Cert-Key Match

From S23Wiki

Handy script to check which keys match which certs if you have a bunch of them. Needs 'openssl' installed. It checks whether the RSA modulus and public exponent in each cert match those in each key.

Run like this:-

./cert_match.pl "*.crt" "*.key"

or

./cert_match.pl abc.crt abc.key

Output looks like:-

uka.crt matches: www.site.co.uk1.key
ukb.crt matches: www.site.co.uk2.key
ukc.crt matches: www.site.co.uk3.key

The script:-

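#!/usr/bin/perl

use strict;
use warnings;

die "usage: $0 \"cert-pattern\" \"key-pattern\"\n" unless @ARGV == 2;

my ($certMatch, $keyMatch) = @ARGV;

# Expand the patterns with glob() instead of `ls`, so no shell is involved.
my @certs = glob($certMatch);
my @keys = glob($keyMatch);

my %modulus;
my %exponent;

# Collect the modulus and public exponent of every certificate.
for my $cert (@certs) {

        # List-form open passes the file name to openssl as a single
        # argument; it is never interpreted by a shell.
        open (my $fh, "-|", "openssl", "x509", "-noout", "-text", "-in", $cert) or next;

        my $modulusFound = 0;
        my $modulus = "";

        while (<$fh>) {

                # The Exponent line ends the modulus hex dump.
                if (/Exponent: (\d+)/) {
                        $modulus{$cert} = $modulus;
                        $exponent{$cert} = $1;
                        $modulusFound = 0;
                }

                # Append each line of the hex dump to the modulus.
                if (/\s*(\S+)/ && $modulusFound) {
                        $modulus .= $1;
                }

                # The hex dump starts on the line after "Modulus".
                if (/Modulus/) {
                        $modulusFound = 1;
                }

        }

        close ($fh);

}

# Collect the same two values from every RSA private key.
for my $key (@keys) {

        open (my $fh, "-|", "openssl", "rsa", "-noout", "-text", "-in", $key) or next;

        my $modulusFound = 0;
        my $modulus = "";

        while (<$fh>) {

                if (/publicExponent: (\d+)/) {
                        $modulus{$key} = $modulus;
                        $exponent{$key} = $1;
                        $modulusFound = 0;
                }

                if (/\s*(\S+)/ && $modulusFound) {
                        $modulus .= $1;
                }

                if (/^modulus/) {
                        $modulusFound = 1;
                }

        }

        close ($fh);

}

# Print every key whose modulus and exponent equal the certificate's.
for my $cert (@certs) {

        print "$cert matches: ";

        my @matches;

        for my $key (@keys) {

                # Skip files openssl could not parse; otherwise two
                # undefined values would compare as equal.
                next unless $modulus{$cert} and $modulus{$key};

                if ( ($modulus{$cert} eq $modulus{$key}) and ($exponent{$cert} eq $exponent{$key})) {
                        push @matches, $key;
                }
        }

        print join(" ", @matches), "\n";

}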

Alternate way

You can also use the openssl commands directly as such:-

[root@host01:Active] ssl # openssl x509 -in ssl.crt/www.site.co.uk.crt -noout -modulus
Modulus=E4701798C0BD4627593F
[root@host01:Active] ssl # openssl rsa -in ssl.key/www.site.co.uk.key -noout -modulus
Modulus=E4701798C0BD4627593F

If the modulus is the same, the key is the right one for the crt.
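
The same check generalised beyond RSA, as an added example that is not part of the original wiki page: instead of the modulus it compares the public key stored in the certificate with the public key derived from the private key, so EC and Ed25519 keys work too. The function names cert_key_match and match_all are made up for this example.

```shell
#!/bin/sh
# Added example: match certificates to private keys by public key.

# Return 0 if the key belongs to the certificate, 1 if it does not,
# 2 if either file could not be parsed (never treat that as a match).
cert_key_match() {
    # Public key as stored in the certificate (PEM SubjectPublicKeyInfo).
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # Public key derived from the private key, in the same PEM form.
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Print "<cert> matches: <key> ..." for every certificate, in the same
# shape as the Perl script's output.
# $1 and $2 are glob patterns, quoted by the caller: "*.crt" "*.key"
match_all() {
    for cert in $1; do
        matches=""
        for key in $2; do
            if cert_key_match "$cert" "$key"; then
                matches="$matches $key"
            fi
        done
        printf '%s matches:%s\n' "$cert" "$matches"
    done
}

# Run only when called with two patterns, e.g. ./match.sh "*.crt" "*.key"
if [ "$#" -eq 2 ]; then
    match_all "$1" "$2"
fi
```

Files that fail to parse are reported as having no match rather than matching each other, which is the failure mode to watch for when comparing two empty command outputs.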