noout -modulus -in ssl_certificate.crt | openssl md5
The commandto display the private key modulus:
$ opensslrsa -noout -modulus -in private.key | openssl md5
Command to displaythe CSR modulus:
$ opensslreq -noout -modulus -in csr_request.csr | openssl md5
If the valuesof the modulus are identical, then the certificate, private key and CSRcorrespond to each other.
