FortiGate
chauhanm
Staff
Article Id 407585
Description

This article describes how to use OpenSSL to identify if the corresponding Private key matches with the certificate.

Scope

FortiGate.
Solution

This article assumes that an installed copy of the third-party program 'OpenSSL' is available.

Requirements:

  • Third-party program 'OpenSSL'.
  • Client/Server Certificate Signed by the CA.
  • Private Key.

This article uses OpenSSL to compare the hash of the modulus of the certificate with the hash of the modulus of the private key.

First, install OpenSSL for Windows.
Copy the certificate and private key files created earlier to the OpenSSL folder. Then open the command line as an administrator and navigate to the OpenSSL folder.
For example: C:\openssl\bin.

To check if a certificate and private key match using OpenSSL, compare the modulus of the public key extracted from the certificate with the modulus extracted from the private key. If the modulus values are identical, the certificate and private key match.

Keep the certificate and the private key in the same directory as the OpenSSL installation. Otherwise, specify the path to the certificate and private key when generating the hashes.

Steps:

  1. Extract the modulus from the certificate:

openssl x509 -noout -modulus -in certificate.crt | openssl md5

Example:

C:\openssl\bin>openssl x509 -noout -modulus -in certificate.crt | openssl md5
MD5(stdin)= b998b97dd97eff0c0a78e6c00c0943be

Replace certificate.crt with the actual path to the certificate file.

  2. Extract the modulus from the private key:

openssl rsa -noout -modulus -in private.key | openssl md5

Example:

C:\openssl\bin>openssl rsa -noout -modulus -in private.key | openssl md5
MD5(stdin)= b998b97dd97eff0c0a78e6c00c0943be

Replace private.key with the actual path to the private key file.
If the private key is encrypted, OpenSSL will prompt for the passphrase. Compare the two MD5 hashes: if they are identical, the private key matches the certificate.

Note: This method works for RSA keys, because only RSA keys have a modulus. For ECDSA keys, compare the public key itself instead: use openssl ec -pubout to derive the public key from the private key and openssl x509 -pubkey to extract the public key from the certificate, then hash both outputs.

Example:

C:\openssl\bin>openssl ec -in ecdsa_private.key -pubout | openssl md5
MD5(stdin)= 25dd93795b65002dc238a7d6d66d17d6

C:\openssl\bin>openssl x509 -noout -pubkey -in fortinet.crt | openssl md5
MD5(stdin)= 25dd93795b65002dc238a7d6d66d17d6

The principle is the same: the public key parameters (or the modulus, for RSA) derived from the private key must be identical to those embedded in the certificate.
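As an added example that is not part of the article, the following bash script performs the same check in one step for both RSA and EC material: it compares the public key derived from the private key with the public key in the certificate (so no modulus is needed) and uses SHA-256 rather than MD5 as the fingerprint. It generates its own constructed certificates and keys, so the file names are placeholders, and it assumes the openssl binary is on the PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the article): confirm that a private key belongs to a
# certificate by fingerprinting the public key derived from each side. Comparing
# the whole public key (not just an RSA modulus) makes one check cover RSA and EC.
set -u

# SHA-256 fingerprint of the public key embedded in a certificate.
# Returns 1 (and prints nothing) if the file cannot be parsed as a certificate.
cert_pubkey_digest() {
    local pem
    pem=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key derived from a private key.
# openssl pkey accepts RSA and EC keys; an encrypted key prompts for its passphrase.
key_pubkey_digest() {
    local pem
    pem=$(openssl pkey -pubout -in "$1" 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Exit 0 when the certificate and the key match, 1 otherwise (including when
# either file is unreadable, so a broken input never passes as a match).
cert_key_match() {
    local c k
    c=$(cert_pubkey_digest "$1") || return 1
    k=$(key_pubkey_digest "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed test material in the given directory: a self-signed RSA certificate
# with its key and a self-signed EC certificate with its key, so that matching and
# mismatching pairs can both be exercised. File names are placeholders.
make_demo_material() {
    local dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo-rsa" -days 1 \
        -keyout "$dir/rsa.key" -out "$dir/rsa.crt" >/dev/null 2>&1
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/ec.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/ec.key" -subj "/CN=demo-ec" -days 1 \
        -out "$dir/ec.crt" >/dev/null 2>&1
}

# Usage: cert_key_match certificate.crt private.key && echo "match" || echo "MISMATCH"
```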

Note that OpenSSL is not supported or endorsed by Fortinet. In this article, OpenSSL is used only to compute the modulus (or public key) hashes of the certificate and the private key and confirm that they match.