You can verify the integrity of an SSL certificate and private key pair with the OpenSSL utility and its command lines. 

The process consists of four steps:

  1. Verify that the private key has not been altered.
  2. Verify the modulus value matching with Private Key and SSL certificate pair
  3. Successfully perform encryption with the public key from certificate and decryption with the private key
  4. Confirm the integrity of the file, which is signed with the private key

Verify the private key integrity

Run the following command: openssl rsa -in [key-file.key] -check -noout

Here’s an example of a corrupt private key:

private key error

Other errors resulting from an altered/forged key are listed below:

  • RSA key error: p not prime
  • RSA key error: n does not equal p q
  • RSA key error: d e not congruent to 1
  • RSA key error: dmp1 not congruent to d
  • RSA key error: iqmp not inverse of q

If you encountered any of the above errors, your private key has been tampered with and may not work with your public key. Consider creating a new private key and requesting a replacement certificate.

Here’s an example of the private key which meets the integrity:

rsa key ok

Verify the modulus value matching with Private Key and SSL certificate pair

Note: The modulus of the private key and certificate must match exactly.

To view the certificate Modulus run the command:

openssl x509 -noout -modulus -in [certificate-file.cer]

To view the private key Modulus run the command:

openssl rsa -noout -modulus -in [key-file.key]

Encrypt with the public key from and decrypt with the private key

1. Get the public key from certificate:

openssl x509 -in [certificate-file.cer] -noout -pubkey > certificatefile.pub.cer

2. Encrypt test.txt file content using public key

Create a new file called test.txt file (you can use Notepad)  with the content “message test”. Perform the following command to create an encrypted message to cipher.txt file.

openssl rsautl -encrypt -in test.txt -pubin -inkey certificatefile.pub.cer -out cipher.txt

3. Decrypt from cipher.txt using the private key
Perform the following command to decrypt cipher.txt content.

openssl rsautl -decrypt -in cipher.txt -inkey [key-file.key]

Ensure that you can decrypt your cipher.txt file content to your terminal. The output from the terminal must match the content on the test.txt file.

If the content does not match, the private key has been tampered with and may not work with your public key. Consider creating a new private key and requesting a replacement certificate. Here’s an example of a decrypted message:

message test

4. Confirm the file integrity signed with the private key

Run the following command to sign the test.sig and test.txt file with your private key:

openssl dgst -sha256 -sign [key-file.key] -out test.sig test.txt

Now, verify the signed files with your public key extracted from step 1.

openssl dgst -sha256 -verify certificatefile.pub.cer -signature test.sig test.txt

Make sure that the output from the terminal is exactly like in the example below:

verified ok
If your private key is tampered with, you will receive the following message:

verification failure
In this case, you should create a new private key and request a replacement certificate.

Source: Digicert’s Knowledge Base