This guide explains how to confirm that an RSA private key corresponds to a specific Certificate Signing Request (CSR) and the resulting SSL/TLS certificate using the OpenSSL command-line tool.
Core Principle
In RSA cryptography, the private key and the public key (which is embedded within both the CSR and the certificate) are mathematically linked by sharing the same modulus value. Verifying that the modulus is identical across the private key, CSR, and certificate confirms they form a matched set. This procedure is essential when troubleshooting installation errors like “Private Key and the Certificate do not match”.
Prerequisites
- You need OpenSSL installed on your system (Linux, macOS, or Windows via WSL/Cygwin).
- You have the private key file (e.g., mykey.key), the CSR file (e.g., mycsr.csr), and the certificate file (e.g., mycert.crt).
Verification Steps Using OpenSSL
- Check Private Key Integrity (Recommended): Before comparing moduli, ensure the private key file itself is valid:
openssl rsa -check -in mykey.key -noout
If this command outputs “RSA key ok”, the key structure is likely sound. Address any errors before proceeding.
- Extract and Compare Moduli: You can compare the moduli either by hashing each modulus or by comparing the full modulus output directly.
Method 1: Compare Modulus Hashes (Recommended: SHA-256)
Generate a SHA-256 hash of the modulus for each file. SHA-256 is preferred over the older MD5 algorithm, although because you are only comparing hashes of your own files here, MD5 would still work for this particular check.
- Private Key Modulus Hash:
openssl rsa -noout -modulus -in mykey.key | openssl sha256
- CSR Modulus Hash:
openssl req -noout -modulus -in mycsr.csr | openssl sha256
- Certificate Modulus Hash:
openssl x509 -noout -modulus -in mycert.crt | openssl sha256
Compare the resulting SHA-256 hash strings. If all three are identical, the key, CSR, and certificate match.
Method 2: Compare Moduli Directly
Output the full modulus for each file into temporary text files and use a diff tool to compare them.
openssl rsa -noout -modulus -in mykey.key > key_mod.txt
openssl req -noout -modulus -in mycsr.csr > csr_mod.txt
openssl x509 -noout -modulus -in mycert.crt > cert_mod.txt
# Compare all three files (no output means they match)
diff3 key_mod.txt csr_mod.txt cert_mod.txt
# Or compare just two, e.g., key and certificate (no output means they match)
diff key_mod.txt cert_mod.txt
# Clean up temporary files
rm key_mod.txt csr_mod.txt cert_mod.txt
If diff or diff3 produces no output, the moduli are identical.
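The same comparison wrapped in a small POSIX shell script, added here as an example and not SSL.com's own code. It builds throwaway test material with openssl (file names mykey.key, mycsr.csr, mycert.crt and other.key are constructed) and returns a distinct status when a file cannot be read, so that two unreadable inputs never appear to "match".

```shell
#!/bin/sh
# Added example (not SSL.com's own code): wraps the guide's modulus-hash
# comparison in functions and builds throwaway test material with openssl.
# All file names (mykey.key, mycsr.csr, mycert.crt, other.key) are constructed.
set -u

# Print the SHA-256 of the modulus for $1, where $2 is key|csr|crt.
# Fails (non-zero) instead of hashing empty output when openssl cannot
# read the file, so two unreadable files never "match" by accident.
modulus_hash() {
    case "$2" in
        key) cmd=rsa ;;
        csr) cmd=req ;;
        crt) cmd=x509 ;;
        *)   echo "unknown type: $2" >&2; return 2 ;;
    esac
    mod=$(openssl "$cmd" -noout -modulus -in "$1" 2>/dev/null) || return 1
    case "$mod" in Modulus=*) ;; *) return 1 ;; esac
    printf '%s\n' "$mod" | openssl sha256 | awk '{print $NF}'
}

# check_match KEY CSR CERT: exit 0 if all three moduli agree, 1 if they
# differ, 2 if any file could not be read as the expected RSA object.
check_match() {
    k=$(modulus_hash "$1" key) || return 2
    r=$(modulus_hash "$2" csr) || return 2
    c=$(modulus_hash "$3" crt) || return 2
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# make_fixtures DIR: constructed test material; a matching key/CSR/
# self-signed cert, plus an unrelated key for the mismatch case.
make_fixtures() {
    openssl genrsa -out "$1/mykey.key" 2048 2>/dev/null
    openssl req -new -key "$1/mykey.key" -subj "/CN=example.test" \
        -out "$1/mycsr.csr" 2>/dev/null
    openssl x509 -req -in "$1/mycsr.csr" -signkey "$1/mykey.key" \
        -days 1 -out "$1/mycert.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Usage: sh verify_match.sh mykey.key mycsr.csr mycert.crt
if [ $# -eq 3 ]; then
    check_match "$1" "$2" "$3" && echo "key, CSR and certificate match" && exit 0
    echo "MISMATCH or unreadable input"; exit 1
fi
```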
Important Considerations
- RSA Specific: This modulus comparison method applies specifically to RSA keys. Elliptic Curve Cryptography (ECC) keys require different verification techniques.
- Security: Never upload your private key to online verification tools. Perform these checks locally on a trusted machine to avoid compromising your key.
- Algorithm Evolution: Cryptographic standards are evolving. While RSA is still common, there is a move towards Post-Quantum Cryptography (PQC). The methods described here will not apply to PQC keys.
- OpenSSL Version: Ensure you are using an up-to-date and supported version of OpenSSL for security patches and modern algorithm support.
- Troubleshooting: If the moduli do not match, it usually means the private key file is not the one used to generate that specific CSR, or the certificate was not issued for that CSR. You may need to locate the correct key file or generate a new key/CSR pair and have the certificate reissued.
Need Assistance?
If you have any questions or require support, feel free to contact SSL.com:
- Email: Support@SSL.com
- Phone: 1-SSL-Certificate (1-775-237-8434)
Thank you for choosing SSL.com!