
I followed the instructions outlined here by amazon.

A quick summary:

  1. Created a private key:

     openssl genrsa -out my-private-key.pem 2048

  2. Created a CSR:

     openssl req -sha256 -new -key my-private-key.pem -out csr.pem

Got a zip from the CA (Comodo in my case) which included

  • my-site.crt
  • three files representing the certificate chain.

Question 1: Running the following two commands to verify that the certificate matches the private key, I get different MD5 codes:

openssl rsa -noout -modulus -in my-private-key.pem | openssl md5
openssl x509 -noout -modulus -in my-site.crt | openssl md5

I.e. the keys do not match. Any idea why?

Question 2: In many places I noticed that documentation asks to convert the key file to a pem file using the following command

openssl rsa -in my-private-key.pem -outform PEM > aws.private.pem

However, the output file is exactly the same as the input. So why do it?

Same for the crt file I got from the CA

openssl x509 -inform PEM -in my-site.crt > aws.public.pem

Again, the output file is exactly the same as the input, only with a different extension.

Are/Why are these two steps necessary?

Thanks

  • This question may be a little too specialist for this forum. You may have better luck on either Information Security or Stack Overflow. Commented Jun 5, 2015 at 9:28
  • 1) This is weird, they should match. 2) If the input file and the output format are the same (PEM in your case, another option is DER), I don't see any reason for this. Maybe those guides want to ensure that the file is valid, thus contains only one entry of the desired type.
    – zakjan
    Commented Jun 5, 2015 at 11:14
  • @Julian - at the risk of one of those religious debates, Stack Overflow is for programming and development questions. I would vote to close this if it landed on SO. I would recommend they visit SU because that's a place to get help with commands, like openssl rsa and openssl rsautl.
    – jww
    Commented Jun 8, 2015 at 3:24
  • @nsof - please state where you are getting the error message "The private key did not match the public key provided", and what you did to get into that state.
    – jww
    Commented Jun 8, 2015 at 3:26
  • @jww - when trying to upload to an Amazon Load Balancer. The problem is not related to them but rather to the fact that the MD5 codes are different. I have taken this up with the Certificate Authority (Comodo in my case). Perhaps something related to how I issued the CSR or something on their end.
    – nsof
    Commented Jun 8, 2015 at 7:24

1 Answer

Question 1

See my comment

Question 2

The first command (openssl rsa) removes the encryption from the key file (if there was one). This is necessary, because web servers usually use an unencrypted key file.

The only thing the second command (openssl x509) might do is change the PEM header, but it is probably not needed that way. If you used -inform der on the command it would convert a binary certificate to a PEM (base64+header) encoded one.

The -outform PEM and -inform PEM switches of your commands are useless, by the way, as this is the default behaviour of openssl.
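The following script is an added example (editor's code, not part of the question or the answer above). It reproduces the procedure from the question and the two conversions discussed in the answer with a throwaway key in a temporary directory: a self-signed certificate with the assumed subject `/CN=example.test` stands in for the CA-issued `my-site.crt`, and a second, unrelated key stands in for the failure mode in Question 1. The file names are the ones from the question; `other-key.pem` is invented here. Two things worth knowing beyond what the thread says: if the two modulus digests differ, the certificate was issued for a different private key than the one in your file (typically the CSR was generated or regenerated from another key, or the key file was overwritten after the CSR was submitted), and no conversion will repair that, the certificate has to be reissued against a CSR made from the key you actually hold; and comparing the complete public keys (`openssl pkey -pubout` against `openssl x509 -pubkey`) is a cleaner check than hashing the modulus, and also works for EC keys, which have no modulus.

```shell
#!/bin/sh
# Added example, not from the original post or answer. Reproduces the checks and
# conversions discussed above with a throwaway key in a temporary directory; a
# self-signed certificate stands in for the CA-issued my-site.crt, and a second
# unrelated key stands in for the failure mode in Question 1.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

KEY="$WORK/my-private-key.pem"
CSR="$WORK/csr.pem"
CRT="$WORK/my-site.crt"
OTHER_KEY="$WORK/other-key.pem"    # invented name; never used for the CSR

# Steps 1 and 2 from the question, then self-sign the CSR so the example runs
# offline (this is the point where the CA's certificate would normally come back).
openssl genrsa -out "$KEY" 2048 2>/dev/null
openssl req -sha256 -new -key "$KEY" -subj "/CN=example.test" -out "$CSR"
openssl x509 -req -days 1 -in "$CSR" -signkey "$KEY" -out "$CRT" 2>/dev/null
openssl genrsa -out "$OTHER_KEY" 2048 2>/dev/null

# True when two files have identical bytes (compares SHA-256 digests).
same_bytes() {
    [ "$(openssl sha256 < "$1")" = "$(openssl sha256 < "$2")" ]
}

# The check from Question 1: hash the RSA modulus of key and certificate.
# Returns 0 when they match, 1 otherwise.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" | openssl md5)
    crt_mod=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
    [ "$key_mod" = "$crt_mod" ]
}

# Cleaner form of the same check: compare the complete public keys in PEM.
# Also works for non-RSA keys, which have no "modulus".
pubkey_matches_cert() {
    key_pub=$(openssl pkey -pubout -in "$1")
    crt_pub=$(openssl x509 -noout -pubkey -in "$2")
    [ "$key_pub" = "$crt_pub" ]
}

# Question 2, first command: PEM key in, PEM key out. For an unencrypted key
# this only re-encodes what is already there, so the result is byte-identical.
pem_key_roundtrip_is_identical() {
    openssl rsa -in "$1" -outform PEM -out "$WORK/aws.private.pem" 2>/dev/null
    same_bytes "$1" "$WORK/aws.private.pem"
}

# Question 2, second command: the only case where -inform matters is a binary
# (DER) certificate. Convert PEM -> DER -> PEM and confirm nothing changed.
der_cert_roundtrip_is_identical() {
    openssl x509 -in "$1" -outform DER -out "$WORK/my-site.der"
    openssl x509 -inform DER -in "$WORK/my-site.der" -out "$WORK/aws.public.pem"
    same_bytes "$1" "$WORK/aws.public.pem"
}

# Stand-alone run: report each check.
if key_matches_cert "$KEY" "$CRT"; then echo "key/cert modulus: match"; fi
if ! key_matches_cert "$OTHER_KEY" "$CRT"; then echo "other key/cert modulus: MISMATCH (as expected)"; fi
pubkey_matches_cert "$KEY" "$CRT" && echo "key/cert public key: match"
pem_key_roundtrip_is_identical "$KEY" && echo "openssl rsa PEM->PEM: identical file"
der_cert_roundtrip_is_identical "$CRT" && echo "openssl x509 PEM->DER->PEM: identical file"
```

To apply it to a real CA-issued certificate, point `KEY` and `CRT` at your own files and skip the generation lines; `key_matches_cert` returning non-zero is the exact situation in Question 1, and the DER round-trip is the only case in which the `-inform`/`-outform` switches change anything.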
