Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Teams

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

I'm now testing the hyperledger/fabric/core/comm/testdata/certs/generate.go to get the ECDSA prime256v1 certificate(Org1-cert.pem) and private key(Org1-key.pem). I want to use a openssl command line to test if the Org1-cert.pem mathes the Org1-key.pem, but don't know how? Any help appreciated. I've used the command, but the results don't match the same.

# openssl x509 -pubkey -in Org1-cert.pem -noout | openssl md5
(stdin)= 4f8782bbec9d258553f0c0c7c6879fef
# openssl pkey -pubout -in Org1-key.pem | openssl md5
(stdin)= 98c3ec3c2971648f2721915ff7e80479
more info about Org1-cert.pem and Org1-key.pem below:
# openssl x509 -in Org1-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:0a:7a:e4:31:6e:1b:57:68:48:26:d7:a0:c5:9c:da
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = California, L = San Francisco, O = Org1, CN = Org1
        Validity
            Not Before: Nov 13 09:09:06 2017 GMT
            Not After : Nov 11 09:09:06 2027 GMT
        Subject: C = US, ST = California, L = San Francisco, O = Org1, CN = Org1
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                    04:ac:bb:17:91:91:1e:72:38:d2:aa:9a:2d:17:c8:
                    50:80:18:58:4a:a8:6a:40:0a:a8:2a:a8:58:33:46:
                    ae:2c:48:67:28:c7:af:59:09:92:01:68:15:cd:e5:
                    c0:84:d1:1e:3e:03:60:25:8b:55:89:3e:e9:e2:f1:
                    23:3e:e4:c4:c8
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                Any Extended Key Usage
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                01:02:03:04
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:b4:81:76:75:fe:a1:1c:14:94:3e:d6:eb:b3:
         43:02:27:32:46:2e:c0:6d:b7:94:3b:9d:a9:05:ad:c9:10:29:
         34:02:21:00:80:31:3c:00:18:b3:c0:be:1d:73:dc:ab:9b:aa:
         28:75:86:bc:2a:97:64:9d:65:5f:6f:6f:a0:c8:38:aa:2c:35
    # more Org1-key.pem
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIDgnuzTIxFYZorg/lKBQxwpyXWH7zREzuO8Gle9p8CzQoAoGCCqGSM49
AwEHoUQDQgAEsYeTGiApHX1SJAZ7HmroVR1YNBH6wc0WqiNWO/N3XG/aWxksYLA8
s2asE88Z5EOWs1qMLig2nyv3CL0H2VI0zg==
-----END EC PRIVATE KEY-----
    # more Org1-cert.pem
-----BEGIN CERTIFICATE-----
MIIB8jCCAZegAwIBAgIQUAp65DFuG1doSCbXoMWc2jAKBggqhkjOPQQDAjBYMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
YW5jaXNjbzENMAsGA1UEChMET3JnMTENMAsGA1UEAxMET3JnMTAeFw0xNzExMTMw
OTA5MDZaFw0yNzExMTEwOTA5MDZaMFgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpD
YWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRPcmcx
MQ0wCwYDVQQDEwRPcmcxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErLsXkZEe
cjjSqpotF8hQgBhYSqhqQAqoKqhYM0auLEhnKMevWQmSAWgVzeXAhNEePgNgJYtV
iT7p4vEjPuTEyKNDMEEwDgYDVR0PAQH/BAQDAgGmMA8GA1UdJQQIMAYGBFUdJQAw
DwYDVR0TAQH/BAUwAwEB/zANBgNVHQ4EBgQEAQIDBDAKBggqhkjOPQQDAgNJADBG
AiEAtIF2df6hHBSUPtbrs0MCJzJGLsBtt5Q7nakFrckQKTQCIQCAMTwAGLPAvh1z
3Kubqih1hrwql2SdZV9vb6DIOKosNQ==
-----END CERTIFICATE-----
You can verify that a certificate and any supported key (including an ECDSA prime256v1 key) match using OpenSSL.
This command will get the public key from the certificate:
openssl x509 -noout -pubkey -in Org1-cert.pem
This command will get the public key from the key:
openssl pkey -pubout -in Org1-key.pem
You can compare them visually...
OR you can automate the comparison of any cert and key as follows with Bash:
Create a script called verify-cert-key:
#!/usr/bin/env bash
certFile="${1}"
keyFile="${2}"
certPubKey="$(openssl x509 -noout -pubkey -in "${certFile}")"
keyPubKey="$(openssl pkey -pubout -in "${keyFile}")"
if [[ "${certPubKey}" == "${keyPubKey}" ]]
  echo "PASS: key and cert match"
  echo "FAIL: key and cert DO NOT match"
Make the script executable:
chmod +x verify-cert-key
Run it:
./verify-cert-key Org1-cert.pem Org1-key.pem
CAVEAT: openssl on macOS Sierra doesn't have pkey
On macOS Sierra, the script may say "FAIL: key and cert DO NOT match" even if they do.
Verify that pkey is missing:
openssl pkey -in
