Certificate and Private Key Pair

Is there any way I can check that a Certificate and Private Key match? I have tried to change the private key on an SSL client profile to test, but no error message came back reporting a mismatch.

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Andrew,

It's simple.

Create a new SSL Client profile (Local Traffic ›› Profiles : SSL : Client ›› New Client SSL Profile...).

Then set your key and certificate in "Certificate Key Chain", then click Finished.

If your key and certificate mismatch, you will have the following error:

profile /Common/aaaa's key and certificate do not match

Keep me updated if it's OK for you. Regards

0
Comments on this Answer
Comment made 23-May-2018 by youssef 3512

Or you can do it using openssl:

How do I verify that a private key matches a certificate?

To verify that an RSA private key matches the RSA public key in a certificate you need to i) verify the consistency of the private key and ii) compare the modulus of the public key in the certificate against the modulus of the private key.

To verify the consistency of the RSA private key and to view its modulus:

openssl rsa -modulus -noout -in myserver.key | openssl md5

To view the modulus of the RSA public key in a certificate:

openssl x509 -modulus -noout -in myserver.crt | openssl md5

If the first command shows any errors, or if the modulus

FYI: https://support.comodo.com/index.php?/Knowledgebase/Article/View/684/17/how-do-i-verify-that-a-private-key-matches-a-certificate-openssl

0
Comment made 23-May-2018 by andrewmjones 59

Thanks for the update but unfortunately I don't have a box titled "Certificate Key Chain" under

Local Traffic ›› Profiles : SSL : Client ›› New Client SSL Profile

I'm on version 11.4.1

0
Comment made 23-May-2018 by youssef 3512

Hello,

Ah OK, in 11.4 you have to set a cert and key. But I don't know if the mismatch check is done in this version.

So test it: create a new SSL client profile and set a key and a cert that are different.

0
Comment made 23-May-2018 by andrewmjones 59

Hi Youssef

I would have to say the check isn't done in that version, as I don't get back an error message when I use another key. Do you know what version the check is done in?

Andrew

0
Comment made 23-May-2018 by youssef 3512

Hello, I'm on version 13.1.0.1 and I think you can do it in version 12 too.

But as I told you, you can do it through the CLI (openssl):

Connect to the F5 using the CLI, copy your cert and key into /var/tmp/, then run this command:

openssl x509 -noout -modulus -in server.crt | openssl md5

Now you will receive the modulus, something like a77c7953ea5283056a0c9ad75b274b96

openssl rsa -noout -modulus -in myserver.key | openssl md5

Now you should get the same modulus as the certificate modulus above, i.e. a77c7953ea5283056a0c9ad75b274b96

If the modulus of the certificate and the modulus of the private key do not match, then you're not using the right private key...

Can you use this procedure?

regards

0
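The comparison described in the comments above, as an added example that is not part of the original thread: it compares the whole public key instead of the MD5 of the RSA modulus, so it goes beyond the thread's RSA case and also covers EC keys. The function name `key_matches_cert` and the script name are assumptions, as are unencrypted PEM input files and an OpenSSL build that has the `pkey` subcommand.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes unencrypted PEM files and an
# openssl binary that provides the "pkey" subcommand.

# key_matches_cert CERT KEY
#   returns 0 = key belongs to cert, 1 = mismatch,
#           2 = input unreadable or RSA key inconsistent
key_matches_cert() {
    cert=$1
    key=$2

    # Public key embedded in the certificate (PEM SubjectPublicKeyInfo).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    # Public key derived from the private key, in the same encoding.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    # Never compare two empty strings: that would look like a match.
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2

    # RSA only: consistency check of the private key (step i in the thread).
    # "openssl rsa" rejects non-RSA keys, so the check is skipped for them.
    if openssl rsa -in "$key" -noout >/dev/null 2>&1; then
        openssl rsa -in "$key" -noout -check 2>/dev/null |
            grep -q 'RSA key ok' || return 2
    fi

    [ "$cert_pub" = "$key_pub" ]
}

# Command-line use (hypothetical script name): ./check_pair.sh server.crt server.key
if [ "$#" -eq 2 ]; then
    rc=0
    key_matches_cert "$1" "$2" || rc=$?
    case $rc in
        0) echo "MATCH: key belongs to certificate" ;;
        1) echo "MISMATCH: key does not belong to certificate" ;;
        *) echo "ERROR: could not read or validate input" ;;
    esac
fi
```

Because the failure cases return 2 rather than falling through to the comparison, an unreadable file on both sides cannot be mistaken for a matching pair, which a bare pipeline into a hash would allow.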