Getting a hash of the modulus of SSL keys and certificates is a nice simple way of making sure they match.
I’ve found lots of docs that tell you how to get the modulus of a private key, CSR or certificate, but I had trouble finding how to do the same for a public key, where the PEM-encoded file begins -----BEGIN PUBLIC KEY-----. The public key is x509, but this openssl command produces an error because it’s expecting a certificate rather than a public key:
openssl x509 -noout -modulus -in mykey.public | openssl md5
unable to load certificate
140735178354768:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
(stdin)= d41d4e9400998ecf8cd98f00b208427e
The solution is simply to tell it that it’s a public key by using the rsa subcommand with the -pubin switch:
openssl rsa -noout -modulus -pubin -in mykey.public | openssl md5
(stdin)= 6ab17b2db672280921e1c5fed6908187
(Hashes altered to protect the innocent!)
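The failed command above still printed a digest, because the pipe hashed openssl's empty output. The script below is an added example, not from the original post: it checks that openssl actually produced a modulus before hashing it. The function names are hypothetical, and it uses SHA-256 where the post uses MD5.

```shell
#!/bin/sh
# Added example: compare RSA moduli across PEM files and refuse to
# report a digest when openssl could not parse the input.

# modulus_digest KIND FILE
# KIND is key, pub, csr or cert. Prints the SHA-256 of the "Modulus=..."
# line; returns non-zero if FILE does not parse as that KIND.
modulus_digest() {
    kind=$1; file=$2
    case $kind in
        key)  set -- rsa ;;          # private key
        pub)  set -- rsa -pubin ;;   # -----BEGIN PUBLIC KEY-----
        csr)  set -- req ;;
        cert) set -- x509 ;;
        *)    echo "unknown kind: $kind" >&2; return 2 ;;
    esac
    # Stop here on a parse error instead of hashing an empty string.
    mod=$(openssl "$@" -noout -modulus -in "$file" 2>/dev/null) || return 1
    case $mod in
        Modulus=?*) ;;               # non-empty modulus present
        *) return 1 ;;
    esac
    # Digest label differs between OpenSSL versions; keep the last field.
    printf '%s\n' "$mod" | openssl sha256 | awk '{print $NF}'
}

# same_modulus KIND1 FILE1 KIND2 FILE2
# Exit 0 on match, 1 on mismatch, 2 if either file could not be read.
same_modulus() {
    a=$(modulus_digest "$1" "$2") || return 2
    b=$(modulus_digest "$3" "$4") || return 2
    [ "$a" = "$b" ]
}

# Command-line use: script.sh key server.key pub mykey.public
if [ "$#" -eq 4 ]; then
    same_modulus "$@"
    case $? in
        0) echo "match" ;;
        1) echo "MISMATCH" ;;
        *) echo "could not read one of the inputs" >&2 ;;
    esac
fi
```
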