Verify the Integrity of an SSL/TLS certificate and Private Key Pair (2024)

It's a three-part process to confirm the integrity of a key pair:

  1. Verify the integrity of a private key - that it has not been tampered with.
  2. Verify the modulus of both private and public key match.
  3. Successfully perform encryption with the public key from the certificate and decryption with the private key.
  4. Confirm the integrity of the file which is signed with the private key.

Use OpenSSL to confirm the Private Key's Integrity

openssl rsa -in [key-file.key] -check -noout

Example of a private key that does not meet the integrity:

Some other errors that can be received from tampering/forging a key:

  • RSA key error: p not prime
  • RSA key error: n does not equal p q
  • RSA key error: d e not congruent to 1
  • RSA key error: dmp1 not congruent to d
  • RSA key error: iqmp not inverse of q

If you received any of the above errors, then your private key has been manipulated and may not work with your public key. Consider creating a new private key and requesting a replacement certificate.

Example of a private key that meets the integrity:

The above indicates a clean private key; proceed to the next step of comparing the modulus.

Confirm the Modulus Value Matching with Private Key and SSL/TLS certificate Key Pair

Note: The modulus of the private key and certificate must match exactly.

To view the certificate Modulus:
openssl x509 -noout -modulus -in [certificate-file.cer]


To view the private key Modulus:
openssl rsa -noout -modulus -in [key-file.key]


Perform Encryption with Public Key from certificate and Decryption with Private Key

  1. Get the public key from the certificate
    openssl x509 -in [certificate-file.cer] -noout -pubkey > certificatefile.pub.cer
    Example content of public key certificatefile.pub.cer file:

  2. Encrypt test.txt file content using the public key
    Create a new file called test.txt with the content "message test". Perform the following command to create an encrypted message in the cipher.txt file.

    openssl pkeyutl -encrypt -in test.txt -pubin -inkey certificatefile.pub.cer -out cipher.txt

    Example output of cipher.txt:

  3. Decrypt from cipher.txt using the private key
    Perform the following command to decrypt cipher.txt content.
    openssl pkeyutl -decrypt -in cipher.txt -inkey [key-file.key]
    Confirm that you are able to decrypt your cipher.txt file content to your terminal.
    Make sure that the output from the terminal matches the content of the test.txt file.
    If the content does not match, then the private key has been manipulated and may not work with your public key. Consider creating a new private key and requesting a replacement certificate.

    Example output of successful decrypted message:

  4. Confirm the integrity of a file which is signed with the private key
    Perform the following command to sign the test.txt file with your private key; the signature is written to test.sig.
    openssl dgst -sha256 -sign [key-file.key] -out test.sig test.txt
    Verify the signed file with the public key that was extracted in step 1 (Get the public key from the certificate).
    openssl dgst -sha256 -verify certificatefile.pub.cer -signature test.sig test.txt
    Make sure that the output from the terminal looks like the example below.

    An example that meets the integrity:

    If you receive the below message, then your private key has been manipulated and may not work with your public key. Consider creating a new private key and requesting a replacement certificate.

    An example that does not meet the integrity:

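The four checks above chained into one script, as an added example that is not part of the original article. The function names (run_checks, check_pair, make_sample), the scratch file names and the sample key and certificate are assumptions made for illustration; the sample material is constructed and throwaway.

```shell
#!/bin/sh
# Added example: the page's four checks, run in order against one cert/key pair.
# Function names and temp-file names are illustrative, not from the article.

# run_checks CERT KEY WORKDIR -> 0, or the number of the first failing check
run_checks() {
    cert=$1; key=$2; w=$3
    # 1. Consistency: accept only the literal "RSA key ok" line.
    openssl rsa -in "$key" -check -noout 2>/dev/null |
        grep -q '^RSA key ok' || return 1
    # 2. Modulus of certificate and private key must match exactly.
    cm=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || return 2
    km=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 2
    [ -n "$cm" ] && [ "$cm" = "$km" ] || return 2
    # 3. Encrypt with the certificate's public key, decrypt with the private key.
    openssl x509 -in "$cert" -noout -pubkey > "$w/pub.pem" || return 3
    printf 'message test\n' > "$w/test.txt"
    openssl pkeyutl -encrypt -in "$w/test.txt" -pubin -inkey "$w/pub.pem" \
        -out "$w/cipher.txt" 2>/dev/null || return 3
    openssl pkeyutl -decrypt -in "$w/cipher.txt" -inkey "$key" \
        -out "$w/plain.txt" 2>/dev/null || return 3
    cmp -s "$w/test.txt" "$w/plain.txt" || return 3
    # 4. Sign with the private key, verify with the certificate's public key.
    openssl dgst -sha256 -sign "$key" -out "$w/test.sig" "$w/test.txt" \
        2>/dev/null || return 4
    openssl dgst -sha256 -verify "$w/pub.pem" -signature "$w/test.sig" \
        "$w/test.txt" >/dev/null 2>&1 || return 4
}

# check_pair CERT KEY: run_checks in a private scratch directory, then clean up.
check_pair() {
    scratch=$(mktemp -d) || return 9
    rc=0; run_checks "$1" "$2" "$scratch" || rc=$?
    rm -rf "$scratch"
    return "$rc"
}

# make_sample DIR: constructed throwaway inputs (a.cer + matching a.key, and an
# unrelated b.key) so the script can be tried without touching real keys.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" -days 1 \
        -keyout "$1/a.key" -out "$1/a.cer" 2>/dev/null &&
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null
}

# Direct use: sh check_pair.sh CERT KEY
if [ "$#" -eq 2 ]; then
    rc=0; check_pair "$1" "$2" || rc=$?
    echo "first failing check: $rc (0 means the pair is consistent)"
fi
```

A valid key that belongs to a different certificate passes check 1 and stops at check 2, which is why the modulus comparison is needed in addition to the consistency check.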

FAQs

Verify the Integrity of an SSL/TLS certificate and Private Key Pair? ›

To verify that an RSA private key matches the RSA public key in a certificate you need to i) verify the consistency of the private key and ii) compare the modulus of the public key in the certificate against the modulus of the private key. If it doesn't say 'RSA key ok', it isn't OK!

How to validate SSL certificate and private key? ›

To verify that an RSA private key matches the RSA public key in a certificate you need to i) verify the consistency of the private key and ii) compare the modulus of the public key in the certificate against the modulus of the private key. If it doesn't say 'RSA key ok', it isn't OK!

How to verify TLS certificate? ›

Go to a site where TLS inspection is applied by your web filter. Verify the building icon is in the address bar. Click it to see details about permissions and the connection. (Optional) To see details about the certificate, click Certificate information.

How do I know if my SSL certificate is trusted? ›

To check an SSL certificate on any website, all you need to do is follow two simple steps.
  1. First, check if the URL of the website begins with HTTPS, where S indicates it has an SSL certificate.
  2. Second, click on the padlock icon on the address bar to check all the detailed information related to the certificate.

Which method can be used to verify the authenticity of an SSL certificate? ›

SSL verification follows a specific process and involves several steps. Firstly, the browser checks if the SSL certificate is valid and has not expired. It then verifies the digital signature of the certificate using the public key of the certificate authority (CA) that issued it.

How do I match my SSL certificate and key? ›

You can verify the SSL Certificate information by comparing either with CSR or Private Key. To match SSL with CSR, select CSR file option. Now copy the encrypted data of SSL certificate & CSR & add them into their respective box and press Check button. To match SSL with Private Key, select the Private Key option.

How do I make my SSL certificate valid? ›

For an SSL certificate to be valid, domains need to obtain it from a certificate authority (CA). A CA is an outside organization, a trusted third party, that generates and gives out SSL certificates. The CA will also digitally sign the certificate with their own private key, allowing client devices to verify it.

How do I check my TLS and SSL settings? ›

Click Start or press the Windows key. In the Start menu, either in the Run box or the Search box, type regedit and press Enter. The Registry Editor window should open and look similar to the example shown below. Check the subkeys for each SSL/TLS version for both server and client.

Why is my TLS certificate unable to validate? ›

Reasons of Invalid TLS/SSL Certificate Error

One of the most common reasons behind a TLS/SSL error is misconfiguration of your certificate during installation. If you have made any mistake during the certificate's installation, there is no way for the browser to verify your business identity properly.

How to verify a certificate is valid? ›

Chrome:
  1. Enter the URL of the website you want to check in your browser's address bar and press Enter.
  2. Click on the padlock icon in the address bar.
  3. Click on Connection is secure.
  4. Click on Certificate is valid to open the Certificate Viewer.

How do I authenticate an SSL certificate? ›

With SSL, authentication is performed by an exchange of certificates, which are blocks of data in a format described in ITU-T standard X.509. The X.509 certificates are issued and digitally signed by an external authority known as a certificate authority.

How do I get a verified SSL certificate? ›

How to Get an SSL Certificate
  1. Verify the website's information through ICANN Lookup.
  2. Generate the Certificate Signing Request (CSR).
  3. Submit the CSR to the Certificate authority to validate the domain.
  4. Install the certificate on the website.

How can I verify SSL certificates on the command line? ›

In the command line, enter openssl s_client -connect <hostname>:<port>. This opens an SSL connection to the specified hostname and port and prints the SSL certificate. Check the availability of the domain from the connection results.

How to verify SSL certificate with private key? ›

It's a three-part process to confirm the integrity of a key pair:
  1. Verify the integrity of a private key - that has not been tampered with.
  2. Verify the modulus of both private and public key match.
  3. Successfully perform encryption with the public key from the certificate and decryption with the private key.

How to check TLS certificate? ›

Here's how to do it.
  1. Open Chrome Developer Tools. The quickest way there is with a keyboard shortcut. Windows and Linux: Ctrl + Shift + i or F12. Mac: ⌘ + Option + i. ...
  2. Select the Security tab. If it is not shown, select the >> as shown below.
  3. Select View Certificate.

How are TLS certificates verified? ›

Authentication. The server sends the public key in the SSL/TLS certificate to the browser. The browser verifies the certificate from a trusted third party. Hence, it can verify that the web server is who it claims to be.

How do you tell if a certificate includes a private key? ›

Click Domains > your domain > SSL/TLS Certificates. You'll see a page like the one shown below. The key icon with the message “Private key part supplied” means there is a matching key on your server. To get it in plain text format, click the name and scroll down the page until you see the key code.

How does SSL verify a certificate? ›

The web server sends the browser/server a copy of its SSL certificate. The browser/server checks to see whether or not it trusts the SSL certificate. If so, it sends a message to the web server. The web server sends back a digitally signed acknowledgement to start an SSL encrypted session.

How to combine SSL certificate with private key? ›

To concatenate your certificate with your private key:
  1. Generate CSR. openssl req -new -newkey rsa:2048 -nodes -keyout path:\server.key -out path:\server_csr.txt.
  2. Download the certificate with your chain from SCM (eg: my_certificate.cer)
  3. Concatenate the certificates with your private key:

Is the private key included in the SSL certificate? ›

Note: At no point in the SSL process does The SSL Store or the Certificate Authority have your private key. It should be saved safely on the server you generated it on. Do not send your private key to anyone, as that can compromise the security of your certificate.

Article information

Author: Nathanael Baumbach
