Certificate Key Matcher is an online tool that helps users verify the security of their SSL/TLS certificates. It enables users to compare their certificate's public key against the public key of their domain, helping to ensure the certificate is properly linked to the domain.
What are the benefits of using a Certificate Key Matcher?
It helps prevent man-in-the-middle attacks by verifying that the certificate is properly linked to the domain. It also helps users identify any potential misconfigurations in the SSL/TLS certificate and website, ensuring that the connection is properly secured. Additionally, it helps users detect any unauthorized certificates that have been issued for the domain, ensuring that the connection is secure and trustworthy.
Why do we need to use a Certificate Key Matcher?
The Certificate Key Matcher helps to ensure that the domain a user is connecting to is secure and trustworthy by verifying that the certificate presented by the website matches a known certificate. This way, users can be sure that the connection they are making is legitimate and not a phishing attempt.
A Certificate Key Matcher can be used to determine whether a private key matches a certificate or whether a certificate matches a certificate signing request (CSR). It can be difficult to keep track of which certificate corresponds to which private key or which CSR was used to generate which certificate when dealing with several different certificates. With the Certificate Key Matcher tool, it is easy to determine whether a private key matches a certificate or if a CSR matches a certificate.
By comparing the hash of the public key with the private key, the certificate, or the CSR, the Certificate Key Matcher is able to determine whether the keys are the same or not. Use the following OpenSSL commands to determine whether a certificate matches a private key, or whether a CSR matches a certificate on your own computer:
In the case of an openssl pkey, the parameters are: -in privateKey.key -pubout -outform pem | sha256sum
An example of how to run SSL X509 is: -in certificate.crt -pubkey -noout -outform pem | sha256sum
OpenSSL Requirement -in CSR.csr -pubkey -noout -outform PEM
The private key is intended to remain on the server. The process is made as secure as possible by encrypting the key when it is sent to the server using SSL, but for complete security we recommend that you manually check the public key hash of the private key on your server using the above OpenSSL commands.
The private key can also be checked for consistency if you are concerned that it has been altered. Hanno Böck explains how to trick Symantec with a fake private key in his article How I fooled Symantec with a Fake Private Key.
Use our SSL checker tool if you wish to verify the security of any website
