This post is mostly a collection of commands to check SSL certificates and make sure they are what you think they are. These commands are especially handy to have around when things do not go as expected. First, some definitions. We call the signed certificate cert.crt, the private key server.key, the certificate signing request cert.csr and any intermediate/chain certificates chain.pem. Substitute your own file names in the commands below. It’s assumed you have all these files in the PEM format, for easy use with Apache’s mod_ssl.
Checking if the CSR actually contains the public key from your server key
You need to compare the modulus of the private key with the modulus of the certificate signing request. The output of these two commands should be the same if the CSR was made with this server key. This works for RSA keys; the md5 step only shortens the long modulus so the two values are easy to compare by eye.
$ openssl rsa -noout -modulus -in server.key | openssl md5
$ openssl req -noout -modulus -in cert.csr | openssl md5
Checking if a signed certificate was actually created from the CSR that you created
You need to compare the modulus of both files. The output of the two commands should be the same.
$ openssl x509 -noout -modulus -in cert.crt | openssl md5
$ openssl req -noout -modulus -in cert.csr | openssl md5
Checking if a signed certificate actually contains the public key from your server key
This should be obvious if you read the two items above. The output of both commands should be the same.
$ openssl x509 -noout -modulus -in cert.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5
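The three modulus comparisons above combined into one script, as an added example that is not part of the original post. It compares the moduli directly instead of through md5 and treats an unreadable or non-RSA file as an error, because two failed openssl commands piped into openssl md5 both produce the digest of empty input and would look like a match. The function names rsa_modulus and check_match are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. File roles follow the post:
# key = server.key, csr = cert.csr, crt = cert.crt.

# Print the RSA modulus (hex) of one file, or fail if openssl cannot read
# the file or does not report an RSA modulus. $1 = key|csr|crt, $2 = path
rsa_modulus() {
    case "$1" in
        key) out=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) ;;
        csr) out=$(openssl req  -noout -modulus -in "$2" 2>/dev/null) ;;
        crt) out=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) ;;
        *)   return 2 ;;
    esac || return 2
    # Reject empty output and placeholder text such as
    # "Modulus=Wrong Algorithm type" printed for a non-RSA key.
    printf '%s\n' "$out" | grep -Eq '^Modulus=[0-9A-F]+$' || return 2
    printf '%s\n' "${out#Modulus=}"
}

# Return 0 if key, CSR and certificate share one modulus, 1 if they differ,
# 2 if any file could not be parsed (so two failures never count as a match).
check_match() {
    k=$(rsa_modulus key "$1") || { echo "unreadable key: $1" >&2; return 2; }
    r=$(rsa_modulus csr "$2") || { echo "unreadable CSR: $2" >&2; return 2; }
    c=$(rsa_modulus crt "$3") || { echo "unreadable cert: $3" >&2; return 2; }
    [ "$k" = "$r" ] || { echo "CSR does not match key" >&2; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match key" >&2; return 1; }
    echo "key, CSR and certificate match"
}

# Usage: sh check_match.sh server.key cert.csr cert.crt
if [ "$#" -eq 3 ]; then check_match "$@"; fi
```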
Checking if the chain file actually applies to the signed certificate
$ openssl verify -CAfile chain.pem -verbose cert.crt
Output the details from a certificate signing request
$ openssl req -text -in cert.csr
Output the details from a signed certificate
$ openssl x509 -text -in cert.crt