If it is missing, you will see this:
openssl:Error: 'pkey' is an invalid command.
Followed by tons of other usage summary output from OpenSSL. 
You may also see "openssl:Error: 'pkey' is an invalid command." 
If pkey is missing, you'll need install a newer openssl and set your PATH accordingly.
I installed a newer OpenSSL with Homebrew and set my PATH like this:
export PATH=/usr/local/Cellar/openssl/1.0.2m/bin/:$PATH
Verify that pkey is available:
openssl pkey -in
This should show pkey usage summary:
Usage pkey [options]
where options are
Now the script should work as expected.
                Thanks it works. You can also verify the MD5 of both outputs by adding, at the end of both lines, the following | openssl md5
– Aschwin
                Jul 16, 2020 at 12:39
                @Aschwin not sure what comparing the md5's will achieve other than reducing certainty in the assessment given md5's potential for collisions.
– Alain O'Dea
                Jul 16, 2020 at 15:40
                Hi @AlainO'Dea, it just produces a checksum as a oneliner. So you are able to compare both single checksums instead of keys consisting of a few lines. That's it.
– Aschwin
                Jul 18, 2020 at 15:02
                Is the script saying "PASS..." or "FAIL..." somehow insufficient for that purpose? I don't actually expect people to visually diff them themselves which is why I provided the script.
– Alain O'Dea
                Jul 18, 2020 at 19:00
What you need to do is read the certificate and private key and check if the public key of the certificate matches the public key in the private key.
openssl x509 -in signcerts/peer.pem -text -noout
        Version: 3 (0x2)
        Serial Number:
            04:45:70:b1:2c:74:4e:6a:9d:6f:33:70:95:e3:41:07:3a:08:4f:4c
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=San Francisco, O=Internet Widgets, Inc., OU=WWW, CN=example.com
        Validity
            Not Before: Nov 11 17:07:00 2016 GMT
            Not After : Nov 11 17:07:00 2017 GMT
        Subject: C=US, ST=North Carolina, L=Raleigh, O=Hyperledger Fabric, OU=COP
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                    04:1c:1b:8a:b0:03:b8:de:1b:38:24:6a:45:7e:21:
                    8c:90:1f:f1:b0:82:d3:b0:eb:e6:37:65:a6:c2:9b:
                    0f:1d:93:4b:eb:0f:07:59:ed:f1:08:f4:2d:74:6f:
                    d7:24:9b:d9:f8:2e:f9:e8:a1:2c:50:13:37:cb:0e:
                    4f:4d:f9:2e:f2
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                E1:42:75:C5:19:E1:EB:37:96:D8:82:80:05:43:A3:22:DF:56:93:C8
            X509v3 Authority Key Identifier: 
                keyid:17:67:42:3D:AA:9E:82:3F:C4:C5:1D:9F:5B:C3:99:D1:B5:9C:48:10
            X509v3 Subject Alternative Name: 
                DNS:myhost.com, DNS:www.myhost.com
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:37:fd:1d:b9:78:c6:7d:f3:e0:4c:0d:2a:68:a5:
         33:d9:57:d8:5a:b8:8d:6a:40:69:15:41:f7:b3:a6:54:47:b2:
         02:21:00:db:96:83:3d:01:c6:1a:ad:80:be:12:93:d3:0b:ed:
         d3:c7:17:d4:64:c6:08:86:df:9a:e2:e9:33:02:90:8f:7f
priv:
    0b:16:c0:5b:a7:13:3a:b3:d5:18:7a:9e:f0:f8:32:
    23:e4:28:2b:66:a3:1c:e1:de:34:ea:b8:6e:4c:49:
    b7:8b
    04:1c:1b:8a:b0:03:b8:de:1b:38:24:6a:45:7e:21:
    8c:90:1f:f1:b0:82:d3:b0:eb:e6:37:65:a6:c2:9b:
    0f:1d:93:4b:eb:0f:07:59:ed:f1:08:f4:2d:74:6f:
    d7:24:9b:d9:f8:2e:f9:e8:a1:2c:50:13:37:cb:0e:
    4f:4d:f9:2e:f2
ASN1 OID: prime256v1
                Thanks a lot. I know the reason. It's useful for CA cert and private key signed by root cert. Is there any way to verify the root cert and the corresponding private key? For "X509v3 Basic Constraints: critical                 CA:TRUE" while not FALSE?
– yudizou
                Nov 14, 2017 at 2:32
        
Thanks for contributing an answer to Stack Overflow!
Please be sure to answer the question. Provide details and share your research!
But avoid …
Asking for help, clarification, or responding to other answers.
Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.