mide

Simple TLS Certificate Checks

Tuesday, September 19, 2017

Motivation

If you're implementing a new certificate, or perhaps many certificates, in an environment, it's possible that the wrong files, or different versions of the right files, get paired up.

Each file contains some metadata, and if the .key and .crt files aren't aligned, you may encounter errors. These commands are tools I've had in my toolbox for some time, and it's about time I document them.

Checking Local Certificates' Moduli

You can ensure the .crt and .key files go together by running the following commands to check their respective moduli. The two Modulus values must be identical.

% openssl x509 -noout -modulus -in io_mide_www.crt
Modulus=DD4DCF9933E7492718EDC1B0BA50EB8155571B9FBBA45A10B889CE437483FBA3D0FC11BEEC4461864DED5A502E60DD13E71866E5C40C7BC4522BADDEAE3F430A728F7D45BEBE9F9A82A2C450E101DC4961336DA459FF901EE059DB02803651CA920D80FCE603E78CF26B8796E53ECC4D323F1091EBACE98FAE92B28E5608387F3116EB72F3E4BF5C4FD5386D80FD88819D30890919BBBD01733275E2D6BE1D3298F1EE7E63C313C19DC962F24B8FB3F6867165E652088FE78A6D26108E0DDDBC4479F7BACC98ED6E019E724F926EE739D5819CCE4364613F7390FF2F99812A257A85E8823D5D0E6193E39FB44BCFF8042F38333952F3E8EF874BC0B84A0824CB

% openssl rsa -modulus -noout -in io_mide_www.key
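Modulus=DD4DCF9933E7492718EDC1B0BA50EB8155571B9FBBA45A10B889CE437483FBA3D0FC11BEEC4461864DED5A502E60DD13E71866E5C40C7BC4522BADDEAE3F430A728F7D45BEBE9F9A82A2C450E101DC4961336DA459FF901EE059DB02803651CA920D80FCE603E78CF26B8796E53ECC4D323F1091EBACE98FAE92B28E5608387F3116EB72F3E4BF5C4FD5386D80FD88819D30890919BBBD01733275E2D6BE1D3298F1EE7E63C313C19DC962F24B8FB3F6867165E652088FE78A6D26108E0DDDBC4479F7BACC98ED6E019E724F926EE739D5819CCE4364613F7390FF2F99812A257A85E8823D5D0E6193E39FB44BCFF8042F38333952F3E8EF874BC0B84A0824CB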

Or, if you want something just a little shorter to compare:

% openssl rsa -modulus -noout -in io_mide_www.key | shasum
ab20a5303e8ec55a316f5a17c7d9ab931114a69b  -

% openssl x509 -noout -modulus -in io_mide_www.crt | shasum
ab20a5303e8ec55a316f5a17c7d9ab931114a69b  -
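
The commands above use openssl rsa, so they cover RSA key pairs. As an added example (not part of the original post), the script below generalizes the same check by hashing the public key from each file, which also works for EC keys and refuses to report a match when a file cannot be read. The function names spki_digest and cert_key_match and the script name are made up for this example, and it assumes an unencrypted PEM private key.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes an unencrypted PEM key.
# Compares the public key (SPKI) of a certificate and a private key, so the
# same check works for RSA and EC keys alike.

# spki_digest crt|key FILE: print the SHA-256 of the DER-encoded public key.
spki_digest() {
    case "$1" in
        crt) pem=$(openssl x509 -noout -pubkey -in "$2" 2>/dev/null) || return 2 ;;
        key) pem=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2 ;;
        *)   return 2 ;;
    esac
    # Refuse empty output: hashing nothing on both sides would "match".
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# cert_key_match CRT KEY: 0 = pair matches, 1 = mismatch, 2 = unreadable input.
cert_key_match() {
    crt_fp=$(spki_digest crt "$1") || { echo "cannot read certificate: $1" >&2; return 2; }
    key_fp=$(spki_digest key "$2") || { echo "cannot read private key: $2" >&2; return 2; }
    if [ "$crt_fp" = "$key_fp" ]; then
        echo "MATCH    $crt_fp"
    else
        echo "MISMATCH crt=$crt_fp key=$key_fp"
        return 1
    fi
}

# Usage (hypothetical script name): sh check_pair.sh io_mide_www.crt io_mide_www.key
if [ "$#" -eq 2 ]; then
    cert_key_match "$1" "$2"
fi
```

The exit status makes it easy to gate a deployment step on the result: 0 for a matching pair, 1 for a mismatch, 2 when either file could not be parsed.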

Fetching Remote Certificates

If you want to perform the same modulus checks against live certificates, you can do the following:

# Full version
% echo | openssl s_client -showcerts -servername www.mide.io -connect www.mide.io:443 2>/dev/null | openssl x509 -noout -modulus
Modulus=DD4DCF9933E7492718EDC1B0BA50EB8155571B9FBBA45A10B889CE437483FBA3D0FC11BEEC4461864DED5A502E60DD13E71866E5C40C7BC4522BADDEAE3F430A728F7D45BEBE9F9A82A2C450E101DC4961336DA459FF901EE059DB02803651CA920D80FCE603E78CF26B8796E53ECC4D323F1091EBACE98FAE92B28E5608387F3116EB72F3E4BF5C4FD5386D80FD88819D30890919BBBD01733275E2D6BE1D3298F1EE7E63C313C19DC962F24B8FB3F6867165E652088FE78A6D26108E0DDDBC4479F7BACC98ED6E019E724F926EE739D5819CCE4364613F7390FF2F99812A257A85E8823D5D0E6193E39FB44BCFF8042F38333952F3E8EF874BC0B84A0824CB

# Short version
% echo | openssl s_client -showcerts -servername www.mide.io -connect www.mide.io:443 2>/dev/null | openssl x509 -noout -modulus | shasum
ab20a5303e8ec55a316f5a17c7d9ab931114a69b  -

That's it; I hope you find this useful. If you have something to add, please let me know.