Verify SSL Key Pair Correspondence

TL;DR

Yes. You can check that a passphrase-protected SSL private key is the same key as a plain-text copy without ever writing a decrypted version of it to disk: derive the public key from the plain-text key, encrypt a small piece of test data with that public key, and confirm that the encrypted private key decrypts it back to the original. If it does, the two files hold the same key.

How to Verify SSL Key Pair Correspondence

  1. Generate the Public Key from the Plain Private Key: Use OpenSSL to extract the public key from your plain-text (unencrypted) private key. This is a standard operation.
    openssl rsa -in plain_key.pem -pubout -out public_key.pem
  2. Create Test Data: Generate a small piece of random data for the encryption/decryption test. Because rsautl encrypts with the RSA key directly, the data must be smaller than the key modulus minus the padding overhead (at most 245 bytes for a 2048-bit key with the default PKCS#1 v1.5 padding), so a few dozen bytes is plenty.
    openssl rand -base64 32 > test_data.txt
  3. Encrypt the Test Data with the Public Key: Use OpenSSL to encrypt the test data using the public key you generated in step 1.
    openssl rsautl -encrypt -inkey public_key.pem -pubin -in test_data.txt -out encrypted_test_data.enc
  4. Decrypt the Encrypted Test Data with the Encrypted Private Key: Use OpenSSL to decrypt the encrypted_test_data.enc file using your encrypted private key. OpenSSL will prompt for the key's passphrase and use the key in memory only for the duration of the command; no unencrypted copy is written.
    openssl rsautl -decrypt -inkey encrypted_key.pem -in encrypted_test_data.enc -out decrypted_test_data.txt
  5. Compare the Original and Decrypted Data: Compare the original test_data.txt file with the decrypted_test_data.txt file.

    You can use a simple command-line comparison tool like diff:

    diff test_data.txt decrypted_test_data.txt

    If diff prints nothing (the files are identical), the encrypted private key corresponds to the plain private key. If step 4 fails with a decryption or padding error, or the two files differ, the keys do not match.
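The five steps above as one script, added here as an example and not part of the original post. It uses openssl pkeyutl (the supported replacement for the deprecated rsautl, taking the same -encrypt/-decrypt/-inkey/-pubin options) and assumes an OpenSSL 1.1 or 3.x binary on PATH; the function name verify_key_pair and the optional passphrase argument are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: the five steps above as one
# function whose exit status reports the result (0 = keys match, 1 = they do
# not, 2 = a step could not run). Assumes OpenSSL 1.1 or 3.x on PATH and uses
# `openssl pkeyutl`, the supported replacement for `rsautl` with the same options.
# Usage: verify_key_pair plain_key.pem encrypted_key.pem [passphrase]
# A passphrase given as the third argument reaches OpenSSL through an
# environment variable, so it never appears in the process list; without it
# OpenSSL prompts on the terminal, as in step 4.

verify_key_pair() {
    plain_key=$1; enc_key=$2; pass=${3:-}
    work=$(mktemp -d) || return 2

    # 1. derive the public key from the plain-text private key
    openssl rsa -in "$plain_key" -pubout -out "$work/public_key.pem" 2>/dev/null \
        || { rm -rf "$work"; return 2; }

    # 2. test data: 32 random bytes, far below the PKCS#1 v1.5 limit of
    #    (key size in bytes - 11), so it fits any RSA key size
    openssl rand -base64 32 > "$work/test_data.txt" || { rm -rf "$work"; return 2; }

    # 3. encrypt the test data with the derived public key
    openssl pkeyutl -encrypt -pubin -inkey "$work/public_key.pem" \
        -in "$work/test_data.txt" -out "$work/test_data.enc" 2>/dev/null \
        || { rm -rf "$work"; return 2; }

    # 4. decrypt with the encrypted private key; OpenSSL decrypts the key
    #    in memory only and never writes a plain copy of it
    rc=0
    if [ -n "$pass" ]; then
        KEYPASS=$pass openssl pkeyutl -decrypt -inkey "$enc_key" -passin env:KEYPASS \
            -in "$work/test_data.enc" -out "$work/decrypted.txt" 2>/dev/null || rc=$?
    else
        openssl pkeyutl -decrypt -inkey "$enc_key" \
            -in "$work/test_data.enc" -out "$work/decrypted.txt" 2>/dev/null || rc=$?
    fi

    # 5. byte-compare. This is the real check: a wrong key usually makes the
    #    decrypt fail with a padding error, but recent OpenSSL releases may
    #    instead return random bytes (implicit rejection), which cmp catches.
    if [ "$rc" -eq 0 ] && cmp -s "$work/test_data.txt" "$work/decrypted.txt"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return "$rc"
}
```

Exit status 1 means the keys are different; exit status 2 means a step itself failed (unreadable key, missing openssl), which should be investigated rather than read as a mismatch.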

Important Considerations

  • Security: While this method doesn’t involve decrypting the encrypted private key, handle both keys (plain and encrypted) with extreme care. Protect them from unauthorized access.
  • Key Format: This process assumes standard PEM-encoded RSA keys. If your keys are in a different format (e.g., PKCS#12), you may need to convert them to PEM before proceeding. The test is also RSA-specific: rsautl cannot encrypt with EC or Ed25519 keys, so it does not apply to those.
  • OpenSSL Version: openssl rsautl is deprecated since OpenSSL 3.0 and prints a warning; openssl pkeyutl accepts the same -encrypt, -decrypt, -inkey and -pubin options and can be substituted in steps 3 and 4.
  • Error Handling: The openssl commands might produce errors if the key files are corrupted or invalid, or if the wrong passphrase is entered in step 4. Pay attention to any error messages and investigate accordingly.