Question
How to verify that the SSL certificate has been signed by the associated key on a Cisco Email Security Appliance?
Environment: Cisco Email Security Appliance (ESA), all versions of AsyncOS
This Knowledge Base article references software which is not maintained or supported by Cisco. The information is provided as a courtesy for your convenience. For further assistance, please contact the software vendor.
Installing SSL certificates is a prerequisite to encrypting receiving/delivery via TLS, and to secure LDAP access. Certificates are installed via the CLI command 'certconfig'. The certificate/key pair that you intend to install must consist of a key that has signed the certificate. Not complying with this will result in failure to install the certificate/key pair.
The following steps help verify whether the certificate has been signed with the associated key. Assume that you have a private key in a file called 'server.key' and a certificate in 'server.crt'.
- Make sure that the exponent fields of the certificate and key are the same. If this is not the case, then the key is not the signer. The following commands (run on any standard Unix machine with openssl) will help verify this.
$ openssl x509 -noout -text -in server.crt
$ openssl rsa -noout -text -in server.key
Make sure the exponent field in the certificate and key are the same. The exponent should be equal to 65537.
- Run an MD5 hash on the modulus of both the certificate and key to ensure that they are the same.
$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5
If the two MD5 hashes are identical, then you can be assured that the key signed the certificate.
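As an added example (not part of this KB article), the same checks scripted with openssl: it assumes a standard openssl binary and the constructed file names server.crt, server.key and other.key, and goes beyond the article by also comparing the exported public keys, which covers non-RSA key types.

```shell
#!/bin/sh
# Added example, not from the Cisco KB. Step 1 is the article's exponent and
# modulus comparison (RSA only); step 2 exports both public keys, which also
# works for non-RSA keys. Assumes a standard openssl binary.

# Public exponent as printed by 'openssl x509 -text' / 'openssl rsa -text'.
exponent_of() {    # $1 = "x509" (certificate) or "rsa" (key), $2 = PEM file
    openssl "$1" -noout -text -in "$2" 2>/dev/null |
        grep -E '^ *(publicExponent|Exponent):' | head -n1 | sed 's/.*: *//'
}

# Digest of the RSA modulus. Any digest works here: this is a local equality
# check, not a security property, so SHA-256 is used instead of MD5.
modulus_digest() { # $1 = "x509" or "rsa", $2 = PEM file
    openssl "$1" -noout -modulus -in "$2" 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# Returns 0 when the key matches the certificate, 1 otherwise.
cert_matches_key() { # $1 = certificate (PEM), $2 = private key (PEM)
    cert=$1; key=$2
    cert_exp=$(exponent_of x509 "$cert"); key_exp=$(exponent_of rsa "$key")
    if [ -n "$cert_exp" ]; then
        # Step 1: the article's RSA check (exponent, then modulus digest).
        if [ "$cert_exp" != "$key_exp" ]; then
            echo "MISMATCH: exponent $cert_exp (cert) vs ${key_exp:-none} (key)"; return 1
        fi
        if [ "$(modulus_digest x509 "$cert")" != "$(modulus_digest rsa "$key")" ]; then
            echo "MISMATCH: modulus differs, this key does not belong to the certificate"; return 1
        fi
    else
        echo "NOTE: not an RSA certificate, skipping the modulus check"
    fi
    # Step 2: compare the SubjectPublicKeyInfo exported from both sides (any key type).
    if [ "$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)" != \
         "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ]; then
        echo "MISMATCH: exported public keys differ"; return 1
    fi
    echo "MATCH: $key is the private key for $cert"
}

# Constructed test data: a self-signed RSA certificate with its key, plus an
# unrelated key that must be rejected.
make_demo() {      # $1 = writable directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=esa.example.invalid" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
}

# Stand-alone use: ./check.sh server.crt server.key
if [ $# -eq 2 ]; then cert_matches_key "$1" "$2"; fi
```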
Related Links
http://www.modssl.org/docs/2.8/ssl_faq.html